Modernizing Authentication — What It Takes to Transform Secure Access
WASHINGTON -- The Federal Trade Commission (FTC) has obtained a temporary restraining order to stop a San Diego, Calif.-based company from exploiting a vulnerability in Microsoft's Messenger Service to bombard Internet users with pop-up ads -- ads aimed at selling software to stop the very same type of pop-up.
The Messenger Service pop-up ads, also known as "Messenger Service spam", resemble regular Windows system messages, such as those that appear to tell users a print job is finished. The more common genre of pop-ups, made famous by advertisers like X10 and Orbitz, open up a new Web browser.
According to the FTC, D Squared Solutions and its principal officers, Anish Dhingra and Jeffrey Davis, repeatedly sent Windows Messenger pop-up messages to consumers -- as frequently as every 10 minutes -- instructing consumers to visit Web sites that state that the barrage of pop-ups could be stopped by purchasing software at a cost of $25-$30.
"This is nothing more than a high-tech version of a classic scam," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "The defendants created the problem that they proposed to solve -- for a fee. Their pop-up spam wasted computer users' time and caused them needless frustration."
The Windows Messenger Service is a component of the Windows 2000 and XP operating systems designed to provide network administrators with the ability to provide instant information to network users. The Windows system comes with the Messenger Service automatically in the "on" position, but it can be over-ridden by consumers on their individual computers. Firewall hardware or software can also prevent Messenger Service spam from reaching users via the Internet.
Last month, Microsoft issued a security warning that the Messenger Service was vulnerable to the type of attacks cited in Thursday's FTC action. The software giant has long had instructions on its Web site to explain how users can turn off Messenger Service. Messenger Service is not related to Microsoft's popular instant messaging software.
"Most pop-ups are Web-based and come from the browser," Beales said. "We're not challenging that. We object to this backdoor approach of co-opting the network administration feature of Windows Messenger."
According to the FTC, the defendants placed their pop-up ads near the center of users' computer screens, blocking the user's work. The ads appeared as long as the users were connected to the Internet, leading to particular trouble for users with DSL lines or cable modems who were continually on the Web.
The FTC alleges that these users continued to be hit with the pop-ups, even when they were logged off of the Internet and working in other applications such as word-processing or spreadsheet programs.
Also, the FTC claims, the defendants either sold or licensed their pop-up-sending software to other people, allowing them to engage in the same conduct. The defendants' Web site allegedly offered software that would allow buyers to send pop-ups to 135,000 Internet addresses per hour, along with a database of more than two billion unique addresses.
The FTC complaint contends the practices of the defendants is unfair because it is likely to cause substantial consumer injury, including the loss of data, reduced work productivity, and the temporary freezing of the consumer's computer screen. Further, the defendants encouraged consumers to think that they could not easily stop the pop-ups. The FTC contends that these costs are not balanced by any benefits to consumers or competition.
"What's going on here is the practice of sending a message until you pay someone to stop sending the message," he said. "We call that extortion."