Market Research Company Secretly Installs Spyware

An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."

Well?

[flyneye]

Is anyone going to do something about this?
Some justice,revenge,butt chewing,anything?
Do we write our congressman,DOS them or what?
all problems and no solutions.
It must be illegal on some level.
do we file a massive suit and each collect $5 or what?

That's sort of odd...

[zappepcs]

the previous story mentioned social justice in the headline... social justice here would be to have CD copies of their malicious software being rammed up their backsides "without their consent" so to speak...

Why is the DOJ worried more about aunt Eunice downloading MP3s than they are about people who are maliciously causing harm?

sigh, I'll write but I wonder if my representatives will actually notice...

Win-win-win solution

[straponego]

I think everyone who isn't a total scumbag agrees that spammers and spyware makers are evil and a drain on society. Furthermore, in terms of lifetimes wasted, they time they cost us surely adds up to many times the lives we've lost due to terrorism. I have the answer, one which will heal the political rift in the US as a side effect.

First, we have the NSA, DHS, et al target their illegal wiretapping programs at spammers and spyware makers. They've got the infrastructure to track these people down, and this is a justification for the programs everybody can get behind.

Second, when a spammer is caught, we ship them down to Gitmo. It doesn't matter, in this case, whether torture is an effective means of getting information. We don't need information from them, we just want them out of circulation. We can hope that it would be a deterrent, but really they'll be getting it for the simple reason that they deserve it. Republican/Christians get to torture and sodomize to their shrivelled little hearts' content, and we don't have to worry about damaging our reputation in the world community. Everybody's happy!

Gentlemen, there is no way that we can lose on this one!

Re:Win-win-win solution

[Steve+B]

One important point is that spam is about the perfect method of communicating "go-codes" to terrorist cells -- it's trivial to encode a message in the anti-filtering gibberish attached to most spam, and the indiscriminate broadcast completely negates traffic analysis.

HOSTS entry to block?

[martyb]

I want to proactively block any chance of getting caught by this. I just added this to my (Windows/XP HOME SP2) HOSTS file (C:\windows\system32\devices\etc\HOSTS):

127.0.0.1 comscore.com # ComScore, nee MediaMetrix, et al

I recognize this is but a start. I expect this has been investigated by others already. Rather than re-invent the wheel, I'm looking for some input on what else I can do to protect myself from them. (I already use ONLY firefox, and also have AVG, AdAware, Spybot, and WinPatrol)

Questions:

1. What other entries should I add to my hosts file? (Prevent)
2. What program(s) have you used to locate and remove this? (Detect and Remove)

FYI: Wikipedia's ComScore Entry

Re:HOSTS entry to block?

[interiot]

Oops, I forgot to include the Texas Tech link with the IP addresses.

Intercepts https://

[interiot]

The thing that really gets me is that their monitoring software installs a root certificate in the user's browser so that they can do a "man in the middle" attack to https:/// connections at their proxy servers. In many cases, comScore gets permission from end users to do this, but I don't think many users really realize how much information they're exposing by doing this. Most obvious is bank passwords, etc, but comScore says they don't monitor those. comScore DOES however say that they verify their user's name, address, income, etc., which I'd imagine most users wouldn't actually agree to if they were fully informed.

Re:Intercepts https://

[Beryllium+Sphere(tm)]

Inviting the question, even if you trust them with your credit card numbers, and trust all their employees, do you want to bet that there won't be a security breach on one of their servers?

This is a serious limitation of SSL on commodity operating systems, by the way. IE's list of trusted root certificates is simply entries in the registry. Even if you're part of the infinitesimal fraction of users who knows what a CA cert is and where to look for them, how can you do a security review on all 39 of the root certificates that come with Firefox, or spot a new unwanted one? (One of those root certs is from AOL, by the way). If you trust the Mozilla foundation to audit the security and practices of each and every one, do you have the same trust in a proprietary browser's developers? Even assuming the developers make the decision instead of the marketers?

Re:Yawn...

