THE PLOT TO HIJACK YOUR COMPUTER

  • cartridgewebsite-com-big-banner-02-09-07-2016
  • 161213_banner_futorag_902x177px
  • 2toner1-2
  • mse-big-banner-new-03-17-2016-416716a-tonernews-web-banner-mse-212
  • futor_902x177v7-tonernew
  • ink-direct-banner-902-x-177-v-1-2-big-banner-03-23-2017
  • banner-01-26-17b
  • clover-depot-intl-us-ca-email-signature-05-10-2017-902x1772
  • 05 02 2016 429716a-cig-clearchoice-banner-902x177
  • Print
  • 4toner4
Share

THE PLOT TO HIJACK YOUR COMPUTER

 user 2006-07-10 at 10:36:00 am Views: 75
  • #15940

    The Plot To Hijack Your Computer
    They
    watch you surf the Web. They plague you with pop-up ads. Then they
    cripple your hard driveConsumers have strong opinions about Direct
    Revenue’s software. “If I ever meet anyone from your company, I will
    kill you,” a person who identified himself as James Chang said in an
    e-mail to Direct Revenue last summer. “I will f—— kill you and your
    families.” Such sentiments aren’t unusual. “You people are EVIL
    personified,” Kevin Horton wrote around the same time. “I would like
    the four hours of my life back I have wasted trying to get your stupid
    uninvited software off my now crippled system.”Sifting through a stack
    of customer complaints in June, 2005, a Direct Revenue employee decided
    to tally the most frequently used words of aggression: “die” (103
    times), “f——” (44), and “kill” (15). Douglas Kee, then Direct
    Revenue’s chief of quality assurance (QA), ribbed colleagues in an
    e-mail that with all the death threats, it was a “good thing QA sits
    farthest away from the entrance.”According to angry consumers and the
    New York State Attorney General, Direct Revenue makes “spyware.” These
    programs track where you go on the Internet and clutter your screen
    with annoying pop-up advertisements for everything from pornography to
    wireless phone plans. Spyware can get stuck in your computer’s hard
    drive as you shop, chat, or download a song. It might arrive attached
    to that clever video you just nabbed at no charge. Web security company
    McAfee Inc. (MFE ) estimates that nearly three-quarters of all sites
    listed in response to Internet searches for popular phrases like “free
    screen savers” or “digital music” attempt to install some form of
    advertising software in visitors’ computers. Once lodged there, spyware
    can sap a PC’s processing power, slow its functioning, and even cause
    it to crash.This explains the vitriol aimed at Direct Revenue. The
    company, located in a loft above a clothing boutique in New York’s hip
    SoHo district, has been a pioneer in a seamy corner of the booming Net
    advertising industry. Although it is small by some corporate standards,
    having generated sales of about $100 million since its start in 2002,
    its programs have burrowed into nearly 100 million computers and
    produced billions of pop-up ads.Direct Revenue’s swift rise illustrates
    the intertwining of spyware and mainstream online marketing. The Web is
    the hottest game in advertising, but what’s rarely acknowledged is the
    extent to which unsavory pop-ups boost the returns. Here’s how it often
    works: Sellers of advertising, ranging from giant Yahoo! Inc. (YHOO )
    to much smaller networks, recruit clients, tally the clicks their ads
    generate, and charge accordingly. But then Yahoo and the other
    advertising companies sign up partners that distribute the ads beyond
    their own sites in return for a fee, and those partners sign up other
    partners. Down the line, a big piece of the business winds up in the
    hands of outfits like Direct Revenue, which disseminate the ads as
    pop-ups and share revenue with their more mainstream partners. Some
    advertisers say their messages have appeared in pop-ups without their
    permission. Others seek out pop-ups, and Direct Revenue frequently
    sells ads directly to such advertisers.Spyware rakes in an estimated $2
    billion a year in revenue, or about 11% of all Internet ad business,
    says the research firm IT-Harvest. Direct Revenue’s direct customers
    have included such giants as Delta Air Lines (DALRQ ) and Cingular
    Wireless. It has sold millions of dollars of advertising passed along
    by Yahoo. And Direct Revenue has received venture capital from the
    likes of Insight Venture Partners, a respected New York investment firm.
