MOLDOVA is a former Soviet republic, a croissant-shaped nation the size of Maryland, surrounded by Ukraine and Romania. It is not, as a friend of mine guessed, the fictitious country in the Marx Brothers movie Duck Soup. Yet it figured recently in a scheme as tangled and improbable as anything Prime Minister Rufus T. Firefly of Freedonia might have cooked up a case involving pornography, the Internet, telecommunications fraud, and a Trojan horse. An examination of the case brings to light some of the perils of our nascent electronic world -- a world in which everything from "sites" to telephone calls to countries themselves is sometimes only virtual.
Last December and January, Internet users might have found themselves, after caroming around cyberspace as their predilections dictated, on Web sites called sexygirls.com, 1adult.com, and beavisbutthead.com. Each of these sites promised free "adult" pictures. First, though, would-be voyeurs needed to download a viewer application -- a program that would allow them to display the photos on their personal computers. There was nothing especially suspicious about this: Internet devotees routinely download software, from new versions of Netscape 's Web browser to video games such as Doom and Quake to Budweiser's Bud Ice screen saver.
This particular program, however, was different. It was what is known infamously in computer circles as a "Trojan horse" -- a program that fulfills its stated function while secretly carrying out another. The most common type of Trojan horse, according to Dan Geer, the vice-president of CertCo, an electronic-commerce security firm in New York, is one that records your name and password as you log on to an electronic account and then passes them along to someone else -- who might be able to read your E-mail, draw on your checking account, or gain access to some other private domain. Trojan horses are probably not very common: most people would know if they were being stolen from, and most people's private information is not worth the trouble to steal or the risks involved. Still, no one really knows how prevalent the programs are. As Geer laments, "The computer-security arena is plagued with underreporting."
In the case involving Moldova, while the downloaded program was providing access to the pornographic photos, a hidden regiment of subcommands was ransacking the user's computer. First the program ordered the volume on the computer's speakers turned off, to prevent the usual telephonic sounds a modem makes. Then it hung up the line to which the modem was connected and dialed a number in Moldova. That call was answered by a computer that reconnected the user to the adult site. The promised photos -- or at least one of them -- finally appeared on the screen. The viewer had no idea that while he was looking at pictures he was paying for a transatlantic phone call.
The assault didn't end there. Even after the viewer left the site, disappointed with what was often only a single photo, the phone call continued. The Moldovan horse, as it might be called, didn't allow the modem to hang up even when the customer signed off the Internet -- at which point a modem normally would. Only when the computer or the modem itself was shut off did the phone call terminate.
WHO stood to make money in this scheme? To answer that question we need to look at what happens when a person calls a foreign country. International phone calls involve separate charges levied by each carrier concerned. American customers pay a single fee per call to their long-distance provider -- for example, AT&T -- and that provider pays the foreign company its share. Phone companies in developing nations are often in dire need of customers. Few of the nations' citizens have phones, and not many calls come in from abroad. So the companies sometimes contract with entrepreneurs in the United States and elsewhere who set up phone-sex lines or other services that require calls to the country. U.S. long-distance rates are governed by the Federal Communications Commission, but for many foreign companies the sky's the limit: they can charge enough to cover sizable fees to their partners -- the providers of the phone sex or other "audiotext" product -- and still make a profit themselves. Pornography needn't be part of the arrangement, but there aren't many better ways to keep people on an expensive phone call.
The involvement of foreign phone companies in teleporn is nothing new, nor is it illegal in itself. "There's a huge business in international pay-per-call sex lines," says Eileen Harrington, a Federal Trade Commission specialist in telecommunications fraud. One reason is that if a phone-sex service uses a 900 number, as most U.S.-based services do, inadvertent customers can go through a grievance process and are likely to have their charges waived, whereas if a foreign phone company is owed money, the victims are usually held accountable by their own long-distance carriers for the charges. In addition, many people apparently find calls to Haiti, Antigua, or Montserrat easier than 900 numbers to explain to their spouses.
Again, none of this is illegal, so long as advertising clearly discloses the cost of the phone call. There are also at the moment no laws restricting pornography on the Internet, and adult Web sites and newsgroups abound there. What is illegal is deception in commerce, as in a case last fall when people found messages on their pagers or answering machines asking them to call back to learn about job openings or free vacations. The ten-digit numbers looked just like mainland U.S. numbers but in fact were for Guyana, on the northern coast of South America, and some Caribbean islands, where the phone companies charge exorbitant rates. The person who answered would keep the victim on the phone as long as possible, generating a hefty kickback from the phone company.