THE PLOT TO HIJACK YOUR COMPUTER

[Anonymous]

The Plot To Hijack Your Computer
They
watch you surf the Web. They plague you with pop-up ads. Then they
cripple your hard driveConsumers have strong opinions about Direct
Revenue’s software. “If I ever meet anyone from your company, I will
kill you,” a person who identified himself as James Chang said in an
e-mail to Direct Revenue last summer. “I will f—— kill you and your
families.” Such sentiments aren’t unusual. “You people are EVIL
personified,” Kevin Horton wrote around the same time. “I would like
the four hours of my life back I have wasted trying to get your stupid
uninvited software off my now crippled system.”Sifting through a stack
of customer complaints in June, 2005, a Direct Revenue employee decided
to tally the most frequently used words of aggression: “die” (103
times), “f——” (44), and “kill” (15). Douglas Kee, then Direct
Revenue’s chief of quality assurance (QA), ribbed colleagues in an
e-mail that with all the death threats, it was a “good thing QA sits
farthest away from the entrance.”According to angry consumers and the
New York State Attorney General, Direct Revenue makes “spyware.” These
programs track where you go on the Internet and clutter your screen
with annoying pop-up advertisements for everything from pornography to
wireless phone plans. Spyware can get stuck in your computer’s hard
drive as you shop, chat, or download a song. It might arrive attached
to that clever video you just nabbed at no charge. Web security company
McAfee Inc. (MFE ) estimates that nearly three-quarters of all sites
listed in response to Internet searches for popular phrases like “free
screen savers” or “digital music” attempt to install some form of
advertising software in visitors’ computers. Once lodged there, spyware
can sap a PC’s processing power, slow its functioning, and even cause
it to crash.This explains the vitriol aimed at Direct Revenue. The
company, located in a loft above a clothing boutique in New York’s hip
SoHo district, has been a pioneer in a seamy corner of the booming Net
advertising industry. Although it is small by some corporate standards,
having generated sales of about $100 million since its start in 2002,
its programs have burrowed into nearly 100 million computers and
produced billions of pop-up ads.Direct Revenue’s swift rise illustrates
the intertwining of spyware and mainstream online marketing. The Web is
the hottest game in advertising, but what’s rarely acknowledged is the
extent to which unsavory pop-ups boost the returns. Here’s how it often
works: Sellers of advertising, ranging from giant Yahoo! Inc. (YHOO )
to much smaller networks, recruit clients, tally the clicks their ads
generate, and charge accordingly. But then Yahoo and the other
advertising companies sign up partners that distribute the ads beyond
their own sites in return for a fee, and those partners sign up other
partners. Down the line, a big piece of the business winds up in the
hands of outfits like Direct Revenue, which disseminate the ads as
pop-ups and share revenue with their more mainstream partners. Some
advertisers say their messages have appeared in pop-ups without their
permission. Others seek out pop-ups, and Direct Revenue frequently
sells ads directly to such advertisers.Spyware rakes in an estimated $2
billion a year in revenue, or about 11% of all Internet ad business,
says the research firm IT-Harvest. Direct Revenue’s direct customers
have included such giants as Delta Air Lines (DALRQ ) and Cingular
Wireless. It has sold millions of dollars of advertising passed along
by Yahoo. And Direct Revenue has received venture capital from the
likes of Insight Venture Partners, a respected New York investment firm.