    SPREADING STRATEGY
    Many
    of those impressive ties have frayed or ripped apart recently as Direct
    Revenue has struggled to fend off a lawsuit filed in April by New York
    Attorney General Eliot Spitzer. The state court action alleges that
    Direct Revenue crossed a legal line by installing advertising programs
    in millions of computers without users’ consent. Shining a light on the
    shadowy spyware trade, the suit asserts that the company violated New
    York civil laws against false advertising, computer tampering, and
    trespassing.This article is based in part on more than 1,000 pages of
    Direct Revenue’s internal e-mail and other documents included in court
    filings. BusinessWeek has reviewed additional documents and interviewed
    dozens of industry insiders, including 12 current and former Direct
    Revenue employees and executives.The company denies any wrongdoing. In
    a filing in June, it calls the Spitzer suit “much ado about nothing”
    and defends its past practices as “commonplace” in the industry. It
    calls its programs “adware” and says it has notified consumers when
    putting the programs on their computers. It insists that some of the
    methods Spitzer assails “were long ago changed.” And it argues that by
    accepting its ads, consumers get popular software applications free of
    charge that otherwise can cost up to $30 apiece.In the wake of the
    litigation, Direct Revenue has shrunk in size, but it remains an
    important player on the spyware scene. Thousands of people still
    complain each month to Web security firms about new computer infections
    caused by Direct Revenue programs (although many users are baffled
    about what’s causing the maladies). And a new generation of spyware
    purveyors of equal or greater potency is imitating Direct Revenue’s
    strategies, infuriating customers, and threatening to taint the larger
    business of online advertising. Chances are you have some of their
    handiwork hidden within your hard drive right now.
    SPAM KING
    Direct
    Revenue’s origins trace the rise of what might politely be called one
    of the more freewheeling sectors of Internet commerce. The company’s
    sales philosophy, according to current and former employees, was
    heavily shaped by Jesse Stein, a Wharton School-educated marketer whose
    successes before joining the company included selling VigRX, an herbal
    penile-enlargement supplement. VigRX may sound familiar because, to win
    customers, Stein inundated e-mail in-boxes with spam promoting the
    product. In 2003, when the ABC News (DIS ) 20/20 program identified
    what it said were the biggest online spammers, it featured VigRX and
    showed one of Stein’s e-mails. He reveled in the notoriety. On his desk
    at Direct Revenue, Stein, now 36, kept a framed 20/20 screen shot of
    his VigRX spam, former colleagues say.His eventual boss, Joshua Abram,
    came to online hawking from a different angle. His family has a rich
    history of public service. Abram’s late father, Morris, was a civil
    rights activist in the 1960s who later served as president of Brandeis
    University and U.S. ambassador to the U.N. under President George H.W.
    Bush. Joshua’s sister, Ruth, heads the Lower East Side Tenement Museum
    in New York.In 1999 Joshua Abram helped start Dash.com, a benign
    precursor to later spyware operations. Dash attached an unobtrusive
    horizontal bar to the bottom of a computer user’s Web browser. As the
    user moved around the Internet, Dash would note the sites being visited
    and offer relevant text ads inside the narrow bar. Dash went out of its
    way to ask users’ permission to install the ad bar, and the company
    even shared its fees with consumers who made purchases. But Dash’s
    tactful text ads drew relatively few clicks, and its fee-sharing became
    an administrative nightmare. As the Internet market imploded in 2001,
    Dash folded.Abram, known for wearing stylish suits amid a sea of techie
    grunge, kept developing ad software with several colleagues. They
    joined a broad post-bust move toward treating customers with less
    respect. One of the new spyware variants he helped create was called
    VX2, which a former colleague and computer security professionals
    believe was named after the deadly, undetectable VX nerve agent. In
    2002, Abram, a father of two and husband of a fashion-industry
    executive, started Direct Revenue. His co-founders were fellow Dash
    alumnus Daniel Kaufman and a pair of data-mining entrepreneurs from a
    company called Pipe9, Alan Murray and Rodney Hook. The next year,
    Direct Revenue did business with and then acquired Stein’s online ad
    agency, forming a spyware powerhouse. Stein declined to comment. The
    four founders didn’t respond to numerous inquiries.By early 2004,
    Direct Revenue, with Abram as CEO, had settled into its SoHo loft,
    employing two dozen programmers and salespeople. Current and former
    staff members say the place had an informal, often cynical atmosphere.
