Text 12019, 371 rader
Skriven 2006-07-09 09:54:36 av /m (1:379/45)
Ärende: The Plot To Hijack Your Computer
========================================
From: /m <mike@barkto.com>
http://www.businessweek.com/magazine/content/06_29/b3993001.htm
===
Consumers have strong opinions about Direct Revenue's software. "If I ever meet
anyone from your company, I will kill you," a person who identified himself as
James Chang said in an e-mail to Direct Revenue last summer. "I will f------
kill you and your families." Such sentiments aren't unusual. "You people are
EVIL personified," Kevin Horton wrote around the same time. "I would like the
four hours of my life back I have wasted trying to get your stupid uninvited
software off my now crippled system."
Sifting through a stack of customer complaints in June, 2005, a Direct Revenue
employee decided to tally the most frequently used words of aggression: "die"
(103 times), "f------" (44), and "kill" (15). Douglas Kee, then Direct
Revenue's chief of quality assurance (QA), ribbed colleagues in an e-mail that
with all the death threats, it was a "good thing QA sits farthest away from the
entrance."
According to angry consumers and the New York State Attorney General, Direct
Revenue makes "spyware." These programs track where you go on the Internet and
clutter your screen with annoying pop-up advertisements for everything from
pornography to wireless phone plans. Spyware can get stuck in your computer's
hard drive as you shop, chat, or download a song. It might arrive attached to
that clever video you just nabbed at no charge. Web security company McAfee
Inc. (MFE ) estimates that nearly three-quarters of all sites listed in
response to Internet searches for popular phrases like "free screen savers" or
"digital music" attempt to install some form of advertising software in
visitors' computers. Once lodged there, spyware can sap a PC's processing
power, slow its functioning, and even cause it to crash.
This explains the vitriol aimed at Direct Revenue. The company, located in a
loft above a clothing boutique in New York's hip SoHo district, has been a
pioneer in a seamy corner of the booming Net advertising industry. Although it
is small by some corporate standards, having generated sales of about $100
million since its start in 2002, its programs have burrowed into nearly 100
million computers and produced billions of pop-up ads.
Direct Revenue's swift rise illustrates the intertwining of spyware and
mainstream online marketing. The Web is the hottest game in advertising, but
what's rarely acknowledged is the extent to which unsavory pop-ups boost the
returns. Here's how it often works: Sellers of advertising, ranging from giant
Yahoo! Inc. (YHOO ) to much smaller networks, recruit clients, tally the clicks
their ads generate, and charge accordingly. But then Yahoo and the other
advertising companies sign up partners that distribute the ads beyond their own
sites in return for a fee, and those partners sign up other partners. Down the
line, a big piece of the business winds up in the hands of outfits like Direct
Revenue, which disseminate the ads as pop-ups and share revenue with their more
mainstream partners. Some advertisers say their messages have appeared in
pop-ups without their permission. Others seek out pop-ups, and Direct Revenue
frequently sells ads directly to such advertisers.
Spyware rakes in an estimated $2 billion a year in revenue, or about 11% of all
Internet ad business, says the research firm IT-Harvest. Direct Revenue's
direct customers have included such giants as Delta Air Lines (DALRQ ) and
Cingular Wireless. It has sold millions of dollars of advertising passed along
by Yahoo. And Direct Revenue has received venture capital from the likes of
Insight Venture Partners, a respected New York investment firm.
SPREADING STRATEGY
Many of those impressive ties have frayed or ripped apart recently as Direct
Revenue has struggled to fend off a lawsuit filed in April by New York Attorney
General Eliot Spitzer. The state court action alleges that Direct Revenue
crossed a legal line by installing advertising programs in millions of
computers without users' consent. Shining a light on the shadowy spyware trade,
the suit asserts that the company violated New York civil laws against false
advertising, computer tampering, and trespassing.
This article is based in part on more than 1,000 pages of Direct Revenue's
internal e-mail and other documents included in court filings. BusinessWeek has
reviewed additional documents and interviewed dozens of industry insiders,
including 12 current and former Direct Revenue employees and executives.