[Ngarrang]

Yawn? Don't plug into the net? What arrogant uncaring tripe. What kind of jackass gives that sort of a response? Oh, right, an OS snob. People have the right to privacy and surf the net unmolested, no matter the OS they use. ComScore trampled on that right and deserve to burn, so don't turn this around and blame the user.

this is what they should do!

[ILuvRamen]

why the hell don't the cops show up at the company's door, break it down, and arrest everyone responsible and make sure CNN news crews are there to record it and make a story out of it. Then maybe these stupid, evil marketing people will stop thinking they can get away with it! It's called illegal for a reason. If they can arrest a guy for putting a distributed processing screensaver on school computers, they can arrest marketing execs!

Screenshots?

[slashkitty]

The submitter claims the software takes screenshots of every page the users visit.

This isn't what the actual article says. It says "virtual photos". Most likely is that it's just collecting URLs.. and maybe the contents of the page.. There would be no reason to do screenshots... It would make things much more difficult to analyze.

Re:Screenshots?

[interiot]

The installed software re-routes all of your internet traffic through comScore's proxy servers. In most cases, they're probably just monitoring the URL's you visit, but they also check check more specific information in some cases... they say they verify the user's demographics (name, address, it sounds like purchases are tracked as well), and depending on what they're doing research on at the time, they sometimes track P2P activity, audio streaming activity, instant messaging statistics, etc.

Re:Screenshots?

[interiot]

From TFA:

While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.

Re:Yawn...

[Temsi]

That's about as stupid as teaching abstinence only as the only way to fight STD's.

Interestingly, the advice given is almost the same too: don't plug in...

People are doing it and kids will do it, so instead of closing your eyes and yelling "don't do it", you should at least show them how to use protection first.

So what good is a unenforced law?

[canuck57]

So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce it?

Re:So what good is a unenforced law?

[Threni]

> So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce
> it?

It would also appear to break the UK's Interception Of Communications Act 1988.

Re:Yawn...

[Harmonious+Botch]

But most Windows users are as interested in secure computers as teenagers are in condoms.

They have to! Think of the poor marketers!

[orkysoft]

They have to install it on the computers of people who don't agree to it, because if they only monitored people who agreed to it, it would skew their results, because they'd be using self-selected samples! Think of the marketers!

Skew them !

Download their software onto a 'tame' computer, and use it to browse 'interesting' sites.

Who would have thought that people who regularly view Ford's web site also like Goats ?

Re:Your best bet

[the_humeister]

Indeed. That's why I use Minix as my operating system, vi as my word processor, and links as my web browser. Come and get me, you bastards!!!

Re:Yawn...Just say no to sex.

[Temsi]

OK, now you're just being silly.

Sure, abstinence is the only 100% effective way of preventing STD's, but teaching that and nothing else, is an extraordinarly dumb thing to do, because it goes against our natural instincts. We are born with the need for sex, and when it awakens it tends to go a little nuts. Abstinence only education can lead directly to teen pregnancies and the transmission of std's, because kids are not given an alternative method of protection, and in fact statistics show that it simply doesn't work in any way shape or form. Ignorance is not protection.

Your gun lesson analogy is a bad one. Firing guns is not a natural urge written into our genes.
ALL teens have sexual urges, but only a handful of nutcases have the urge to shoot their classmates.
Thus, your argument is a red herring.
That being said, it wouldn't hurt to have an alternative method of protection against guns, such as trigger-locks, and not rely solely on the "don't do it because I said so" method (which incidentally is the same one used in abstinence only education).

A more proper analogy would be:
You have a swimming pool in your back yard. You can tell your kids not to go in it all you want, but one day, when you're not looking, they will, and when that time comes, wouldn't it be safer if they've been taught how to swim?

Do you have to deal with the problems?

[Colin+Smith]

Yawn? Don't plug into the net? What arrogant uncaring tripe. What kind of jackass gives that sort of a response? Oh, right, an OS snob Actually it's the sort of response that you get from someone who's constantly asked to fix computers that are repeatedly infested with viruses, spyware and other malware.

Maybe you're 12 and your time's worthless. Mine isn't and I now charge $$$ to fix computers. You don't want to pay? YeeHaw! Go away, fix it yourself then, or find some rather dim student who has nothing better to do.

