Firms' Ad Bucks Also Fund Spyware
500 members are among the unwitting backers of software that sneaks
Times Staff Writer
May 9, 2005
Blue-chip companies are
sponsoring more than TV shows and golf tournaments to promote their
products: They are inadvertently underwriting computer spyware too.
Larry Ingram found that
out last month after spyware infested computers owned by Minnesota's
Hennepin County. The uninvited software spewed ads for such companies
as car maker Mercedes-Benz and online travel agency Travelocity.com.
Ingram, who oversees security
for the county's 11,000 computers, said those companies might have
relied — perhaps unknowingly — on unscrupulous advertising
But the software that invaded
Hennepin County penetrated more than 500 other workplaces. Those spyware
ads hint at how much of the cyber-world's latest plague is financed
in part by well-known companies.
Cash from blue-chip companies
"drives much of the spyware polluting the Internet today,"
said Joe Stewart, a Lurhq Corp. security researcher who traced the
attack back to the underlying ads.
Spyware — a term
encompassing both ad-supported programs that users don't want and
more-virulent software that steals financial information — is
the leading complaint of computer owners. It often sneaks into computers
when users download a piece of more desirable software, such as a
screensaver or file-trading program. Once there, the software typically
shows pop-up ads until a user can figure out how to uninstall it —
rarely an easy task.
A number of federal bills
aim to restrict the worst practices of the scourge, which is increasingly
cited as the greatest threat to the growth of electronic commerce.
Yet deliberately or not, money for spyware comes from the coffers
of Fortune 500 companies.
"We're funding the
business models because we don't know any better," said Clinton
Schmidt, the director of online marketing at 1-800 Contacts Inc.,
a publicly traded Sandy, Utah-based company that bills itself as the
world's largest contact-lens store.
Mercedes-Benz USA and Travelocity
said their pitches were placed in violation of company policies.
"We would not authorize
anything installed in such a manner," said Mercedes Internet
marketing manager Lisa Cooper. She said the company had been testing
a new ad network and hoped that the spyware appearance wouldn't be
Travelocity spokesman Joel
Frey said his company didn't know about the incident until contacted
by The Times.
"We can assure you
that it is against our policies for ads to appear in unwanted software,"
Frey said. "We're working fast and hard to get to the root cause."
That might be difficult.
Unintended placement isn't unusual on the decentralized Internet,
advertising specialists said, because the merchants are often several
steps removed from their own advertisements.
Here's how it works:
Instead of buying ad space
directly, companies usually dole out money to an agency. Those agencies
often turn to outside buyers specializing in Internet marketing. And
the buyers can split the funds even further, allocating some for banner
ads paid for based on how many people view them; some for "pay-per-click"
ads paid for based on the number of clicks for further information;
and some for "pay-per-sale" ads, in which publishers of
Web pages get a commission for electronically referring eventual buyers
to the merchant.
In each of those cases,
the Internet ad buyers can turn to advertising networks using thousands
or even tens of thousands of so-called affiliates. The networks take
a percentage of the spending and give another cut to the affiliates,
which range from one-person Web retailers to major companies that
distribute free, ad-supported software.
The problem is that the
networks and the affiliates — and the countless "sub-affiliates"
working for the affiliates — have an incentive to generate the
most viewers, clicks and buyers they can. That leads some of them
to trick people into installing spyware that produces a never-ending
stream of come-ons.
If an affiliate slips a
deceptive piece of software into someone's personal computer and persuades
the owner to buy something, the transaction could be passed through
three or four businesses — each taking a cut — before
the affiliate network hands off the customer to the merchant.
Some security experts estimate
that spyware and its cousin, adware, generate $500 million to $2 billion
a year in revenue for middlemen.
"The whole system
seems like it's been designed to reduce accountability," said
Ben Edelman, a Harvard graduate student who has testified before Congress
on spyware practices. "It's a nightmare of backroom deals."
Schmidt, of 1-800 Contacts,
said most merchants couldn't tell what traffic was legitimate and
what wasn't. The affiliate networks, which could tell, often don't
bother. "They're all taking the 'hear no evil, see no evil' approach,"
Some companies try harder
than others to police where their ads appear. Schmidt recently bought
tools to check into his company's biggest online referral claims and
threw out a third of the commissions as improperly earned. The worst
offender, he said, was a "drive-by download" that installed
spyware without asking and then claimed credit when infected users
went to the 1-800 Contacts website on their own.
Other companies don't seem
to care, said Elizabeth Cholawsky, a vice president at affiliate network
Commission Junction, which had about $60 million in sales last year.
she said, "just want a big program."
That's a common sentiment
in what is again a booming market. Internet ad spending rose more
than 30% to nearly $9.6 billion in 2004, according to the Interactive
The Hennepin County case
illustrates how that increasing pool of money is financing some inventive,
if undesired, activity. Employees there were tricked with what's called
"pharming," an insidious successor to "phishing."
In phishing attacks, con artists send official-looking e-mails to
draw people to pages resembling established sites. With pharming,
the e-mails aren't needed.
When county workers typed
a Web address such as Google.com, their desktop computers contacted
a central machine in the internal network that is supposed to translate
the letters into a numerical address for a computer at Google.