The company denies any wrongdoing. In a filing in June, it calls the Spitzer
suit "much ado about nothing" and defends its past practices as "commonplace"
in the industry. It calls its programs "adware" and says it has notified
consumers when putting the programs on their computers. It insists that some of
the methods Spitzer assails "were long ago changed." And it argues that by
accepting its ads, consumers get popular software applications free of charge
that otherwise can cost up to $30 apiece.
In the wake of the litigation, Direct Revenue has shrunk in size, but it
remains an important player on the spyware scene. Thousands of people still
complain each month to Web security firms about new computer infections caused
by Direct Revenue programs (although many users are baffled about what's
causing the maladies). And a new generation of spyware purveyors of equal or
greater potency is imitating Direct Revenue's strategies, infuriating
customers, and threatening to taint the larger business of online advertising.
Chances are you have some of their handiwork hidden within your hard drive
right now.
SPAM KING
Direct Revenue's origins trace the rise of what might politely be called one of
the more freewheeling sectors of Internet commerce. The company's sales
philosophy, according to current and former employees, was heavily shaped by
Jesse Stein, a Wharton School-educated marketer whose successes before joining
the company included selling VigRX, an herbal penile-enlargement supplement.
VigRX may sound familiar because, to win customers, Stein inundated e-mail
in-boxes with spam promoting the product. In 2003, when the ABC News (DIS )
20/20 program identified what it said were the biggest online spammers, it
featured VigRX and showed one of Stein's e-mails. He reveled in the notoriety.
On his desk at Direct Revenue, Stein, now 36, kept a framed 20/20 screen shot
of his VigRX spam, former colleagues say.
His eventual boss, Joshua Abram, came to online hawking from a different angle.
His family has a rich history of public service. Abram's late father, Morris,
was a civil rights activist in the 1960s who later served as president of
Brandeis University and U.S. ambassador to the U.N. under President George H.W.
Bush. Joshua's sister, Ruth, heads the Lower East Side Tenement Museum in New
York.
In 1999 Joshua Abram helped start Dash.com, a benign precursor to later spyware
operations. Dash attached an unobtrusive horizontal bar to the bottom of a
computer user's Web browser. As the user moved around the Internet, Dash would
note the sites being visited and offer relevant text ads inside the narrow bar.
Dash went out of its way to ask users' permission to install the ad bar, and
the company even shared its fees with consumers who made purchases. But Dash's
tactful text ads drew relatively few clicks, and its fee-sharing became an
administrative nightmare. As the Internet market imploded in 2001, Dash folded.
Abram, known for wearing stylish suits amid a sea of techie grunge, kept
developing ad software with several colleagues. They joined a broad post-bust
move toward treating customers with less respect. One of the new spyware
variants he helped create was called VX2, which a former colleague and computer
security professionals believe was named after the deadly, undetectable VX
nerve agent. In 2002, Abram, a father of two and husband of a fashion-industry
executive, started Direct Revenue. His co-founders were fellow Dash alumnus
Daniel Kaufman and a pair of data-mining entrepreneurs from a company called
Pipe9, Alan Murray and Rodney Hook. The next year, Direct Revenue did business
with and then acquired Stein's online ad agency, forming a spyware powerhouse.
Stein declined to comment. The four founders didn't respond to numerous
inquiries.
By early 2004, Direct Revenue, with Abram as CEO, had settled into its SoHo
loft, employing two dozen programmers and salespeople. Current and former staff
members say the place had an informal, often cynical atmosphere. The
unsophisticated computer users subjected to Direct Revenue's ads had a nickname
among some staffers: "trailer cash."
Knowledgeable consumers can reduce the risk of spyware infection by using
widely available security software and steering clear of free online goodies.