    The unsophisticated computer users subjected to Direct Revenue’s ads
    had a nickname among some staffers: “trailer cash.”Knowledgeable
    consumers can reduce the risk of spyware infection by using widely
    available security software and steering clear of free online goodies.
    Direct Revenue and its rivals — companies with such names as eXact
    Advertising and Zango — say they employ “user agreements” that notify
    individuals when they are about to download their software. But the
    agreements typically can be found only by clicking on links deep within
    separate legal agreements related to the online freebies. The documents
    tend to be lengthy and opaque. Large numbers of Internet users who lack
    adequate security software and fail to read the legalese make
    themselves vulnerable.
    SPY VS. SPY
    Once
    embedded in your hard drive, spyware communicates via the Internet with
    the company that produced it. The company’s computer keeps track of
    your online meanderings and sends you pop-up ads relevant to the sites
    you visit. The travel-booking sites Travelocity (TSG ) and
    Priceline.com (PCLN ) have both been direct customers of Direct
    Revenue. People who picked up Direct Revenue spyware and then perused
    flights on Travelocity might find their screens obstructed by a pop-up
    for Priceline, or vice-versa. The travel sites say they stopped doing
    business with the company earlier this year.Direct Revenue and other ad
    software creators struggle to balance an impulse to pump out waves of
    profitable pop-ups against the danger of enraging consumers who lose
    control of their computers. “Most of these companies can’t overcome
    their desire to make the most money right away,” says Sam Curry,
    vice-president for product management at Computer Associates
    International Inc. in Islandia, N.Y. (CA )From early on, a small group
    of programmers at Direct Revenue focused on how to protect their
    employer’s programs once they were lodged in a computer, current and
    former employees say. The team called itself Dark Arts after the term
    for evil magic in the Harry Potter series. One of the biggest threats
    Dark Arts addressed came from competing software. The presence of
    multiple spyware programs can so cripple a computer that no ads manage
    to get seen.Dark Arts crafted software “torpedoes” that blasted rival
    spyware off computers’ hard drives. Competitors aimed similar weapons
    back at Direct Revenue’s software, but few could match the wizardry of
    Dark Arts. One adversary, Avenue Media, filed suit in federal court in
    Seattle in 2004, alleging that in a matter of days, Direct Revenue
    torpedoes had cut in half the number of people using one of Avenue
    Media’s programs. The suit settled without money changing hands,
    according to an attorney for Avenue Media, which is based in Curaçao.
    “This is ad warfare,” explains former Direct Revenue product manager
    Reza Khan. “Only the toughest and stickiest codes survive.”In light of
    the Dark Arts stratagems, Direct Revenue management in early 2004
    procured from its lawyers a modified user agreement that would
    supposedly be shown to PC owners. Within the densely written seven-page
    document was a declaration that Direct Revenue “could remove, disable,
    or render inoperative other adware programs resident on your computer,
    which, in turn, may…have other adverse impacts on your
    computer.”Abram presented the new agreement to his troops with an
    impudence befitting the Dark Arts crew. “It’s a lawyer-approved license
    to kill,” the CEO said in a February, 2004, e-mail. He urged some
    restraint because at the time potential investors were examining the
    company: “I would think twice about going too aggressively on the
    offense during [due] diligence.” But he added: “Obviously, if we find
    someone is slaughtering us in the interim, we should not wait to
    counter.”"It was like a big game of Dungeons & Dragons,” a current
    Direct Revenue manager says, and it was becoming lucrative. An ad
    software shop generally charges advertisers up to a penny a day for
    each computer that showcases its ads. A company with access to 10
    million computers can make about $100,000 a day. With its “install
    base” soaring to more than 20 million computers by late 2004, Direct
    Revenue’s annual sales rose 450%, to $39 million. Its four founders
    took home a combined $23 million, with Abram enjoying the biggest
    share: $8.1 million.This cash geyser drew investors’ attention. Insight
    Venture Partners, which has among its advisers Robert E. Rubin, former
    Treasury Secretary and now chairman of the executive committee at
    Citigroup (C ), poured in $27 million, court filings show. Andrew J.