But in the largest incident
of pharming to date, unknown hackers had scanned thousands of such
machines around the country, looking for firms that hadn't fixed a
flaw in older versions of Microsoft Corp. software. They then fed
misinformation to the flawed machines, duping them into sending employees
to stand-ins for many popular websites.
The impostor sites presented
browsers with commercially oriented search engines like those that
can appear when users mistype common website names, as in yhoo.com
and ebya.com. Depending on what users said they were looking for,
such as cars or airplane tickets, the search engines took visitors
to ads including those for Mercedes and Travelocity.
The invisible glue between
one search engine and those ads — identified by Stewart through
the electronic codes being transmitted — was a pay-per-click
advertising network called FindWhat.com Inc. FindWhat gets paid every
time someone clicks on an ad for a merchant, and Web businesses that
refer him or her to FindWhat also get a fee — including, in
this case, a business apparently tied to the hackers.
"The big-name companies
are advertising on legitimate networks that utilize pay-per-click
search engines to drive traffic," Stewart said. "Unfortunately,
the pay-per-click model lends itself to abuse by rogue affiliates
who will hijack users."
FindWhat President Phillip
Thune said an affiliate's sub-affiliate, which had since been dismissed,
had violated FindWhat's policies in pursuit of a referral fee. But
a spokeswoman said the publicly traded Fort Myers, Fla., company never
learned who the sub-affiliate was and couldn't be sure the main affiliate
wouldn't strike a similar deal soon — even with the same sub-affiliate.
That doesn't impress activists
like Edelman, who say FindWhat affiliates have left their calling
cards in other unwanted software.
"That happens to FindWhat
over and over," Edelman said. "They've allowed it to fester
to make them money."
Some of the biggest search
companies, including Yahoo Inc., are also putting money behind programs
some consumers can't stand. Yahoo's Overture ad division, recently
renamed Yahoo Search Marketing, has a long-standing relationship with
Claria Corp., an ad-supported company that installs pop-up ad software.
Yahoo places copies of its clients' ads on Claria, splitting revenue
that results from that business. In a withdrawn filing for a public
stock sale last year, Claria said the arrangement brought in 31% of
its $90 million in 2003 revenue.
"That means they're
making Overture a lot of money as well," said Gary Stein, a Net
advertising analyst at Jupitermedia Corp. "Companies have issues
with Claria, but I don't imagine it would go away."
Goldman Sachs last week
estimated that Yahoo took in $20 million annually from Claria and
Intermix Media Inc., an adware company recently sued by New York Atty.
Gen. Eliot Spitzer. A Yahoo spokeswoman said Claria met the company's
standards for informing users what it was doing.
Claria and its largest
competitors — 180Solutions Inc., WhenU.com Inc. and DirectRevenue
— disclaim the spyware label, calling their programs "adware."
But all have been faulted for vague or insufficient disclosures to
consumers and for making their programs difficult to remove from computers.
Claria's software, for
example, usually isn't listed by name in the "add/remove programs"
menu on computers, making it harder to delete. And users who click
on ads for Claria products see installation screens that don't say
what will happen to their computers until after the user indicates
that they accept.
Claria Chief Marketing
Officer Scott Eagle said the company had recently made its terms clearer
and its removal easier.
Claria competitor 180Solutions
makes pop-up software that is installed automatically through browser
security holes. Although the firm said it was cracking down on that
practice, it still offers bounties for each installation, a model
that analyst Stein said encourages "all kinds of sneaky tactics."
Recent 180Solutions ads ran on behalf of J.P. Morgan Chase and Disney.
"Most of their advertisers
are mainstream companies," said Ari Schwartz, associate director
of the Center for Democracy and Technology, a nonprofit public policy
Just as not all merchants
care how they get their business, not all affiliate networks are equally
strict. Take Commission Junction, which is owned by Westlake Village-based
ValueClick Inc. and drives computer users to Citigroup Inc.'s Citibank,
Home Depot Inc. and IBM Corp.
Until this month, Commission
Junction's 70,000 affiliates included 180Solutions and a firm called
Exact Advertising, which makes a "Bargain Buddy" pop-up
that has been installed through a security flaw in Web browsers. Bargain
Buddy recently carried ads for 1,000 merchants, including Dell Inc.,
British Airways and Gap Inc.
After The Times asked about
the practices of Exact Advertising and 180Solutions, Commission Junction
said it was going to stop doing business with both.
Some say fed-up computer
users are the ultimate police force. Dell, the world's largest maker
of personal computers, withdrew its advertising from the biggest adware
companies a year ago. It quit working with Exact Advertising last
month after customers complained.
When Dell's anti-spam or
anti-spyware policies are abused, Dell spokeswoman Jennifer Davis
said, "if we don't find out about it, a customer is going to
tell us." But others, including Lurhq's Stewart, don't think
consumers understand enough about what's going on to pressure the
Far from fighting back,
he said, "before long, they'll start to think the Internet is
supposed to have pop-up ads on every page."
original link: http://www.latimes.com/business/la-fi-sponsor9may09,0,4336962.story?coll=la-home-business
Copyright 2005 Los Angeles