Direct Revenue and its rivals -- companies with such names as eXact Advertising
and Zango -- say they employ "user agreements" that notify individuals when
they are about to download their software. But the agreements typically can be
found only by clicking on links deep within separate legal agreements related
to the online freebies. The documents tend to be lengthy and opaque. Large
numbers of Internet users who lack adequate security software and fail to read
the legalese make themselves vulnerable.
SPY VS. SPY
Once embedded in your hard drive, spyware communicates via the Internet with
the company that produced it. The company's computer keeps track of your online
meanderings and sends you pop-up ads relevant to the sites you visit. The
travel-booking sites Travelocity (TSG ) and Priceline.com (PCLN ) have both
been direct customers of Direct Revenue. People who picked up Direct Revenue
spyware and then perused flights on Travelocity might find their screens
obstructed by a pop-up for Priceline, or vice-versa. The travel sites say they
stopped doing business with the company earlier this year.
Direct Revenue and other ad software creators struggle to balance an impulse to
pump out waves of profitable pop-ups against the danger of enraging consumers
who lose control of their computers. "Most of these companies can't overcome
their desire to make the most money right away," says Sam Curry, vice-president
for product management at Computer Associates International Inc. in Islandia,
N.Y. (CA )
From early on, a small group of programmers at Direct Revenue focused on how to
protect their employer's programs once they were lodged in a computer, current
and former employees say. The team called itself Dark Arts after the term for
evil magic in the Harry Potter series. One of the biggest threats Dark Arts
addressed came from competing software. The presence of multiple spyware
programs can so cripple a computer that no ads manage to get seen.
Dark Arts crafted software "torpedoes" that blasted rival spyware off
computers' hard drives. Competitors aimed similar weapons back at Direct
Revenue's software, but few could match the wizardry of Dark Arts. One
adversary, Avenue Media, filed suit in federal court in Seattle in 2004,
alleging that in a matter of days, Direct Revenue torpedoes had cut in half the
number of people using one of Avenue Media's programs. The suit settled without
money changing hands, according to an attorney for Avenue Media, which is based
in Cura‡ao. "This is ad warfare," explains former Direct Revenue product
manager Reza Khan. "Only the toughest and stickiest codes survive."
In light of the Dark Arts stratagems, Direct Revenue management in early 2004
procured from its lawyers a modified user agreement that would supposedly be
shown to PC owners. Within the densely written seven-page document was a
declaration that Direct Revenue "could remove, disable, or render inoperative
other adware programs resident on your computer, which, in turn, may...have
other adverse impacts on your computer."
Abram presented the new agreement to his troops with an impudence befitting the
Dark Arts crew. "It's a lawyer-approved license to kill," the CEO said in a
February, 2004, e-mail. He urged some restraint because at the time potential
investors were examining the company: "I would think twice about going too
aggressively on the offense during [due] diligence." But he added: "Obviously,
if we find someone is slaughtering us in the interim, we should not wait to
counter."
"It was like a big game of Dungeons & Dragons," a current Direct Revenue
manager says, and it was becoming lucrative. An ad software shop generally
charges advertisers up to a penny a day for each computer that showcases its
ads. A company with access to 10 million computers can make about $100,000 a
day. With its "install base" soaring to more than 20 million computers by late
2004, Direct Revenue's annual sales rose 450%, to $39 million. Its four
founders took home a combined $23 million, with Abram enjoying the biggest
share: $8.1 million.
This cash geyser drew investors' attention. Insight Venture Partners, which has
among its advisers Robert E. Rubin, former Treasury Secretary and now chairman
of the executive committee at Citigroup (C ), poured in
$27 million, court filings show. Andrew J. Levander, a lawyer for
Insight, says the firm's pre- investment due diligence "did not raise any
issues concerning the lawfulness of Direct Revenue's disclosure and
distribution practices." Rubin wasn't involved with the investment, Levander
says. When Insight learns of complaints, he adds, it works with the company to
address them.
Complaints were certainly not in short supply. "You have 24 hours to provide me
with a removal tool for your piece of crap spyware program," Joe LoMoglio
e-mailed the company in September, 2004. "Your pop-up ads popped up a few porn
sites while my 6- and 9-year-old children were using the computer." Reached by
e-mail, LoMoglio says the company "refused to respond."