SPREADING STRATEGY
Many
of those impressive ties have frayed or ripped apart recently as Direct
Revenue has struggled to fend off a lawsuit filed in April by New York
Attorney General Eliot Spitzer. The state court action alleges that
Direct Revenue crossed a legal line by installing advertising programs
in millions of computers without users’ consent. Shining a light on the
shadowy spyware trade, the suit asserts that the company violated New
York civil laws against false advertising, computer tampering, and
trespassing.This article is based in part on more than 1,000 pages of
Direct Revenue’s internal e-mail and other documents included in court
filings. BusinessWeek has reviewed additional documents and interviewed
dozens of industry insiders, including 12 current and former Direct
Revenue employees and executives.The company denies any wrongdoing. In
a filing in June, it calls the Spitzer suit “much ado about nothing”
and defends its past practices as “commonplace” in the industry. It
calls its programs “adware” and says it has notified consumers when
putting the programs on their computers. It insists that some of the
methods Spitzer assails “were long ago changed.” And it argues that by
accepting its ads, consumers get popular software applications free of
charge that otherwise can cost up to $30 apiece.In the wake of the
litigation, Direct Revenue has shrunk in size, but it remains an
important player on the spyware scene. Thousands of people still
complain each month to Web security firms about new computer infections
caused by Direct Revenue programs (although many users are baffled
about what’s causing the maladies). And a new generation of spyware
purveyors of equal or greater potency is imitating Direct Revenue’s
strategies, infuriating customers, and threatening to taint the larger
business of online advertising. Chances are you have some of their
handiwork hidden within your hard drive right now.
SPAM KING
Direct
Revenue’s origins trace the rise of what might politely be called one
of the more freewheeling sectors of Internet commerce. The company’s
sales philosophy, according to current and former employees, was
heavily shaped by Jesse Stein, a Wharton School-educated marketer whose
successes before joining the company included selling VigRX, an herbal
penile-enlargement supplement. VigRX may sound familiar because, to win
customers, Stein inundated e-mail in-boxes with spam promoting the
product. In 2003, when the ABC News (DIS ) 20/20 program identified
what it said were the biggest online spammers, it featured VigRX and
showed one of Stein’s e-mails. He reveled in the notoriety. On his desk
at Direct Revenue, Stein, now 36, kept a framed 20/20 screen shot of
his VigRX spam, former colleagues say.His eventual boss, Joshua Abram,
came to online hawking from a different angle. His family has a rich
history of public service. Abram’s late father, Morris, was a civil
rights activist in the 1960s who later served as president of Brandeis
University and U.S. ambassador to the U.N. under President George H.W.
Bush. Joshua’s sister, Ruth, heads the Lower East Side Tenement Museum
in New York.In 1999 Joshua Abram helped start Dash.com, a benign
precursor to later spyware operations. Dash attached an unobtrusive
horizontal bar to the bottom of a computer user’s Web browser. As the
user moved around the Internet, Dash would note the sites being visited
and offer relevant text ads inside the narrow bar. Dash went out of its
way to ask users’ permission to install the ad bar, and the company
even shared its fees with consumers who made purchases. But Dash’s
tactful text ads drew relatively few clicks, and its fee-sharing became
an administrative nightmare. As the Internet market imploded in 2001,
Dash folded.Abram, known for wearing stylish suits amid a sea of techie
grunge, kept developing ad software with several colleagues. They
joined a broad post-bust move toward treating customers with less
respect. One of the new spyware variants he helped create was called
VX2, which a former colleague and computer security professionals
believe was named after the deadly, undetectable VX nerve agent. In
2002, Abram, a father of two and husband of a fashion-industry
executive, started Direct Revenue. His co-founders were fellow Dash
alumnus Daniel Kaufman and a pair of data-mining entrepreneurs from a
company called Pipe9, Alan Murray and Rodney Hook. The next year,
Direct Revenue did business with and then acquired Stein’s online ad
agency, forming a spyware powerhouse. Stein declined to comment. The
four founders didn’t respond to numerous inquiries.By early 2004,
Direct Revenue, with Abram as CEO, had settled into its SoHo loft,
employing two dozen programmers and salespeople. Current and former
staff members say the place had an informal, often cynical atmosphere.
The unsophisticated computer users subjected to Direct Revenue’s ads
had a nickname among some staffers: “trailer cash.”Knowledgeable
consumers can reduce the risk of spyware infection by using widely
available security software and steering clear of free online goodies.
Direct Revenue and its rivals — companies with such names as eXact
Advertising and Zango — say they employ “user agreements” that notify
individuals when they are about to download their software. But the
agreements typically can be found only by clicking on links deep within
separate legal agreements related to the online freebies. The documents
tend to be lengthy and opaque. Large numbers of Internet users who lack
adequate security software and fail to read the legalese make
themselves vulnerable.
