Category: specific companies

Specific companies

Posted on

How Google’s Blogspot Helps Spread Unwanted Software

Google claims to be on the right side of the spyware problem. Its May 2004 Software Principles set out lofty (if somewhat vague) standards for installation notice consent. Its Google Toolbar installer gives impeccable disclosure and obtains true, meaningful, informed consent. (See page 7 of my FTC Comments (PDF).) And Google is a victim of spyware: I’ve tested and studied a number of programs that add bogus search results and advertisements to Google.com results, tarnishing Google’s brand and siphoning advertising revenues that would otherwise accrue to Google.

Yet Google is far from blameless in the spyware battle. Of particular concern: Numerous blogs hosted at Google’s Blogspot service contain JavaScript that tries to trick users into installing unneeded software. At one such blog, users are offered a misleading popup that falsely claims "You have an out of date browser which can cause you to get infected with viruses, spam, and spyware. To prevent this, press YES now." If a user declines, the user is shown a second popup instructing "Click Yes to upgrade," followed by the first popup again. If the user declines a second time, a further popup claims "We strongly recommend you upgrade … Click YES Now!" See screenshots below.

A misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page. A misleading popup attempting to encourage users to accept a misleading installation attempt shown on a Blogspot page.

If a user presses yes, the user receives certain extra software, often including software that many users would call spyware. The screenshots above show an attempted installation of Elitetoolbar. I have also observed similar popups attempting to install software from Crazywinnings (repeatedly falsely claiming "you have to click yes to continue" if users initially decline the installation) and from Direct Revenue. See a video of the repeated Crazywinnings installation attempts. See also additional screenshots (1, 2, 3, 4) of other software installations and/or other infected Blogspot pages.

Who’s Responsible, and Who’s Able to Stop This Mess?

The popups at issue come from a service called iWebTunes.com. iWebTunes recruits blog authors by giving them music to add to their blogs or other web sites. But as users view the resulting blogs, iWebTunes shows software installation popups to attempt to foist extra programs onto users’ computers. These programs likely pay iWebTunes a commission for each resulting installation.

Users have reported unwanted software offered by Blogspot sites since at least September 2004. See a September 15, 2004 blog post complaining of spyware received from iWebTunes. I reported these problems to Google staff last week, including a specific example of an infected site. But so far Google has taken no action to stop the misleading popups on this site or others. A recent Blogspot tech support response admitted the problem, at least generally, but offered no specific approcah or timetable for resolution.

What should Google do? Google already disallows JavaScript within Blogspot.com posts. (Screenshot.) Apparently Google considers embedded JavaScript too risky — too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed. Disallow the JavaScript interface by which iWebTunes gets added to Blogspot pages, so Blogspot pages can no longer trigger misleading JavaScript and ActiveX popups from iWebTunes or elsewhere. Of course some JavaScript code is entirely harmless — like the scripts that embed Google AdSense ads, comments, or polls. But Google should hesitate to permit JavaScript from unknown or known-hostile sources.

So Google is in a natural position to stop this problem. But it’s not the only company that could take action here. As I pointed out earlier this month, VeriSign plays a key role in authorizing ActiveX security warnings like that shown above: The misleading popups are only shown if they carry valid digital certificates, and VeriSign is the primary issuer of such certificates. VeriSign’s existing rules disallow using VeriSign-issued certificates “to distribute malicious or harmful content of any kind … that would … have the effect of inconveniencing the recipient.” I consider the programs above to be harmful for their addition of unwanted software including toolbars, silent auto-updaters, and systems that track and transmit certain personal information. Especially when combined with the popups’ false claims ("… out of date browser" and "you have to click yes") and especially in light of the other misleading circumstances of installation, I see ample basis to conclude that the popups are malicious. These software installation attempts are therefore arguably prohibited by existing VeriSign rules. But I’ve seen little sign of VeriSign acting to enforce its rules. VeriSign’s code signing site offers no obvious standards or procedures for assessing or reporting violations.

