Sanford Wallace is accused of allegedly using half a million phished Facebook accounts to send 27 million spam messages in 2008 and 2009. He was indicted on July 6, but only voluntarily turned himself to the Federal Bureau of Investigation on Aug. 4. The indictment was made public after Wallace turned himself in.
He was charged with multiple counts of fraud, three counts of intentional damages to a protected computer and two counts of criminal contempt. If convicted on all counts Wallace could serve anywhere form 16 to 40 years in prison and pay $2 million in fines.
In his latest spam operation, Wallace allegedly created posts on victims' Facebook walls to drive traffic to affiliate marketing companies, according to the indictment. The affiliate marketing companies pay their members by the number of clicks they deliver. Wallace evaded Facebook's spam filters and sent spam messages to user inboxes on the social networking site. Users clicking on the link were sent to a malicious Website which phished their login credentials. He allegedly wrote a script which did all the work, the court papers said.
Facebook has a big problem with malicious applications on the site that send spam in response to updates users post on their walls. The spam asks users to fill out fake surveys and redirects users to sites with malware. Sophos researchers list details of the latest Facebook scams almost every day on the NakedSecurity blog.
Wallace, released Aug. 4 on a $100,000 bond, is set to appear in the United States District Court for the Northern District of California in San Jose on Aug. 22.
Since forming Cyber Promotions in 1995, Wallace has faced civil lawsuits under the federal CAN-SPAM Act from social networking sites MySpace and Facebook. He used similar phishing tactics that he used on Facebook on MySpace users as well. The judgments from those cases totaled nearly $950 million in damages. After Facebook won its lawsuit in October, the case was then referred to the United States Attorney for possible criminal charges.
Even though he was banned from Facebook as part of the lawsuit, he created a profile in January under the name David Sinful-Saturdays Wallace, according to the indictment which also charged Wallace of contempt of court for logging into the account in April while on a Virgin Airways flight in 2009.
"We applaud the efforts of the U.S. Attorney's Office and the FBI to bring spammers to justice and will continue to pursue and support both civil and criminal consequences for spammers and others who attempt to harm Facebook or the people who use our service," Facebook said in a statement, noting that Wallace "now faces serious jail time for this illegal conduct."
Wallace and Cyber Promotions may have sent as many as 30 million junk emails a day in the 1990s. Before that he was best known for sending out "junk faxes." His tactics earned him nicknames "Spamford" and "spam king."
Wallace has also been previously fined $5 million by the Federal Trade Commission for infecting victims' computers with spyware and then selling users a $30 program to remove it. In May 2006, Wallace and his other company Smartbot.net were ordered by a federal court to turn over $4.1 million. He was banned from AOL, CompuServe and Concentric Networks at one point for his spam activities.