eburger68
Premium Member
join:2001-04-28


"Our sleazy affiliates did it..."

Hi All:

If there is one line that I am getting quite sick of hearing from adware vendors, it is the "we're-not-responsible-because-our-sleazy-affiliates-did-it" excuse. Most adware vendors use "pay-per-install" affiliate distribution networks of one sort or another to incentivize a wide range of third-parties to install their software on users' PCs. As noted in the several discussions of the "Spazbox incident" ( »Anatomy of a Drive-by-Install ), CDT, Inc. -- the company that was recently acquired by 180solutions and that also happens to be behind some of the software installed by Spazbox -- employs these very kinds of distribution arrangements through its LoudCash/SearchBarCash affiliate programs -- for an eye-opening read, see those respective home pages:

LoudCash
»www.loudcash.com/?sectio ··· programs

SearchBarCash
»www.searchbarcash.com/?s ··· programs

180solutions itself employs a similar distribution program:

»180solutions.com/pages/p ··· ers.aspx

And in the face of numerous complaints of "force-installs" of its software on hapless victims' PCs, 180solutions has liberally resorted to the "our-affiliates-did-it" excuse. After Ben Edelman pointed out the problem with "force-installs" of 180's older nCase software to a Seattle Post-Intelligencer reporter, 180 rep Todd Sawicki acknowledged that there was indeed a problem ( »seattlepi.nwsource.com/b ··· o02.html ):
said by Seattle PI:
[Sawicki] said n-Case could get bundled with other free software programs without the company’s knowledge. And that could lead to the n-Case software fastening to individual’s computers without their knowledge, he said.
But in a later interview with the LA Times, Sawicki attempted to blame the problem on rogue distributors outside of 180's control, even attempting to portray adware vendors themselves as victims ( »www.qcf.com/pdf/article1 ··· 2604.pdf ):
said by LA Times:
The people who manufacture the code that becomes spyware argue that they are not purposefully setting out to irritate millions of people. They contract the distribution of their software to third-party vendors. Sawicki of 180solutions said his industry had been victimized, too.

"We're not trying to be some company stomping on consumers," he said, but acknowledged the company had not been careful enough in overseeing the vendors it hired to distribute its programs. (...)

Sawicki blames the problems on "guys in Bermuda, offshore. They're the online equivalent of spammers. We want them to die a slow and painful death."
180 isn't the only adware vendor to resort to this excuse. In fact, I hear this excuse all the time from dodgy anti-spyware vendors (listed on the Rogue/Suspect Anti-Spyware page) whose products are pushed on consumers through sleazy advertising and installation methods.

I note all this in order to call your attention to a new piece from Wayne Porter at ReveNews that decisively punctures this excuse:

SpazBox- Just Because You Don't see it Doesn't Mean It Isn't There
»www.revenews.com/waynepo ··· 588.html

Reflecting on the question of who to blame for the Spazbox incident, Wayne puts the matter in very straightforward terms:
said by Wayne Porter:
Marketers continue to ponder the dangers of doing business with some adware partners. In many cases it isn’t so much the adware they find offensive (although some do) it is because the distribution methods are so controversial.

There are methods that sometimes cross the line into unethical and maybe even illegal. Clearly adware companies find this a fatal sticking point when talking to security companies like my own. They try to point to the value of their application for the consumer while at the same time they point the blame of unethical distribution into the hands of “rogue affiliates”.

Understanding the "Mule"

Who better to blame? If you recall my short satirical “Marty and Joe Series” written years ago I called the tactic “The Mule”. Set up an affiliate account, perform all kinds of dirty deeds and then terminate the affiliate. Case closed- the offender has been shot. No doubt there are real live cases of affiliate abuse, but more and more, as I scrutinize packet logs, text logs, traffic patterns and blend in my knowledge of spyware with performance marketing I am beginning to sense the “rogue affiliate” is actually a pack animal specifically bred by calculating marketers for the sole purpose of plausible deniability.
I urge you to read the rest of Wayne's meditation on this problem. I should note that I recently gave an interview in which I also addressed the question "who's responsible." My response in full:
said by Eric Howes:
The interesting thing about spyware and adware is that this kind of aggressive, malicious software is created not by the kinds of people that are responsible for traditional malware (viruses, trojans, worms), but rather by real businesses with real business plans. These are commercial interests in the advertising industry who are responsible for this problem by and large, and that makes the problem immensely more difficult to solve. Not only are these businesses being supported by advertisers (companies who pay money to get their product or service in front of eyeballs on the internet), but they are increasingly receiving cash infusions from venture capitalists (VCs).

That said, however, most security researchers will tell you that malware problems are converging -- that viruses, worms, and trojans are increasingly being created for commercial purposes (as spyware and adware have always been) and that spyware and adware are increasingly taking on the functional characteristics of traditional malware. And much of this stunning development and convergence is happening because of the rise of online groups that can only be described as borderline criminal gangs.

