Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

FTC Hammers on Freeware Distributor

Federal Trade Commission shuts down company accused of distributing spyware with its free goodies

Acting on charges by the Federal Trade Commission, a U.S. district court yesterday shut down a spyware distribution operation that it says has installed malware on millions of computers without consumers' consent.

ERG Ventures and several partners hid the Media Motor spyware in seemingly innocuous free software, including screen savers and video files, the FTC says. The agency has asked the court to order a permanent halt to the downloads, and to order the group to "give up its ill-gotten gains."

Joysticksavers.com and and PrivateinPublic.com were also named in the suit. A criminal investigation of the allegations is also under way at the U.S. Attorney's Office, the FTC says.

Media Motor, an application that tracks users' Web behavior, can be legitimately installed on client machines with the end users' permission. However, the FTC alleges that ERG Ventures and its partners hid the spyware in other applications, enabling them to track users' activity, generate advertising, and alter browser settings without the user's permission.

The FTC called Media Motor "malevolent software" that is "intrusive, disruptive, and makes it difficult for consumers to use their computers. However, security researcher Panda Software gives Media Motor its lowest possible threat rating.

"The message sent by the FTC is that businesses everywhere should say what they do and do what they say," says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix, Ariz. law firm. "If information is collected for marketing partners -- or if cookies, Web beacons, or Web bugs are used -- then that needs to be disclosed to the end user, and the end user needs to agree to it."

Any software installed on end-user machines should request permission before installation, should be easily uninstalled, and "should not act surreptitiously in the background," Pierson adds. Most businesses do notify their end users before they distribute software, but there are some exceptions, experts say.

According to the FTC filing, ERG Ventures and partners not only didn't tell users about the spyware, but actively lied about it. A deceptive "End User License Agreement" gave consumers the option to halt the installation of all software from ERG Ventures, but it secretly installed malware whether consumers accepted or rejected the terms of the agreement, the agency says.

The ERG Ventures shutdown is one of a relatively small number of cybercrime-related actions to be leveled against a company, rather than a single hacker or group of hackers. Some companies have been giving short shrift to legal and regulatory requirements recently, in part because the enforcement mechanisms are not strong.

But the FTC, which has successfully lodged complaints against regulatory violators such as ChoicePoint and CardSystems, is an exception, says Pierson. "The FTC is perhaps the most vigorous enforcer of consumer laws, and the FTC Act has proven to be anything but a paper tiger, " he says.

Consumers who have experienced problems with any of the defendants in the suit can contact the FTC by writing to [email protected] or by calling 202-326-3504 to leave a message.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.