    Levander, a lawyer for Insight, says the firm’s pre- investment due
    diligence “did not raise any issues concerning the lawfulness of Direct
    Revenue’s disclosure and distribution practices.” Rubin wasn’t involved
    with the investment, Levander says. When Insight learns of complaints,
    he adds, it works with the company to address them.Complaints were
    certainly not in short supply. “You have 24 hours to provide me with a
    removal tool for your piece of crap spyware program,” Joe LoMoglio
    e-mailed the company in September, 2004. “Your pop-up ads popped up a
    few porn sites while my 6- and 9-year-old children were using the
    computer.” Reached by e-mail, LoMoglio says the company “refused to
    respond.”As Direct Revenue surged in late 2004, its hyperactive sales
    force profited as well. Several top performers took home more than
    $300,000 apiece that year, current and former employees say, and a
    celebratory mood enveloped the fourth-floor ad-sales department. On
    Friday afternoons, employees opened bottles of beer, and Paul Nute, a
    top sales executive, occasionally blasted the pop song Everybody’s
    Working for the Weekend.Nute had a trademark line for corporate sales
    pitches, according to current and former sales employees. “It’s like
    crack,” he would say. “Once you try it, you’ll keep coming back for
    more.” Nute declined to comment.By early 2005, Direct Revenue had
    notched deals with JPMorgan Chase, Delta, and the Internet phone
    company Vonage, according to former sales staffers and Direct Revenue
    documents. Cingular Wireless spent more than $100,000 a month at the
    peak of its relationship with Direct Revenue, current and former
    employees say. Direct Revenue put Cingular pop-ups in front of other
    phone companies’ Web sites and news sites such as the one affiliated
    with tech magazine Wired. Vonage, meanwhile, was billed $110 for each
    customer that Direct Revenue delivered, according to a sales report
    from July, 2005. For that month, Direct Revenue billed Vonage for 287
    new customers, or $31,570.JPMorgan Chase confirms that it advertised
    with a Direct Revenue unit through the middle of last year, but says it
    was unaware of any spyware activity. Delta and Cingular declined to
    comment. Vonage didn’t respond to inquiries.
    NO MORE MR. NICE GUY
    By
    mid-2005, Direct Revenue had grown to more than 100 employees, and its
    practices were drawing public notice. Bloggers, invoking the right to
    be free of uninvited ads, singled out Direct Revenue. Benjamin Edelman,
    a prominent Internet consultant and spyware foe in Cambridge, Mass.,
    tried to shame advertisers away from Direct Revenue by displaying on
    his site the names of companies that appeared in Direct Revenue
    pop-ups. Jules Neuringer, owner of Portronix, a Brooklyn (N.Y.)
    computer-service firm, says that during this period about a dozen of
    his small-business clients complained about Direct Revenue spyware. Of
    these, he says he “was never able to bring an infected computer back to
    pristine operating condition.”Direct Revenue insiders knew they were
    alienating consumers and even made tentative moves to clean up their
    act, court filings show. But when the result was fewer people getting
    stuck with its software, Direct Revenue pulled back from reforms.In
    early 2005 the company was bundling its products with a file-sharing
    program called Morpheus, which users could download onto their
    computers. Morpheus required that Direct Revenue make its software easy
    to spot in a computer’s “Add/Remove” panel, which is the registry where
    a user can find most legitimate software and delete it. Direct Revenue
    agreed at first but after a few months noticed that thousands of new
    users it gained via Morpheus were quickly deleting the ad software.
    Kaufman, a co-founder of Direct Revenue, sent an e-mail to colleagues
    in February, 2005, saying the company should drop the Mr. Nice Guy
    routine. “We need to experiment with less user-friendly uninstall
    methodologies,” he wrote. The distribution agreement with Morpheus
    ended within three months.
    MASS PARALYSIS
    The
    same ambivalence was evident in April, 2005, when Direct Revenue
    released a concoction known as Aurora. The program clearly labeled ads
    as coming from the company, a gesture designed to build credibility.
    But Aurora had powerful features that fought off competing spyware and
    security programs. The company also raised the number of pop-ups it
    sent users to as many as 30 a day.Disaster ensued, as Aurora paralyzed
    thousands of computers. Matt Oettinger, who ran media operations at
    Fastclick (VCLK ), an advertising network that bought ads from Direct
    Revenue, found his home PC afflicted by Aurora, e-mails in court
    filings show. In June he ordered all Fastclick ads disentangled from
    Aurora. Branko Krmpotic, the managing director of Technology Investment
    Capital Corp. (TICC) (TICC ), which had invested $6.7 million in Direct
    Revenue, also caught the Aurora bug and couldn’t kill it, according to
    e-mails. Eventually, Direct Revenue had to send its customer support
    director to fix Krmpotic’s machine. After receiving complaints about
    Aurora, Insight Venture, another major investor, told the company to
    remove Insight’s name from the Direct Revenue Web site. Fastclick
    declined to comment; Krmpotic didn’t return calls.Even Aurora’s
    creators fell victim as the program froze computers at Direct Revenue.
