Blue-chip companies are sponsoring more than TV shows and golf tournaments to promote their products: They are inadvertently underwriting computer spyware too.
Larry Ingram found that out last month after spyware infested computers owned by Minnesota’s Hennepin County. The uninvited software spewed ads for such companies as car maker Mercedes-Benz and online travel agency Travelocity.com.
Ingram, who oversees security for the county’s 11,000 computers, said those companies might have relied -- perhaps unknowingly -- on unscrupulous advertising middlemen.
But the software that invaded Hennepin County penetrated more than 500 other workplaces. Those spyware ads hint at how much of the cyber-world’s latest plague is financed in part by well-known companies.
Cash from blue-chip companies “drives much of the spyware polluting the Internet today,” said Joe Stewart, a Lurhq Corp. security researcher who traced the attack back to the underlying ads.
Spyware -- a term encompassing both ad-supported programs that users don’t want and more-virulent software that steals financial information -- is the leading complaint of computer owners. It often sneaks into computers when users download a piece of more desirable software, such as a screensaver or file-trading program. Once there, the software typically shows pop-up ads until a user can figure out how to uninstall it -- rarely an easy task.
A number of federal bills aim to restrict the worst practices of the scourge, which is increasingly cited as the greatest threat to the growth of electronic commerce. Yet deliberately or not, money for spyware comes from the coffers of Fortune 500 companies.
“We’re funding the business models because we don’t know any better,” said Clinton Schmidt, the director of online marketing at 1-800 Contacts Inc., a publicly traded Sandy, Utah-based company that bills itself as the world’s largest contact-lens store.
Mercedes-Benz USA and Travelocity said their pitches were placed in violation of company policies.
“We would not authorize anything installed in such a manner,” said Mercedes Internet marketing manager Lisa Cooper. She said the company had been testing a new ad network and hoped that the spyware appearance wouldn’t be repeated.
Travelocity spokesman Joel Frey said his company didn’t know about the incident until contacted by The Times.
“We can assure you that it is against our policies for ads to appear in unwanted software,” Frey said. “We’re working fast and hard to get to the root cause.”
That might be difficult. Unintended placement isn’t unusual on the decentralized Internet, advertising specialists said, because the merchants are often several steps removed from their own advertisements.
Here’s how it works:
Instead of buying ad space directly, companies usually dole out money to an agency. Those agencies often turn to outside buyers specializing in Internet marketing. And the buyers can split the funds even further, allocating some for banner ads paid for based on how many people view them; some for “pay-per-click” ads paid for based on the number of clicks for further information; and some for “pay-per-sale” ads, in which publishers of Web pages get a commission for electronically referring eventual buyers to the merchant.
In each of those cases, the Internet ad buyers can turn to advertising networks using thousands or even tens of thousands of so-called affiliates. The networks take a percentage of the spending and give another cut to the affiliates, which range from one-person Web retailers to major companies that distribute free, ad-supported software.
The problem is that the networks and the affiliates -- and the countless “sub-affiliates” working for the affiliates -- have an incentive to generate the most viewers, clicks and buyers they can. That leads some of them to trick people into installing spyware that produces a never-ending stream of come-ons.
If an affiliate slips a deceptive piece of software into someone’s personal computer and persuades the owner to buy something, the transaction could be passed through three or four businesses -- each taking a cut -- before the affiliate network hands off the customer to the merchant.
Some security experts estimate that spyware and its cousin, adware, generate $500 million to $2 billion a year in revenue for middlemen.
“The whole system seems like it’s been designed to reduce accountability,” said Ben Edelman, a Harvard graduate student who has testified before Congress on spyware practices. “It’s a nightmare of backroom deals.”
Schmidt, of 1-800 Contacts, said most merchants couldn’t tell what traffic was legitimate and what wasn’t. The affiliate networks, which could tell, often don’t bother. “They’re all taking the ‘hear no evil, see no evil’ approach,” Schmidt said.
Some companies try harder than others to police where their ads appear. Schmidt recently bought tools to check into his company’s biggest online referral claims and threw out a third of the commissions as improperly earned. The worst offender, he said, was a “drive-by download” that installed spyware without asking and then claimed credit when infected users went to the 1-800 Contacts website on their own.
Other companies don’t seem to care, said Elizabeth Cholawsky, a vice president at affiliate network Commission Junction, which had about $60 million in sales last year.
“Some advertisers,” she said, “just want a big program.”
That’s a common sentiment in what is again a booming market. Internet ad spending rose more than 30% to nearly $9.6 billion in 2004, according to the Interactive Advertising Bureau.
The Hennepin County case illustrates how that increasing pool of money is financing some inventive, if undesired, activity. Employees there were tricked with what’s called “pharming,” an insidious successor to “phishing.” In phishing attacks, con artists send official-looking e-mails to draw people to pages resembling established sites. With pharming, the e-mails aren’t needed.
When county workers typed a Web address such as Google.com, their desktop computers contacted a central machine in the internal network that is supposed to translate the letters into a numerical address for a computer at Google.
But in the largest incident of pharming to date, unknown hackers had scanned thousands of such machines around the country, looking for firms that hadn’t fixed a flaw in older versions of Microsoft Corp. software. They then fed misinformation to the flawed machines, duping them into sending employees to stand-ins for many popular websites.
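A defender can spot the poisoning described above by comparing the internal resolver's answers with a baseline collected from a trusted vantage point, then flagging unrelated popular sites that suddenly share one address block. The Python below is an added example, not part of the original article; its baseline networks, sample answers (documentation-range addresses) and function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each site normally resolves into,
# recorded from a trusted vantage point (RFC 5737 documentation ranges).
BASELINE = {
    "google.com": ["198.51.100.0/26"],
    "yahoo.com": ["198.51.100.64/26"],
    "ebay.com": ["198.51.100.128/26"],
}

# Constructed sample of (name, address) answers from the internal resolver.
ANSWERS = [
    ("google.com", "203.0.113.66"),
    ("yahoo.com", "203.0.113.66"),
    ("ebay.com", "203.0.113.67"),
    ("google.com", "198.51.100.5"),
    ("intranet.example", "192.0.2.10"),
]

def off_baseline(answers, baseline):
    """Return the (name, ip) answers that fall outside the name's known networks."""
    hits = []
    for name, ip in answers:
        nets = baseline.get(name.lower().rstrip("."))
        if nets is None:
            continue  # no baseline for this name, nothing to compare against
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            hits.append((name, ip))
    return hits

def shared_standins(answers, baseline, min_domains=2, prefix=24):
    """Group off-baseline answers by address block.

    Several unrelated sites landing in one block is the signature of a
    poisoned resolver sending users to stand-in servers.
    """
    groups = defaultdict(set)
    for name, ip in off_baseline(answers, baseline):
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(block)].add(name)
    return {b: sorted(n) for b, n in groups.items() if len(n) >= min_domains}

if __name__ == "__main__":
    for block, names in shared_standins(ANSWERS, BASELINE).items():
        print(f"ALERT {block}: {', '.join(names)} resolve outside baseline")
```

A single off-baseline answer can be a legitimate address change, which is why the alert requires several sites converging on one block.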
The impostor sites presented browsers with commercially oriented search engines like those that can appear when users mistype common website names, as in yhoo.com and ebya.com. Depending on what users said they were looking for, such as cars or airplane tickets, the search engines took visitors to ads including those for Mercedes and Travelocity.
The invisible glue between one search engine and those ads -- identified by Stewart through the electronic codes being transmitted -- was a pay-per-click advertising network called FindWhat.com Inc. FindWhat gets paid every time someone clicks on an ad for a merchant, and Web businesses that refer him or her to FindWhat also get a fee -- including, in this case, a business apparently tied to the hackers.
“The big-name companies are advertising on legitimate networks that utilize pay-per-click search engines to drive traffic,” Stewart said. “Unfortunately, the pay-per-click model lends itself to abuse by rogue affiliates who will hijack users.”
FindWhat President Phillip Thune said an affiliate’s sub-affiliate, which had since been dismissed, had violated FindWhat’s policies in pursuit of a referral fee. But a spokeswoman said the publicly traded Fort Myers, Fla., company never learned who the sub-affiliate was and couldn’t be sure the main affiliate wouldn’t strike a similar deal soon -- even with the same sub-affiliate.
That doesn’t impress activists like Edelman, who say FindWhat affiliates have left their calling cards in other unwanted software.
“That happens to FindWhat over and over,” Edelman said. “They’ve allowed it to fester to make them money.”
Some of the biggest search companies, including Yahoo Inc., are also putting money behind programs some consumers can’t stand. Yahoo’s Overture ad division, recently renamed Yahoo Search Marketing, has a long-standing relationship with Claria Corp., an ad-supported company that installs pop-up ad software. Yahoo places copies of its clients’ ads on Claria, splitting revenue that results from that business. In a withdrawn filing for a public stock sale last year, Claria said the arrangement brought in 31% of its $90 million in 2003 revenue.
“That means they’re making Overture a lot of money as well,” said Gary Stein, a Net advertising analyst at Jupitermedia Corp. “Companies have issues with Claria, but I don’t imagine it would go away.”
Goldman Sachs last week estimated that Yahoo took in $20 million annually from Claria and Intermix Media Inc., an adware company recently sued by New York Atty. Gen. Eliot Spitzer. A Yahoo spokeswoman said Claria met the company’s standards for informing users what it was doing.
Claria and its largest competitors -- 180Solutions Inc., WhenU.com Inc. and DirectRevenue -- disclaim the spyware label, calling their programs “adware.” But all have been faulted for vague or insufficient disclosures to consumers and for making their programs difficult to remove from computers.
Claria’s software, for example, usually isn’t listed by name in the “add/remove programs” menu on computers, making it harder to delete. And users who click on ads for Claria products see installation screens that don’t say what will happen to their computers until after the user indicates that they accept.
Claria Chief Marketing Officer Scott Eagle said the company had recently made its terms clearer and its removal easier.
Claria competitor 180Solutions makes pop-up software that is installed automatically through browser security holes. Although the firm said it was cracking down on that practice, it still offers bounties for each installation, a model that analyst Stein said encourages “all kinds of sneaky tactics.” Recent 180Solutions ads ran on behalf of J.P. Morgan Chase and Disney.
“Most of their advertisers are mainstream companies,” said Ari Schwartz, associate director of the Center for Democracy and Technology, a nonprofit public policy group.
Just as not all merchants care how they get their business, not all affiliate networks are equally strict. Take Commission Junction, which is owned by Westlake Village-based ValueClick Inc. and drives computer users to Citigroup Inc.’s Citibank, Home Depot Inc. and IBM Corp.
Until this month, Commission Junction’s 70,000 affiliates included 180Solutions and a firm called Exact Advertising, which makes a “Bargain Buddy” pop-up that has been installed through a security flaw in Web browsers. Bargain Buddy recently carried ads for 1,000 merchants, including Dell Inc., British Airways and Gap Inc.
After The Times asked about the practices of Exact Advertising and 180Solutions, Commission Junction said it was going to stop doing business with both.
Some say fed-up computer users are the ultimate police force. Dell, the world’s largest maker of personal computers, withdrew its advertising from the biggest adware companies a year ago. It quit working with Exact Advertising last month after customers complained.
When Dell’s anti-spam or anti-spyware policies are abused, Dell spokeswoman Jennifer Davis said, “if we don’t find out about it, a customer is going to tell us.” But others, including Lurhq’s Stewart, don’t think consumers understand enough about what’s going on to pressure the blue-chip firms.
Far from fighting back, he said, “before long, they’ll start to think the Internet is supposed to have pop-up ads on every page.”