SPY VS. SPY
Once
embedded in your hard drive, spyware communicates via the Internet with
the company that produced it. The company’s computer keeps track of
your online meanderings and sends you pop-up ads relevant to the sites
you visit. The travel-booking sites Travelocity (TSG ) and
Priceline.com (PCLN ) have both been direct customers of Direct
Revenue. People who picked up Direct Revenue spyware and then perused
flights on Travelocity might find their screens obstructed by a pop-up
for Priceline, or vice-versa. The travel sites say they stopped doing
business with the company earlier this year.Direct Revenue and other ad
software creators struggle to balance an impulse to pump out waves of
profitable pop-ups against the danger of enraging consumers who lose
control of their computers. “Most of these companies can’t overcome
their desire to make the most money right away,” says Sam Curry,
vice-president for product management at Computer Associates
International Inc. in Islandia, N.Y. (CA )From early on, a small group
of programmers at Direct Revenue focused on how to protect their
employer’s programs once they were lodged in a computer, current and
former employees say. The team called itself Dark Arts after the term
for evil magic in the Harry Potter series. One of the biggest threats
Dark Arts addressed came from competing software. The presence of
multiple spyware programs can so cripple a computer that no ads manage
to get seen.Dark Arts crafted software “torpedoes” that blasted rival
spyware off computers’ hard drives. Competitors aimed similar weapons
back at Direct Revenue’s software, but few could match the wizardry of
Dark Arts. One adversary, Avenue Media, filed suit in federal court in
Seattle in 2004, alleging that in a matter of days, Direct Revenue
torpedoes had cut in half the number of people using one of Avenue
Media’s programs. The suit settled without money changing hands,
according to an attorney for Avenue Media, which is based in Curaçao.
“This is ad warfare,” explains former Direct Revenue product manager
Reza Khan. “Only the toughest and stickiest codes survive.”In light of
the Dark Arts stratagems, Direct Revenue management in early 2004
procured from its lawyers a modified user agreement that would
supposedly be shown to PC owners. Within the densely written seven-page
document was a declaration that Direct Revenue “could remove, disable,
or render inoperative other adware programs resident on your computer,
which, in turn, may…have other adverse impacts on your
computer.”Abram presented the new agreement to his troops with an
impudence befitting the Dark Arts crew. “It’s a lawyer-approved license
to kill,” the CEO said in a February, 2004, e-mail. He urged some
restraint because at the time potential investors were examining the
company: “I would think twice about going too aggressively on the
offense during [due] diligence.” But he added: “Obviously, if we find
someone is slaughtering us in the interim, we should not wait to
counter.””It was like a big game of Dungeons & Dragons,” a current
Direct Revenue manager says, and it was becoming lucrative. An ad
software shop generally charges advertisers up to a penny a day for
each computer that showcases its ads. A company with access to 10
million computers can make about $100,000 a day. With its “install
base” soaring to more than 20 million computers by late 2004, Direct
Revenue’s annual sales rose 450%, to $39 million. Its four founders
took home a combined $23 million, with Abram enjoying the biggest
share: $8.1 million.This cash geyser drew investors’ attention. Insight
Venture Partners, which has among its advisers Robert E. Rubin, former
Treasury Secretary and now chairman of the executive committee at
Citigroup (C ), poured in $27 million, court filings show. Andrew J.