As Direct Revenue surged in late 2004, its hyperactive sales force profited as
well. Several top performers took home more than $300,000 apiece that year,
current and former employees say, and a celebratory mood enveloped the
fourth-floor ad-sales department. On Friday afternoons, employees opened
bottles of beer, and Paul Nute, a top sales executive, occasionally blasted the
pop song Everybody's Working for the Weekend.
Nute had a trademark line for corporate sales pitches, according to current and
former sales employees. "It's like crack," he would say. "Once you try it,
you'll keep coming back for more." Nute declined to comment.
By early 2005, Direct Revenue had notched deals with JPMorgan Chase, Delta, and
the Internet phone company Vonage, according to former sales staffers and
Direct Revenue documents. Cingular Wireless spent more than
$100,000 a month at the peak of its relationship with Direct Revenue,
current and former employees say. Direct Revenue put Cingular pop-ups in front
of other phone companies' Web sites and news sites such as the one affiliated
with tech magazine Wired. Vonage, meanwhile, was billed $110 for each customer
that Direct Revenue delivered, according to a sales report from July, 2005. For
that month, Direct Revenue billed Vonage for 287 new customers, or $31,570.
JPMorgan Chase confirms that it advertised with a Direct Revenue unit through
the middle of last year, but says it was unaware of any spyware activity. Delta
and Cingular declined to comment. Vonage didn't respond to inquiries.
NO MORE MR. NICE GUY
By mid-2005, Direct Revenue had grown to more than 100 employees, and its
practices were drawing public notice. Bloggers, invoking the right to be free
of uninvited ads, singled out Direct Revenue. Benjamin Edelman, a prominent
Internet consultant and spyware foe in Cambridge, Mass., tried to shame
advertisers away from Direct Revenue by displaying on his site the names of
companies that appeared in Direct Revenue pop-ups. Jules Neuringer, owner of
Portronix, a Brooklyn (N.Y.) computer-service firm, says that during this
period about a dozen of his small-business clients complained about Direct
Revenue spyware. Of these, he says he "was never able to bring an infected
computer back to pristine operating condition."
Direct Revenue insiders knew they were alienating consumers and even made
tentative moves to clean up their act, court filings show. But when the result
was fewer people getting stuck with its software, Direct Revenue pulled back
from reforms.
In early 2005 the company was bundling its products with a file-sharing program
called Morpheus, which users could download onto their computers. Morpheus
required that Direct Revenue make its software easy to spot in a computer's
"Add/Remove" panel, which is the registry where a user can find most legitimate
software and delete it. Direct Revenue agreed at first but after a few months
noticed that thousands of new users it gained via Morpheus were quickly
deleting the ad software. Kaufman, a co-founder of Direct Revenue, sent an
e-mail to colleagues in February, 2005, saying the company should drop the Mr.
Nice Guy routine. "We need to experiment with less user-friendly uninstall
methodologies," he wrote. The distribution agreement with Morpheus ended within
three months.
MASS PARALYSIS
The same ambivalence was evident in April, 2005, when Direct Revenue released a
concoction known as Aurora. The program clearly labeled ads as coming from the
company, a gesture designed to build credibility. But Aurora had powerful
features that fought off competing spyware and security programs. The company
also raised the number of pop-ups it sent users to as many as 30 a day.
Disaster ensued, as Aurora paralyzed thousands of computers. Matt Oettinger,
who ran media operations at Fastclick (VCLK ), an advertising network that
bought ads from Direct Revenue, found his home PC afflicted by Aurora, e-mails
in court filings show. In June he ordered all Fastclick ads disentangled from
Aurora. Branko Krmpotic, the managing director of Technology Investment Capital
Corp. (TICC) (TICC ), which had invested $6.7 million in Direct Revenue, also
caught the Aurora bug and couldn't kill it, according to e-mails. Eventually,
Direct Revenue had to send its customer support director to fix Krmpotic's
machine. After receiving complaints about Aurora, Insight Venture, another
major investor, told the company to remove Insight's name from the Direct
Revenue Web site. Fastclick declined to comment; Krmpotic didn't return calls.