More on Google and Spyware: Sponsored Link Advertising from So-Called Spyware Removers

These misleading Blogspot popups are not Google’s only ties to spyware companies. Eric Howes has posted a warning he calls Google & Anti-Spyware Products: Be Wary of Paid Search Results. Eric and others have put together a list of “rogue/suspect” anti-spyware applications that are at best useless (failing to detect or remove bona fide spyware) and at worst malicious (installing new spyware of their own). Comparing current Google advertisers for a search on "spyware" with Eric’s impressively detailed list yields surprisingly numerous matches.

According to Google’s Software Principles, companies should "keep good company" by avoiding doing business with those who don’t meet ethical standards. Yet Google somehow continues to show ads for — and accept advertising payments from — companies whose supposed anti-spyware tools merely take advantage of users’ spyware worries. Google has made some progress at cleaning up the most dishonorable advertising for anti-spyware searches, but its AdWords advertising remains a poor, unreliable source for consumers to find reputable, high-quality anti-spyware applications.

Posted on

Media Files that Spread Spyware updated January 3, 2005

Users have a lot to worry about when downloading and playing media files. Are the files legal? Can their computers play the required file formats? Now there’s yet another problem to add to the list: Will a media file try to install spyware?

When Windows Media Player encounters a file with certain “rights management” features enabled, it opens the web page specified by the file’s creator. This page is intended to help a content providers promote its products — perhaps other music by the same artist or label. However, the specified web page can show deceptive messages, including pop-ups that try to install software on users’ PCs. User with all the latest updates (Windows XP Service Pack 2 plus Windows Media Player 10) won’t get these popups. But with older software, confusing and misleading messages can trick users into installing software they don’t want and don’t need — potentially so many programs that otherwise-satisfactory computers become slow and unreliable.

Screen-shot of the initial on-screen display. If users press Yes, scores of unwanted programs are installed onto their PCs. Click to enlarge.Screen-shot of the initial on-screen display. If users press Yes, scores of unwanted programs are installed onto their PCs.

I recently tested a Windows Media video file, reportedly circulating through P2P networks, that displays a misleading pop-up which in turn attempts to install unwanted software onto users’ computers. I consider the installation misleading for at least three reasons.

  1. The pop-up fails to name the software to be installed or the company providing the software, and it fails to give even a general description of the function of the software.
  2. The pop-up claims “You must agree to our terms and conditions” — falsely suggesting that accepting the installation is necessary to view the requested Windows Media video. (It’s not.)
  3. Even when a user specifically requests more information about the program to be installed, the pop-up does not provide the requested information — not even in euphemisms or in provisions hidden mid-way through a long license. Clicking the pop-up’s hyperlink opens SpiderSearch’s Terms and Conditions — a page that mentions “receiving ads of adult nature” and that disclaims warranty over any third-party software “accessed in conjunction with or through” SpiderSearch, but that does not disclose installation of any third-party software.

Screen-shot of my Program Files folder, showing some of the programs installed on my test computer.Screen-shot of my Program Files folder, showing some of the programs installed on my test computer.

On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (Direct Revenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer.

I retained video, packet log, registry, and file system logs of what occurred. As in my prior video of spyware installing through security holes, my records make it possible to track down who’s behind the installations — just follow the money trail, as captured by the “partner IDs” within the various software installation procedures. When one program installs another, the second generally pays the first a commission, using a partner ID number to track who to pay. These numbers make it possible to figure out who’s profiting from the unwanted installations and, ultimately, where the money is going.

Figuring Out Who’s Responsible

Most directly responsible for this mess is ProtectedMedia — the company that caused my computer to display the initial misleading pop-up shown above. ProtectedMedia invited the installation of some unwanted programs, which in turn installed others, but ProtectedMedia could readily stop these behaviors, e.g. by disabling its misleading pop-up installation attempts.