People have the right to privacy and surf the net unmolested, no matter the OS they use. Awww, how sweet. Welcome to the real world, not the idealised socialist one you have in your head.

Re:Do you have to deal with the problems?

[jlarocco]

You sound like you lack the social skills necessary to tell people that it consumes too much of your time to fix all your friends computers in such as fashion as to retain them as your friends.

Real friends don't expect you to do work for them. If that offends them, good riddance.

You should be able to teach similar sorts of things to your friends, strengthen your friendship and give yourself more time to do fun things.

Yes, but it's not my responsibility, nor is it a way I want to spend my free time. There are much more fun ways to strengthen friendships that don't involve one person doing work for free.

As far as I'm concerned, my help stops after I tell them to run Debian.

Re:Do you have to deal with the problems?

[Fred_A]

You should be able to teach similar sorts of things to your friends

From what I've seen most people don't care enough to be bothered to learn about these things. It's computers, it's complicated, they don't care. If you try to explain it to them they just wave you away. When it slows down, it means it's broken so they get a new one.

Re:Do you have to deal with the problems?

[bmo]

"Real friends don't expect you to do work for them. If that offends them, good riddance."

Hear, hear old chap!

It's about time we all stopped subsidizing Microsoft's insecure shitware. If everyone who had Windows had to pay GeekSquad's rates every time a computer died, there would be much more pressure on Microsoft to release something secure. But they don't, because they don't have to.

And seriously, it takes a good whole 12 hours of watching the cleaning software chew through all the data on drives these days and when you're done, you're still not sure you got everything.

Yet some "friends" want us to do it for free or for prices that wind up being about minimum wage when the billable hours are worked out. Sometimes that's ok. Some charity cases are OK in my book, but when the charity case comes back 6 months later with the same old "my computer is slow", one feels like a chump.

So now my line is "I'll do it for free if you let me put Linux on it."

Last Friday, a colleague asked me if his computer was infected because it was slow. I told him it was probably a couple of hundred infections (true). He was wondering if he should give it to me or GeekSquad. I told him GeekSquad will just format and reinstall. I did tell him that while he could pay me to do the same thing at a cheaper rate than GS, I would put Linux on it for free. He's thinking.

--
BMO

Client List

[phantomcircuit]

Corporations supporting comScore's actions

• AOL
• Best Buy
• Borders
• CareerBuilder.com
• Clear Channel Communications
• Columbia House
• Digitas
• Discover Financial Services
• Eli Lilly and Company
• Expedia
• ESPN
• Ford Motor Company
• General Mills
• Google
• HP Home & Home Office Store
• Hyatt Corporation
• Interpublic Group
• iVillage
• Johnson and Johnson
• Knight Ridder Digital
• Mattel
• Medscape (Web MD)
• Mercado Libre
• Microsoft
• Monster Worldwide
• NASDAQ
• NAVTEQ
• Nestlé USA
• The Newspaper Association of America
• New York Times Digital
• Office Depot
• OMD Digital
• Orbitz
• Pepsi
• Procter and Gamble
• Starcom IP
• Terra Networks
• Ticketmaster, LLC
• T-Mobile
• Tribune Interactive
• Verizon
• Viacom International
• Washington Mutual
• Yahoo!

Retrieved from http://www.comscore.com/about/clients.asp

They don't do it

[wytcld]

They commission third parties to do it. That's plausible deniability.

Enticing a third party to commit a crime should carry heavier penalties than doing the crime yourself. Especially when as in this case multiple third parties are enticed.

And comShare is receiving stolen property - property stolen only because they offered to buy it. But do we need new law in this area to properly jail these fuckers?

It's the stupidity, stupid.

[rudy_wayne]

from the article:
"Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program."

Why are university students downloading a "Web-accelerator program"? Because they're too stupid to know that these programs are worthless bullshit. Once again, we see that the biggest problem is not viruses or "spyware" -- it's user stupidity.

No reason to be worried !

[Mr+Europe]

Don't be alarmed ! It affects only Windows.

We Linux users are safe.