Levander, a lawyer for Insight, says the firm’s pre- investment due
diligence “did not raise any issues concerning the lawfulness of Direct
Revenue’s disclosure and distribution practices.” Rubin wasn’t involved
with the investment, Levander says. When Insight learns of complaints,
he adds, it works with the company to address them.Complaints were
certainly not in short supply. “You have 24 hours to provide me with a
removal tool for your piece of crap spyware program,” Joe LoMoglio
e-mailed the company in September, 2004. “Your pop-up ads popped up a
few porn sites while my 6- and 9-year-old children were using the
computer.” Reached by e-mail, LoMoglio says the company “refused to
respond.”As Direct Revenue surged in late 2004, its hyperactive sales
force profited as well. Several top performers took home more than
$300,000 apiece that year, current and former employees say, and a
celebratory mood enveloped the fourth-floor ad-sales department. On
Friday afternoons, employees opened bottles of beer, and Paul Nute, a
top sales executive, occasionally blasted the pop song Everybody’s
Working for the Weekend.Nute had a trademark line for corporate sales
pitches, according to current and former sales employees. “It’s like
crack,” he would say. “Once you try it, you’ll keep coming back for
more.” Nute declined to comment.By early 2005, Direct Revenue had
notched deals with JPMorgan Chase, Delta, and the Internet phone
company Vonage, according to former sales staffers and Direct Revenue
documents. Cingular Wireless spent more than $100,000 a month at the
peak of its relationship with Direct Revenue, current and former
employees say. Direct Revenue put Cingular pop-ups in front of other
phone companies’ Web sites and news sites such as the one affiliated
with tech magazine Wired. Vonage, meanwhile, was billed $110 for each
customer that Direct Revenue delivered, according to a sales report
from July, 2005. For that month, Direct Revenue billed Vonage for 287
new customers, or $31,570.JPMorgan Chase confirms that it advertised
with a Direct Revenue unit through the middle of last year, but says it
was unaware of any spyware activity. Delta and Cingular declined to
comment. Vonage didn’t respond to inquiries.
NO MORE MR. NICE GUY
By
mid-2005, Direct Revenue had grown to more than 100 employees, and its
practices were drawing public notice. Bloggers, invoking the right to
be free of uninvited ads, singled out Direct Revenue. Benjamin Edelman,
a prominent Internet consultant and spyware foe in Cambridge, Mass.,
tried to shame advertisers away from Direct Revenue by displaying on
his site the names of companies that appeared in Direct Revenue
pop-ups. Jules Neuringer, owner of Portronix, a Brooklyn (N.Y.)
computer-service firm, says that during this period about a dozen of
his small-business clients complained about Direct Revenue spyware. Of
these, he says he “was never able to bring an infected computer back to
pristine operating condition.”Direct Revenue insiders knew they were
alienating consumers and even made tentative moves to clean up their
act, court filings show. But when the result was fewer people getting
stuck with its software, Direct Revenue pulled back from reforms.In
early 2005 the company was bundling its products with a file-sharing
program called Morpheus, which users could download onto their
computers. Morpheus required that Direct Revenue make its software easy
to spot in a computer’s “Add/Remove” panel, which is the registry where
a user can find most legitimate software and delete it. Direct Revenue
agreed at first but after a few months noticed that thousands of new
users it gained via Morpheus were quickly deleting the ad software.
Kaufman, a co-founder of Direct Revenue, sent an e-mail to colleagues
in February, 2005, saying the company should drop the Mr. Nice Guy
routine. “We need to experiment with less user-friendly uninstall
methodologies,” he wrote. The distribution agreement with Morpheus
ended within three months.
MASS PARALYSIS
The
same ambivalence was evident in April, 2005, when Direct Revenue
released a concoction known as Aurora. The program clearly labeled ads
as coming from the company, a gesture designed to build credibility.
But Aurora had powerful features that fought off competing spyware and
security programs. The company also raised the number of pop-ups it
sent users to as many as 30 a day.Disaster ensued, as Aurora paralyzed
thousands of computers. Matt Oettinger, who ran media operations at
Fastclick (VCLK ), an advertising network that bought ads from Direct
Revenue, found his home PC afflicted by Aurora, e-mails in court
filings show. In June he ordered all Fastclick ads disentangled from
Aurora. Branko Krmpotic, the managing director of Technology Investment
Capital Corp. (TICC) (TICC ), which had invested $6.7 million in Direct
Revenue, also caught the Aurora bug and couldn’t kill it, according to
e-mails. Eventually, Direct Revenue had to send its customer support
director to fix Krmpotic’s machine. After receiving complaints about
Aurora, Insight Venture, another major investor, told the company to
remove Insight’s name from the Direct Revenue Web site. Fastclick
declined to comment; Krmpotic didn’t return calls.Even Aurora’s
creators fell victim as the program froze computers at Direct Revenue.
