FTC shuts down spyware Web sites
Company selling harmful program, authorities allege
SEATTLE - Consumers across the country who bought a Washington company's anti-spyware program could be unwittingly allowing malicious software to upload onto their computers. The Federal Trade Commission recently shut down the Spokane company promoting software called SpywareAssassin after investigators discovered it didn't work, leaving consumers vulnerable to pop-up ads, privacy invasions and other threats, according to newly unsealed court documents. A federal judge in Spokane issued a temporary restraining order on March 8 against the software's promoter, Thomas Delanoy, who says that he has been advised by his attorney not to comment on the case. Meanwhile, computer experts say that with the rapidly increasing infiltration of exploitative software on personal machines, all computer users, whether they paid for the allegedly useless SpywareAssassin or not, should seek protection against unknown software downloads.
All types of danger
Spyware is now a common term for software that, without the user's knowledge, tracks activities on the computer and then transmits information over the Internet to someone else who uses it, presumably for marketing or theft. There are several types of spyware, from what experts describe as passive, such as cookies, to the more malicious, such as browser hijackers, key loggers (recording all keystrokes, including passwords or credit card numbers), viruses and automatic phone dialers. According to the FTC, the makers of SpywareAssassin, MaxTheater and their affiliates, used e-mails and Internet ads to market the bogus software, then used deceptive pop-ups to scare consumers. "You have dangerous spyware virus infections on your computer," the pop-ups declared, when there was no way to know if the computer contained spyware. "This spyware threat is very, very real," said Steven Gribble, a computer science professor at the University of Washington. "So, this company, assuming the FTC was correct, was capitalizing on this very tangible, very real threat. The metaphor I would use is a company selling snake oil to protect you against the bird flu." SpywareAssassin.com told viewers that there was a 99 percent chance their computers were infected with adware or spyware and then purported to create an "ironclad line of defense" against them. No one knows for sure how many computers are infected, although it is "frighteningly high," Gribble said. He estimated that between 75 percent and 80 percent of computers have at one point been given spyware. "This is the reality of living on an open Internet. You now need anti-virus software, anti-spyware software and you need anti-spam software, and you need firewalls, as well," said Hank Levy, another UW computer science professor.
Gribble and Levy published a report last September, apparently the first academic attempt to quantify the proliferation of spyware, showing that 69 percent of organizations using the UW network, such as academic departments, had at least one host computer profile infected with spyware. The professors emphasized the infiltration on campus despite UW's network security protocols. The UW study found that just four common spyware applications affected 1,587, or 5 percent, of networked computers on campus. But many experts believe that there are more than 800 distinct spyware applications actively floating around the Internet. The number of times those applications are spread increases exponentially as millions of users download free software, often called shareware, which allows spyware to piggyback through the download. Some of the most common shareware that brought spyware along with it to UW computers were Kazaa and Morpheus, programs that help people share files, according to the UW study. Piggybacking on downloads also can allow a particular type of spyware to open back doors through network firewalls. Acting on consumers' fears of the spyware phenomenon, Congress last fall tried to pass the SPY ACT (Securely Protect Yourself Against Cyber Trespass.) The measure passed the House but lingered in the Senate. The measure is now before Congress again, but lawmakers have rewritten portions to exclude other, more common types of marketing tools, such as cookies. There is also a new exception for anti-piracy programs, such as Microsoft's Windows Genuine Advantage, which interacts with a computer to determine if the software running on it was properly paid for and licensed.
In Olympia, meanwhile, the state House last week passed a bill that would prohibit anyone from transmitting software to deceptively modify another's computer settings, collect personally identifiable information through key logging, prevent the installation or uninstalling of programs or otherwise take control of the other person's computer. The bill also would restrict the use of spyware for unrequested marketing. The bill, HB 1012, must go before the state Senate. If enacted, Washington would be one of the first states to prohibit the use of spyware. Twenty other states are considering similar laws this year, according the National Conference of State Legislators. No one testified against the bill, but such legislation could curb the practices of some Washington businesses, such as Bellevue-based 180Solutions, which have programs that allow it to display advertising targeted to a computer user's current activity, such as browsing the Internet for a particular product.
The problem with spyware is likely to get worse before it gets better, Gribble said. "There are programs out there that purport to be anti-spyware that you can download for free that are actually spyware," he said. SpywareAssassin charged consumers $29.99. In addition to the phony detection of spyware, the software does not remove "any and all," as it advertises, nor even substantially all of the spyware installed on a computer, the FTC said. Most of the Web sites promoting SpywareAssassin have been taken offline. According to captured images of the sites, MaxTheater also offered webmasters a 70 percent cut, or $21, for each $30 sale of the software download. Mona Spivack, lead attorney in the FTC case against SpywareAssassin, said that there are likely many consumers who bought the software who think they are protected against spyware but could be running malicious software on their computers. Spivack declined to say how many consumers may have purchased the software but said the promotion was spread nationwide.
By CANDACE HECKMAN
What is Adware?
Pharming for Your Identity
Phishing Flaw in Alternate Browsers
Phishing Hole Discovered in Internet Explorer
Avoiding a Phishing attack