Security companies have been talking about social engineering in the distribution of adware, malware and spyware for years now. In the early days of social engineering discussions, the mechanism for tricking end users into installing potentially unwanted software focused on such avenues as IRC and IM services. Basically, the end user is lulled into a false sense of security that a link is safe to click since it is coming from a “friend” via a social network.
The companies behind adware and spyware have always been innovative and typically one step ahead of the curve when it comes to installation methods. Their survival is dependent upon their ability to have their software installed on computers. Naturally, social networks like Facebook will be prime targets as a potential source for installations.
Anatomy of an Attack
Several sources (Computer World, InformationWeek) are reporting a widespread adware attack on Facebook Monday. The incident shows just how powerful social engineering can be for adware companies when it is combined with a very popular social network like Facebook.
The attack involved a Facebook application promising “the sexiest video ever”. When Facebook users installed the app, they were told they needed to update their FLV Player. This isn’t a completely uncommon occurrence in and of itself when watching a video online. When the link was clicked to update their FLV Player, the end user received an installation of HotBar.
The attack was contained solely on Facebook. It did not involve installing any type of Trojan or virus that was then sent out via infected computers. The infections were limited only to those people who clicked the link to update their FLV Player. In a fifteen-hour period (the time it took Facebook to remove the threat), AVG Technologies is reporting 300,000 infections. At peak times of the attack, AVG was receiving 40,000 reports per hour. These are astounding numbers, particularly when you keep in mind these are detections by one security company (those infected who use AVG and opt into sending threat detections to AVG servers).
The use of contextual adware, like HotBar, has existed within the affiliate marketing channel since their existence. Initially they were allowed by the major networks (even before the proliferation of CPA Networks). Even when allowed, this form of marketing was highly controversial. Eventually all the major networks disallowed this type of marketing, in large part because of legal actions being taken by regulatory agencies against some of the larger adware companies over installation tactics.
As CPA Networks began to expand into the marketplace, many of these agencies openly allowed contextual adware marketing (and still do). The DirectTrack software, used by many CPA Networks, is programmed to recognize and accommodate contextual advertising. Even so, contextual adware marketing became the “black sheep” of the affiliate marketing channel.
How the Playing Field has Changed
Over the last several months, contextual adware advertising has donned yet another new face, under the name of PPV or CPV marketing. There is a sector within the affiliate marketing community who are promoting contextual adware marketing, such as through HotBar, as a legitimate form of marketing by affiliates. By virtue of just saying it is a “legitimate” marketing channel, many appear to be accepting the statement as fact.
One of the primary defenses of contextual adware marketing I’ve seen is that “it’s not spyware, it’s adware and the end user wants it.” As the Facebook attack demonstrates, the end user doesn’t always want it. Sometimes the end user is tricked into installation. The past issues of nonconsensual installations that invited outside regulators like the FTC have not gone away. Nor is the label “adware” necessarily connotative of a benign software application, as implied by those promoting PPV/CPV marketing. Even Zango recognized that fact by virtue of their failed legal attempt to force Kaspersky and PCTools to declassify their software as adware.
I’ve been following contextual adware for almost ten years now. I’ve seen little change in the fundamentals of how contextual adware companies operate. The most significant change I’ve noticed of late is the seeming willingness by some within our industry to openly accept and embrace this type of “marketing”.