Screen-shot of the icons added to my test computer's desktop. Note a new link to Dell -- an affiliate link such that Dell pays commissions when users make purchases after clicking through this link.Screen-shot of the icons added to my test computer’s desktop. Note a new link to Dell — an affiliate link such that Dell pays commissions when users make purchases after clicking through this link.

But who pays ProtectedMedia? As I started to follow the money trail, I was surprised to see that some of the unrequested programs receive funds from respected online merchants. Several of the spyware installations added new toolbars to my computer’s browser and new icons to my desktop. If users click through these links, then make purchases from the specified merchants, the merchants pay commission to the affiliates who placed these toolbars and icons on users’ PCs. Even large, otherwise-reputable companies pay commissions through these systems, thereby funding those who install unwanted software on users’ computers. In my testing, I received affiliate links to Amazon, Dell, Hotwire, Match.com, Travelocity, and others. Many of these links pass through affiliate tracking networks LinkShare and Commission Junction.

Of course, these merchants may not have intended to support spyware developers. For example, merchants may have approved the affiliates without taking time to investigate the affiliates’ practices, or the affiliates’ actions may be unauthorized by the merchants. (That’s what Dell said when I previously found Dell ads running on Claria.) In future work, I’ll look in greater detail at which merchants pay affiliate commissions to which spyware programs, and I’ll also further document which merchants purchase advertising from companies whose software sneaks onto users’ computers.

Other companies partially responsible for these practices are the providers of the unwanted software — companies that pay commissions to distributors foisting their software onto users’ computers. In general there’s no reason to expect honorable behavior by providers of unwanted software. But some of the programs I received come from big companies with major investment backing: 180solutions received $40 million from Spectrum Equity Investors; Direct Revenue received $20 million from Insight Venture Partners; and eXact Advertising (makers of BargainBuddy and BullsEye) received $15 million from Technology Investment Capital Corp. With so much cash on hand, these companies are far from judgment-proof. Why are they paying distributors to install their software on users’ computers without notice and consent?

The problematic installations ultimately result from the “feature” of Windows Media Player that lets media files open web pages. But most users will only receive the contaminated files if they download files from P2P filesharing networks. Of course, rogue media files are but one way that P2P networks spread spyware. For example, users requesting Kazaa receive a large bundle of software (including Claria’s GAIN), after poor disclosures that bury key terms within lengthy licenses, without even section headers to help readers find what’s where. Users requesting Grokster receive unwanted software even if they press Cancel to decline Grokster’s installation (details).

Ed Bott offers an interesting, if slightly different, interpretation of these installations. Ed rightly notes that users with all the latest software — not just Windows XP Service Pack 2, but also Windows Media Player 10 — won’t get the tricky pop-ups described above. Ed also points out that Windows Media Player displays of ActiveX installation prompt pop-ups are similar to deceptive methods users have seen before, i.e. when web sites try to trick users into installing software. True. But I think Ed gives too little weight to the especially deceptive circumstances of a software installation prompt shown when users try to watch a video. For one, legitimate media players actually do use these prompts to install necessary updates (i.e. the latest version of Macromedia Flash), and Windows Media Player often shows similar prompts when it needs new codecs or other upgrades. In addition, the unusually misleading (purported) product name and company name make it particularly easy to be led astray here. Users deserve better.

Posted on

Empirical Analysis of Google SafeSearch

Google offers interested users a version of its search engine restricted by a service it calls SafeSearch, intended to omit references to sites with “pornography and explicit sexual content.” However, testing indicates that SafeSearch blocks at least tens of thousands of web pages without any sexually-explicit content, whether graphical or textual. Blocked results include sites operated by educational institutions, non-profits, news media, and national and local governments. Among searches on sensitive topics such as reproductive health, SafeSearch blocks results in a way that seems essentially random; it is difficult to construct a rational non-arbitrary basis for which pages are allowed and which are omitted. Full article.