One sales staffer, Judit Major, documented receiving more than 30
pop-up ads in one day, according to e-mails. Her computer crashed four
times. “We are serving WAY TOO MANY pops per hour,” wrote Chief
Technology Officer Daniel Doman in a June e-mail to the company’s
brass. “If we overdo it, we will really drive users to get us the hell
[off] their machine. We need to BACK OFF or we will kill our base.”By
then consumer complaints were pouring in to Attorney General Spitzer’s
office. He filed suit in April, after his staff had hauled away 150
boxes of the company’s e-mails. Spitzer alleges that he found numerous
examples of Direct Revenue spyware downloaded with misleading user
agreements or no disclosure at all. In many cases, the download was
performed by a distributor on behalf of Direct Revenue, but company
executives repeatedly conceded in e-mail that users were in the dark
about how its programs got into their computers. This, Spitzer argues,
amounts to illegal deception.
PERSISTENT HEADACHES
A
Direct Revenue spokesman, Michael Spinney, says the company is
“mystified” by Spitzer’s allegations. It cleansed its practices more
than nine months ago, Spinney says, and now puts its name on all its
pop-up ads. It also now makes its software available for deletion in a
computer’s Add/Remove Programs registry and has limited its use of
distributors. Before these changes, Spinney asserts, Direct Revenue
employed practices common in its industry. He wouldn’t comment on
Spitzer’s individual allegations.The anti-spyware activists and
computer security firms confirm that Direct Revenue has dropped its
most destructive programs, such as Aurora. But they emphasize that the
company continues to cause serious headaches. Tokyo’s Trend Micro Inc.
(TMIC ) offers an online service that scans customers’ troubled
computers. In April it identified Direct Revenue’s spyware as the
culprit in 9,400 computer scans. That’s down from 14,000 in January,
but it represents a substantial level of annoyance. “Direct Revenue is
still on everyone’s top 10” of reviled spyware companies, says Anthony
Arrott, Trend Micro’s spyware research manager.Deborah Maradei-Ugel, a
loan officer in Santa Clarita, Calif., says she receives more than 20
pop-ups a day on her home computer as a result of Direct Revenue
spyware. She complained to the company, but removal instructions it
sent her are impossible to follow, she says. Her machine frequently
stalls and requires restarting. “You hit your computer,” she fumes,
“but it doesn’t help.”The way Direct Revenue describes its software
during the download process remains vague and misleading, Edelman and
other critics say. The company now bundles ad programs with Kazaa, an
online service offering music and other digital content. Kazaa gives
users a choice between a $30 version of its program and a free version
labeled “ad supported.” But few ordinary consumers would understand
that ad-supported means they get separate software from Direct Revenue
that will monitor them online and serve a steady stream of pop-ups,
Edelman says. Kazaa declined to comment.Direct Revenue has lost
business and reduced its headcount to a couple dozen employees. The
four founders still own 55% of the company, according to Spitzer’s
filing, and Abram is still seen around the office in his sharp suits.
But he no longer serves as CEO. Sales gurus Stein and Nute have moved
on to another Internet venture. Many major companies, such as Cingular
and Yahoo, have severed connections with Direct Revenue. But the ads of
others, including Vonage, continue to appear in Direct Revenue pop-ups.
Insight and TICC remain investorsAmong Direct Revenue’s alumni, pride
over technical cunning mingles with regret for exasperating so many
computer users. After waffling on the issue during a long interview,
one former Dark Arts wizard sighs and sums up his version of the
company credo with an elegiac observation by abolitionist Frederick
Douglass: “Find out just what any people will quietly submit to and you
have found out the exact measure of injustice and wrong which will be
imposed upon them.”

[Author]

July 10, 2006 at 10:36 AM