Slashdot Mirror


Morpheus Hijacks Browsers For Affiliate Links

An anonymous reader submits: "According to this news.com article, Morpheus (aka StreamCast) has begun silently installing a browser plugin on its users' machines that basically hijacks the web browser even when not running Morpheus. An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination. The user will not be aware that this is happening... however the site doing the redirecting will benefit because they are set up as an affiliate partner and will get a commission on the backs of the user. On a horrible scale of 1 - 10 for sleazy business practices, I rate this a 9. Comments?"

8 of 489 comments

  1. Scary by EvilAlien · · Score: 3, Interesting
    What else is peer-to-peer software silently borrowing?

    Trillian password files perhaps?

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    1. Re:Scary by Zeinfeld · · Score: 3, Interesting
      What else is peer-to-peer software silently borrowing?

      There are a bunch of overlapping issues here. One is the politician problem. Many people want to vote for politicians who are going to serve their personal self-interest best. This raises the problem that the self-interest of the politician is rarely that of the voters, particularly if they are elected. So politicians who make a bid for public support on the basis of self interest alone are likely to believe what they preach and serve their personal self interest exclusively.

      The problem of spyware appears to be almost unique to P2P software. This might be coincidence; P2P just happened to get hot at the same time that the Internet bubble burst and Internet business models turned Hobbesian. On the other hand it appears more likely that people who write software whose primary purpose is to help people steal music have no moral qualms about exploiting their users as well.

      A second set of problems comes from the fact that P2P pretty much cuts itself off from most of the traditional Internet business models. Post Napster no P2P company can make money from any business model that requires them to maintain a central server or long term business relationships with other companies.

      The thread contains many posts that attempt to dispute the claim that Morpheus is doing anything bad. The debate tactics used suggest that it is FUD from the Morpheus self-justification dept. There are plenty of posts saying 'the poster hasn't read the article, Morpheus is not stealing referrals', only that is precisely what the article accuses Morpheus of. This is not about collecting information about users.

      On the legal side I don't imagine that this is a sustainable business model. There is no way that Amazon and the other companies are going to want to pay people for intercepting referrals from other sources. Depending on the circumstances if an affiliate is collecting money by misrepresentation the actions may constitute fraud.

      The other main issue is of application security. Here the only significant difference between Linux and Windows is that Windows being more popular makes it a more attractive target for scumware. Linux has to consider the problem since if Microsoft develops a defense the scumware folk will attack Linux next on the 'bear principle' - I don't have to outrun the bear, I just have to outrun you.

      There is a hook in IE to disable all third party plug ins. The problem is that this is the big switch approach. What there should be is the ability to select which plug ins are enabled. Windows really should not have so many under the covers switches for installing software. I recently found that one of my machines had been infected by Comet Cursor; I have no idea when. Checking the Windows registry to find out if you have spyware reminds one of Arthur Dent's difficulty finding out about the plans to build a bypass through his house.

      The problem with the big switch is that Adobe Acrobat is pretty useful. Macromedia Flash is also useful in limited circumstances. I like the animations on Slate, but the new breed of annoyance ads have led me to disable it. There should be a switch to allow plug ins to be enabled on a site by site basis. Unfortch, the security zone mechanism does not do this as yet.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  2. Been waiting for this... by Suicide · · Score: 4, Interesting

    Honestly, I had the idea for this a while ago while talking with a friend. I've been waiting for someone else to implement it. It's not that much different than those sites that collect and list internet deals, in the hopes that you'll follow their links and they'll get the referrer fee, like this one.

    While I personally see this as a bad thing, since they do it behind the user's back, I would probably have no objection to installing something similar for slashdot. I don't exactly feel the need to subscribe, but I would have no objection to them collecting a referrer fee off of my internet purchases.

  3. Re:Corrections and notes... by cyberformer · · Score: 3, Interesting
    It could make a huge difference to small Web sites that rely on referrals to defray bandwidth costs. Linking to relevant books on Amazon (or bn) can often make more than banner ads. If a significant proportion of users have Morpheus installed (not an unreasonable assumption), the other referring sites could go under.


    I know I'll be checking that any referral programs my Web site participates in aren't on Morpheus's hitlist, and switching to a competitor if they are. I expect others to do the same, thus giving retailers like Amazon a real incentive to make sure that they don't pay anything out to Morpheus.

  4. Mail Sent to EFF, CAFE by plaidfishes · · Score: 5, Interesting

    I have sent the following message to Robin Gross of EFF.

    Dear Ms. Gross

    I am writing to express my concern that my attempts to financially support EFF have been stolen by Morpheus and similar companies. I have long been careful to use the Amazon Affiliate Button on your front page for all of my book purchases. I have felt that doing this combined to support what I believe in simply and effectively. Since my purchases have been well over $1000 per year for at least the last two years, I know that it has to have been worth at least some money to EFF.

    It has recently become apparent that Morpheus et al. have been placing software such as TopText and other scumware on users' machines. These programs have the sole purpose of rewriting affiliate links. This effectively redirects the financial benefits of these links to the scumware operators. To put it bluntly, this is theft, no different than if they had taken the affiliate checks and written their own names as payee.

    I have supported the EFF for years. I supported Morpheus partly because of EFF's support of them. But I am frankly disgusted by this turn of events. As the Director of the Campaign for Audiovisual Free Expression, and a staff attorney for EFF for Fair Use and Intellectual Property, I believe that you may well be the single best person to let them know they have gone too far. To take a principled stand on Fair Use is one thing. To pump ads to users while using the software is also perfectly legit. To actively steal revenue from other people, companies and organizations, even after the user has supposedly removed the software, without notice is simply beyond comprehension.

    Sincerely

    Walter Williams

  5. You are missing who this really hurts. by Chetmurray · · Score: 3, Interesting

    To hell with the idiots downloading porn or warez.

    This affects website owners. Many small websites make ends meet by their affiliate links. This will steal that money away. This is one of the few ways small webmasters can make money - short of begging.

    And aren't we all sick of the virtual begging cup by now? Don't let the last legit way for sites to make money be destroyed. Sites that don't have traffic for banner ad sales need these sales. They need this income. If this takes off, it will wipe out small sites everywhere.

    As an example, look at http://www.gonegold.com

    Informative helpful website. IGN pays them squat. But they do make money on their affiliate gaming links. Take them away and who will pay the site's bandwidth? That is the real issue, that is the real fight. And for some smaller sites, this really is a fight for their survival.

    By the way, what are the implications that the only thing you have to agree with when installing Morpheus is the GNU license? There is no mention of this spyware (even though it is installed).

    Chet

  6. You need to see this spyware crap at its worst. by grundie · · Score: 5, Interesting

    I'm a sysadmin in a large call centre which used to tolerate a certain amount of personal use of its computers. One of the main helpdesk requests the IS department had was for ghostings of computers which had been so f**cked up by various bits of spyware. The worst offender by far was Save Now; getting it to uninstall was a pain and even when you did think it was gone, it would reappear sooner or later. We firewalled the Save Now website and any addresses the app connected to, and rather than die after 2-3 attempts the plugin would thrash the firewall continuously trying to make a connection. We also came across a particularly nasty spyware app which had no visible front end but would randomly redirect you to a porn site; thankfully we had Super Scout installed, which blocked 99% of porn sites. However this didn't help the poor employee who unknowingly had this crap on his PC as he thought he was going to be sacked for looking at porn (we have always had a very, very tough line on porn).

    Most of the spyware on the computers was not intentionally installed, which is what made it worse. The last straw for us was when we discovered a Win98, 1 GHz Pentium with 256 MB RAM and a fast hard drive taking 15 minutes to start as it was loaded with so much spyware/plugins/rubbish and they all wanted to start simultaneously; running a packet sniffer on that particular machine showed that spyware was using over half the bandwidth available. We locked down the network after that, barring access to anything known to involve file sharing, plugins, spyware etc. However there is an interesting side note: we had a retained lawyer with IT specialisms, and apparently the UK Computer Misuse Act makes it illegal to alter the contents of a computer without getting the user's authority, which was interesting.

    It's bad enough these spyware apps stealing money from deserving small websites and, let's face it, users as well. You just need to see the damage they can do to networks and computers as well; I can see a lot of sysadmins becoming very angry if these sort of applications get more sneaky and nasty in the way they operate.

  7. How to write your very own scumware by TheTomcat · · Score: 3, Interesting

    Documentation on Browser Helper Objects (BHOs) at MSDN.

    S
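
A defender's view of the mechanism raised in Zeinfeld's registry remark and in comment 7, as an added example that is not part of any post in this thread: a read-only PowerShell inventory of the Browser Helper Objects registered on a Windows machine, resolving each CLSID to its DLL and Authenticode status. It assumes the plug-in in question registers as a BHO under HKLM, which the page does not state; the function name `Get-BhoInventory` is made up for this example.

```powershell
# Added example: list machine-wide Browser Helper Objects and the DLL behind each.
# Read-only; run in a PowerShell session on the Windows host being audited.
function Get-BhoInventory {
    $root  = 'HKLM:\SOFTWARE'
    $views = @(
        @{ View  = 'native'
           Bho   = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
           Clsid = "$root\Classes\CLSID" },
        @{ View  = 'WOW64 (32-bit)'
           Bho   = "$root\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
           Clsid = "$root\Classes\WOW6432Node\CLSID" }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $entry.PSChildName
            $classKey = Get-Item -LiteralPath "$($v.Clsid)\$clsid" -ErrorAction SilentlyContinue
            $server   = Get-Item -LiteralPath "$($v.Clsid)\$clsid\InprocServer32" -ErrorAction SilentlyContinue

            # The default value of InprocServer32 is the DLL the browser loads.
            $dll = $null
            if ($server) {
                $raw = [string]$server.GetValue('')
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }
            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $dll } else { $null }

            [pscustomobject]@{
                View      = $v.View
                Clsid     = $clsid
                Name      = if ($classKey) { $classKey.GetValue('') } else { $null }
                Dll       = $dll
                OnDisk    = $onDisk
                Signature = if ($sig) { "$($sig.Status)" } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Modified  = if ($onDisk) { (Get-Item -LiteralPath $dll).LastWriteTime } else { $null }
            }
        }
    }
}

# Review entries whose Signature is not 'Valid' or whose DLL path is unfamiliar.
Get-BhoInventory | Format-List
```

Comparing the output against a known-good baseline for the same build makes a newly registered helper stand out.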