Acting on charges by the Federal Trade Commission, a U.S. district court yesterday shut down a spyware distribution operation that it says has installed malware on millions of computers without consumers' consent.
ERG Ventures and several partners hid the Media Motor spyware in seemingly innocuous free software, including screen savers and video files, the FTC says. The agency has asked the court to order a permanent halt to the downloads, and to order the group to "give up its ill-gotten gains."
Joysticksavers.com and PrivateinPublic.com were also named in the suit. A criminal investigation of the allegations is also under way at the U.S. Attorney's Office, the FTC says.
Media Motor, an application that tracks users' Web behavior, can be legitimately installed on client machines with the end users' permission. However, the FTC alleges that ERG Ventures and its partners hid the spyware in other applications, enabling them to track users' activity, generate advertising, and alter browser settings without the user's permission.
The FTC called Media Motor "malevolent software" that is "intrusive, disruptive, and makes it difficult for consumers to use their computers." However, security researcher Panda Software gives Media Motor its lowest possible threat rating.
"The message sent by the FTC is that businesses everywhere should say what they do and do what they say," says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix, Ariz. law firm. "If information is collected for marketing partners -- or if cookies, Web beacons, or Web bugs are used -- then that needs to be disclosed to the end user, and the end user needs to agree to it."
Any software installed on end-user machines should request permission before installation, should be easily uninstalled, and "should not act surreptitiously in the background," Pierson adds. Most businesses do notify their end users before they distribute software, but there are some exceptions, experts say.
According to the FTC filing, ERG Ventures and partners not only didn't tell users about the spyware, but actively lied about it. A deceptive "End User License Agreement" gave consumers the option to halt the installation of all software from ERG Ventures, but it secretly installed malware whether consumers accepted or rejected the terms of the agreement, the agency says.
The ERG Ventures shutdown is one of a relatively small number of cybercrime-related actions to be leveled against a company, rather than a single hacker or group of hackers. Some companies have been giving short shrift to legal and regulatory requirements recently, in part because the enforcement mechanisms are not strong.
But the FTC, which has successfully lodged complaints against regulatory violators such as ChoicePoint and CardSystems, is an exception, says Pierson. "The FTC is perhaps the most vigorous enforcer of consumer laws, and the FTC Act has proven to be anything but a paper tiger," he says.
Consumers who have experienced problems with any of the defendants in the suit can contact the FTC by writing to [email protected] or by calling 202-326-3504 to leave a message.
Tim Wilson, Site Editor, Dark Reading