Even Aurora's creators fell victim as the program froze computers at Direct
Revenue. One sales staffer, Judit Major, documented receiving more than 30
pop-up ads in one day, according to e-mails. Her computer crashed four times.
"We are serving WAY TOO MANY pops per hour," wrote Chief Technology Officer
Daniel Doman in a June e-mail to the company's brass. "If we overdo it, we will
really drive users to get us the hell [off] their machine. We need to BACK OFF
or we will kill our base."
By then consumer complaints were pouring in to Attorney General Spitzer's
office. He filed suit in April, after his staff had hauled away 150 boxes of
the company's e-mails. Spitzer alleges that he found numerous examples of
Direct Revenue spyware downloaded with misleading user agreements or no
disclosure at all. In many cases, the download was performed by a distributor
on behalf of Direct Revenue, but company executives repeatedly conceded in
e-mail that users were in the dark about how its programs got into their
computers. This, Spitzer argues, amounts to illegal deception.
PERSISTENT HEADACHES
A Direct Revenue spokesman, Michael Spinney, says the company is "mystified" by
Spitzer's allegations. It cleansed its practices more than nine months ago,
Spinney says, and now puts its name on all its pop-up ads. It also now makes
its software available for deletion in a computer's Add/Remove Programs
registry and has limited its use of distributors. Before these changes, Spinney
asserts, Direct Revenue employed practices common in its industry. He wouldn't
comment on Spitzer's individual allegations.
The anti-spyware activists and computer security firms confirm that Direct
Revenue has dropped its most destructive programs, such as Aurora. But they
emphasize that the company continues to cause serious headaches. Tokyo's Trend
Micro Inc. (TMIC ) offers an online service that scans customers' troubled
computers. In April it identified Direct Revenue's spyware as the culprit in
9,400 computer scans. That's down from 14,000 in January, but it represents a
substantial level of annoyance. "Direct Revenue is still on everyone's top 10"
of reviled spyware companies, says Anthony Arrott, Trend Micro's spyware
research manager.
Deborah Maradei-Ugel, a loan officer in Santa Clarita, Calif., says she
receives more than 20 pop-ups a day on her home computer as a result of Direct
Revenue spyware. She complained to the company, but removal instructions it
sent her are impossible to follow, she says. Her machine frequently stalls and
requires restarting. "You hit your computer," she fumes, "but it doesn't help."
The way Direct Revenue describes its software during the download process
remains vague and misleading, Edelman and other critics say. The company now
bundles ad programs with Kazaa, an online service offering music and other
digital content. Kazaa gives users a choice between a
$30 version of its program and a free version labeled "ad supported."
But few ordinary consumers would understand that ad-supported means they get
separate software from Direct Revenue that will monitor them online and serve a
steady stream of pop-ups, Edelman says. Kazaa declined to comment.
Direct Revenue has lost business and reduced its headcount to a couple dozen
employees. The four founders still own 55% of the company, according to
Spitzer's filing, and Abram is still seen around the office in his sharp suits.
But he no longer serves as CEO. Sales gurus Stein and Nute have moved on to
another Internet venture. Many major companies, such as Cingular and Yahoo,
have severed connections with Direct Revenue. But the ads of others, including
Vonage, continue to appear in Direct Revenue pop-ups. Insight and TICC remain
investors.
Among Direct Revenue's alumni, pride over technical cunning mingles with regret
for exasperating so many computer users. After waffling on the issue during a
long interview, one former Dark Arts wizard sighs and sums up his version of
the company credo with an elegiac observation by abolitionist Frederick
Douglass: "Find out just what any people will quietly submit to and you have
found out the exact measure of injustice and wrong which will be imposed upon
them."
===
/m
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
|