    One sales staffer, Judit Major, documented receiving more than 30
    pop-up ads in one day, according to e-mails. Her computer crashed four
    times. “We are serving WAY TOO MANY pops per hour,” wrote Chief
    Technology Officer Daniel Doman in a June e-mail to the company’s
    brass. “If we overdo it, we will really drive users to get us the hell
    [off] their machine. We need to BACK OFF or we will kill our base.”By
    then consumer complaints were pouring in to Attorney General Spitzer’s
    office. He filed suit in April, after his staff had hauled away 150
    boxes of the company’s e-mails. Spitzer alleges that he found numerous
    examples of Direct Revenue spyware downloaded with misleading user
    agreements or no disclosure at all. In many cases, the download was
    performed by a distributor on behalf of Direct Revenue, but company
    executives repeatedly conceded in e-mail that users were in the dark
    about how its programs got into their computers. This, Spitzer argues,
    amounts to illegal deception.
    PERSISTENT HEADACHES
    A
    Direct Revenue spokesman, Michael Spinney, says the company is
    “mystified” by Spitzer’s allegations. It cleansed its practices more
    than nine months ago, Spinney says, and now puts its name on all its
    pop-up ads. It also now makes its software available for deletion in a
    computer’s Add/Remove Programs registry and has limited its use of
    distributors. Before these changes, Spinney asserts, Direct Revenue
    employed practices common in its industry. He wouldn’t comment on
    Spitzer’s individual allegations.The anti-spyware activists and
    computer security firms confirm that Direct Revenue has dropped its
    most destructive programs, such as Aurora. But they emphasize that the
    company continues to cause serious headaches. Tokyo’s Trend Micro Inc.
    (TMIC ) offers an online service that scans customers’ troubled
    computers. In April it identified Direct Revenue’s spyware as the
    culprit in 9,400 computer scans. That’s down from 14,000 in January,
    but it represents a substantial level of annoyance. “Direct Revenue is
    still on everyone’s top 10″ of reviled spyware companies, says Anthony
    Arrott, Trend Micro’s spyware research manager.Deborah Maradei-Ugel, a
    loan officer in Santa Clarita, Calif., says she receives more than 20
    pop-ups a day on her home computer as a result of Direct Revenue
    spyware. She complained to the company, but removal instructions it
    sent her are impossible to follow, she says. Her machine frequently
    stalls and requires restarting. “You hit your computer,” she fumes,
    “but it doesn’t help.”The way Direct Revenue describes its software
    during the download process remains vague and misleading, Edelman and
    other critics say. The company now bundles ad programs with Kazaa, an
    online service offering music and other digital content. Kazaa gives
    users a choice between a $30 version of its program and a free version
    labeled “ad supported.” But few ordinary consumers would understand
    that ad-supported means they get separate software from Direct Revenue
    that will monitor them online and serve a steady stream of pop-ups,
    Edelman says. Kazaa declined to comment.Direct Revenue has lost
    business and reduced its headcount to a couple dozen employees. The
    four founders still own 55% of the company, according to Spitzer’s
    filing, and Abram is still seen around the office in his sharp suits.
    But he no longer serves as CEO. Sales gurus Stein and Nute have moved
    on to another Internet venture. Many major companies, such as Cingular
    and Yahoo, have severed connections with Direct Revenue. But the ads of
    others, including Vonage, continue to appear in Direct Revenue pop-ups.
    Insight and TICC remain investorsAmong Direct Revenue’s alumni, pride
    over technical cunning mingles with regret for exasperating so many
    computer users. After waffling on the issue during a long interview,
    one former Dark Arts wizard sighs and sums up his version of the
    company credo with an elegiac observation by abolitionist Frederick
    Douglass: “Find out just what any people will quietly submit to and you
    have found out the exact measure of injustice and wrong which will be
    imposed upon them.”