I've been urging people to have a look at the recent testimony by Ari Schwartz of the Center for Democracy and Technology (CDT) before a House sub-committee on January 26 of this year.

»www.cdt.org/testimony/20 ··· artz.pdf (PDF)

In that testimony Mr. Schwartz gives a useful description (with helpful flow charts) of the dizzyingly complex, multi-level distribution networks that are currently being used to spread adware and spyware online. At the top layers of these networks lie apparently legitimate advertising companies and the advertisers and VCs who fund them in one way or another. At the bottom layers of these networks lie borderline criminal gangs (Brian Livingston calls them the "web mafia") who use security exploits and other unethical means to stealth-install advertising software on victims' computers or bamboozle hapless web surfers into clicking through boxes they don't fully understand.

What fuels these networks and keeps them running is money: the advertisers (many of them large, respectable companies, as documented by Ben Edelman -- see »www.benedelman.org/) plow money into these networks when they purchase advertising in their endless quest for impressions and click-throughs on users' desktops. The adware companies take that money, and the cash infusions from VCs eager to score hot investments, and pump it into these multi-level distribution networks, offering pay-per-install agreements to their distributors. The distributors themselves spread that pay-per-install money around to their own partners and affiliates, who might employ still more layers of distributors.

The result, of course, is entirely and depressingly predictable: the apparently respectable companies at the top rake in the advertising and VC money; the borderline criminal elements at the bottom and throughout the distribution networks rake in the pay-per-install money; the advertisers themselves rake in millions of ad-impressions on users' desktops; and millions of innocent web users see their PCs trashed by adware and spyware that is installed on their PCs without their full, meaningful knowledge and consent.

Still worse, the respectable folks at the top avert their eyes and pretend not to know what's going on at the bottom. When confronted with specific examples of unethical installations, they pronounce themselves "shocked, shocked!" that such things would be happening and make all kinds of self-important noises about cleaning up their distribution networks. And so they set up or join toothless "industry self-regulation" rackets to paint the veneer of legitimacy over their sleazy business practices. The slickest of them may even get themselves appointed to federal privacy review boards, amazingly enough.

Meanwhile, the commissioners at the FTC declare that we don't need any new legislation, and that they've got the problem firmly under control. Just why, then, we have one of the nastiest, most destructive and prolific of malware-adware firms sitting up in New York City happily plying its trade and threatening critics completely unhindered by the FTC, or just why one of the biggest distribution hubs in the world for CoolWebSearch exploits is being hosted out in California and being allowed to continue merrily trashing millions of victims' PCs is never fully explained, however.

This is what's happening right now with spyware and adware. The parties responsible for driving this problem are not pimply-faced hackers without social lives. No, the guilty parties are nicely dressed business people with high-priced MBAs, slick business plans, generous VC funding, and aggressive commercial designs on advertising markets. That's the sad and scary reality of spyware and adware these days.
For a further discussion of the underlying commercial aspects of spyware and adware, see my comments here:

»What's the *motivation* for hijack-ware?

And for a discussion of VCs and advertisers supporting adware companies, see Ben Edelman's site:

»www.benedelman.org/

As always, happy reading.

Best,

Eric L. Howes

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI


I think all that is a lesson for any developer who has a good program or application that everyone likes..on how they then proceed to market it. Once you let an affiliate or group get their hooks into the pie..you lose some control. And if you do not check them out first..you end up carrying their reputation to your grave.

Messenger Plus comes to mind on all that. I bet the developer wishes they could turn the clock back on that one.

JimIT
join:2003-06-25
Fort Worth, TX

JimIT to eburger68

Member

Very interesting read. Thanks!
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to eburger68

Member

And if you believe the spyware authors I have some land on the moon I'll sell you cheap. It even has a house built there....

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX


Doctor Four to eburger68

Blame your affiliates, blame the user: it sounds an
awful lot like one of the tactics spammers use to
avoid being responsible. Reminds me of Crissman's
Corollary to Rule #2 of the Rules Of Spam:

"A spammer (or in this case spyware vendor), when
caught, blames his victims."
Bobby_Peru
Premium Member
join:2003-06-16


Bobby_Peru to eburger68

This is very reminiscent of SpamCop members' successful effort to hold Echostar Communications Corp / Dishnetwork responsible for the deluge of UCE concerning their products and services, back in 2000-2001, though the present circumstances are much more nefarious, complex and damaging.

The usual (corporate) pathology was exhibited back then too:

1) Denial of existence of a problem.
2) In the alternative, if the alleged situation even exists, it's not a problem.
3) In the alternative, if the alleged situation even exists, and it is even a problem, it's not our problem.
4) In the alternative, if the alleged situation even exists, and it is even a problem, and even if it's somehow our problem, why should we really care.
5) In the alternative, if the alleged situation even exists, and it is even a problem, and even if it's somehow our problem, and even if we should somehow care, we can't do anything about it anyway.
6) In the alternative, if the alleged situation even exists, and it is even a problem, and even if it's somehow our problem, and even if we should somehow care, and even if we can do something about it, it will take a very very very long time.

