FTC Cracks Down on Spyware Distributors

The U.S. Federal Trade Commission took action against spyware this week by asking a U.S. District Court Judge to halt an operation that allegedly plagued users who clicked for free file-sharing software with performance-slowing, private-information-gathering software that also altered search results for victims.

The FTC said Odysseus Marketing and principal Walter Rines lured consumers to its free software, billed with statements such as, “Download Music Without Fear” and “Don’t Let the Record Companies Win.” Once downloaded, however, the software — which failed to make file-sharing anonymous — reformatted search engine results through bogus, lookalike sites; generated pop-up advertisements; captured consumer data; and could not be uninstalled.

Claiming unfair and deceptive practices that violate the FTC Act, the agency sought a halt to the operations of the New Hampshire-based outfit, which was also reportedly connected to a major U.S. spammer who has been dubbed the “Spam King.”

Three Strikes for Spyware

The FTC’s suit follows other class-action lawsuits against alleged spyware senders, as well as legislation currently being considered by the federal government.

FTC Chair Deborah Platt Majoras testified before the U.S. Senate recently, explaining the key elements of spyware, adware and other malicious software that make it illegal.

“The Commission’s spyware law enforcement strategy focuses on three key questions,” she said. “First, were consumers aware of the installation of the software on their computers? Second, what harm did the installation of the software cause? Third, how difficult was it for consumers to uninstall the software after it had been installed?”

In the latest filed complaint, the FTC alleges Odysseus acted illegally under all of those criteria, hiding disclosure in an end user licensing agreement, making the software difficult to detect and remove, and further infecting users’ machines when they tried a supposed uninstall tool.

Effective Enforcement

Webroot Vice President of threat research Richard Stiennon told the E-Commerce Times the FTC spyware suit was “very, very significant.”

“I think it’s a good sign of the FTC using the authority they already have,” he said. “So the FTC is flexing its muscles in the right way.”

Stiennon said that, despite the four spyware bills before the U.S. legislature, there is really no need for additional legislation.

“My opinion is, there are enough laws on the books already to counter both spamming and spyware,” Stiennon said. “In terms of enforcement, only the FTC is going after it,” he added, referring to exceptions such as New York state attorney genera Eliot Spitzer and others, who have successfully prosecuted malware makers and mailers.

Tackling With Technology

As for keeping up with spyware and other malware from the technical, IT security perspective, Stiennon said companies such as his believe they are doing so.

He explained that Webroot has a team of 40 people, updating anti-spyware definitions from a Web-scanning tool and working on advanced techniques and tools “to really tear into the tricky stuff.”

Stiennon said the use of malicious software for spamming and for spyware had gone beyond merging and was actually evolving into more inconspicuous and damaging attacks, such as mass phishing attempts and targeted ID thefts.

“It’s all headed to where there’s the most money to be had,” Stiennon said.