LARTS (email, postal, and phone) were aimed directly at the apparent TOP of the profit path, Echostar/Dish. It seemed to be successful, relatively quickly.

They were told that they would be held accountable for the actions of those below them (no matter what they choose to call them: distributors, affiliates, partners...). They were told to immediately inform those below them to immediately cease and desist, and to immediately include strong contractual protections against any such future actions. They apparently were convinced that continuing their actions was less beneficial than the risk of the potential promised actions.

While the present situation is much more complex, the damages are also much greater.

Like you have said, "plausible deniability" attempts are employed, but something is always being PUSHED. There is the clear path to at least one direct benefactor to go after, and that is whatever product/service/company is being "crapwarevertised"!

If they do not want the potential negative effects of campaigns similar to SpamCop members and EchoStar, then they likewise need to quickly hose themselves off by reining in whomever they are paying for their "Advertising".

Side Note: It may seem like quibbling, but consider that we are falling into a trap with the almost reflexive use of the term "consumer". That is exactly all these folks see every even somewhat sentient being, exactly what their dangerous and damaging activities are all about, and exactly how they desire us to also view ourselves, always (Security, 'tinfoil hats' and all, will take on a new meaning when Sony aims to beam sights, sounds into brain succeeds). The very dangerous thing is, it appears to be working quite well. How about more use of "Web surfers", instead? I may be wrong, but do think it is an important part of the battle.

[edit: Doctor Four, stop reading my post previews! Hey, how about Rule #1?]
eburger68
Premium Member
join:2001-04-28


Bobby:

You wrote:
said by Bobby_Peru:

Side Note: It may seem like quibbling, but consider that we are falling into a trap with the almost reflexive use of the term "consumer". That is exactly all these folks see every even somewhat sentient being, exactly what their dangerous and damaging activities are all about, and exactly how they desire us to also view ourselves, always (Security, 'tinfoil hats' and all, will take on a new meaning when Sony aims to beam sights, sounds into brain succeeds). The very dangerous thing is, it appears to be working quite well. How about more use of "Web surfers", instead? I may be wrong, but do think it is an important part of the battle.
Excellent point, and one that I, too, am most concerned about, as I think it important that we not be reduced to our roles as consumers. We are people, we are citizens, we are users, we are Netizens, we are web surfers.

I try to use a varied number of these terms when describing the victims of spyware and adware, because they are surely more than just "consumers." In many cases, even if they are "consumers," they were unwilling "consumers."

Best,

Eric L. Howes

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to eburger68

Mike Healan of SpywareInfo had a hypothetical future
scenario story posted on his site a while back should the
advertisers/marketers/adware companies get their way:
every single waking moment of your life would be
surrounded by advertising you couldn't ignore
nor turn off. Kind of like in Minority Report, but much,
much worse. And if you dared to even interfere or stop
those intrusive ads, you'd get arrested and hauled off
to prison.
Bobby_Peru
Premium Member
join:2003-06-16


said by Shuten Doji:

... should the advertisers/marketers/adware companies get their way:
every single waking moment of your life would be surrounded by advertising you couldn't ignore nor turn off....
[Emphasis added]

Exactly, but what possible theory of maximization would allow one to fail to exploit all of those non-waking moments as well! Add an additional "revenue stream" by requiring payment for it, and perhaps greater payment for any slight 'pause in the deliverance' ("non-published" listings...) from it. To one degree or another, it's coming, if we let it.

The sad fact is that there are people in "PR" (and other) organizations that demonstrate again and again that they will do anything for money/power, including conducting mass propaganda campaigns designed to facilitate the death and destruction that is War. A tanker-load of crapware would hardly give them a pause.

"Following the money" to identify the benefactors that _could_ be swayed, and bringing pressure upon them to cease might be one course of action.
Scaramouche8
join:2004-09-10
Philippines

Scaramouche8 to eburger68

Member

I really don't have a lot of sympathy for these companies in this case (or any other case really). Affiliate marketing can be hard to control and by choosing to use it irresponsibly you are basically saying "we do not care about our reputation, name, or safety and privacy of potential customers since we are now entrusting them to some of the most unethical people on the planet."

Saying a "rogue affiliate" did it, while true, does not obviate the original company of responsibility in ANY way. Who chose the affiliate? Who is responsible for vetting the quality of affiliates? Who decides when there's too many affiliates to monitor effectively? Who is responsible for monitoring the affiliate? Who pays out to the affiliate?

In almost every case (albeit through some protective layers of corporate obfuscation) the original adware company is the answer to the above questions. If you can't control your own affiliate process you are either an idiot and shouldn't be in business anyway, or you are deliberately amoral and should be shut down.