Phorm accused of making web browsing 'less stable'

Security experts have warned of the targeted-ad company's history, adding that its infrastructure increases the likelihood of successful DoS attacks against ISPs

Security experts have criticised targeted-ad company Phorm, claiming the nature of its infrastructure could increase the likelihood of successful denial-of-service attacks against its ISP customers.

Dr Richard Clayton, a security expert from the University of Cambridge, published a paper earlier this month detailing Phorm's infrastructure. Clayton found that part of Phorm's system involves mediating web-page requests between users and ISPs. A browser request is first sent via a switch to a machine on the ISP network, which then redirects the user to the Phorm Webwise server to have an anonymised cookie attached to it, allowing Phorm to serve targeted ads to the user.

In the process of attaching the cookie to the browser session, the request is bounced to the ISP machine three times. These request bounce-backs would magnify any denial-of-service attack, according to Clayton, and could also create incompatibilities with browser-security measures.

"Because they start with three redirections before users are led to the real site, browser heuristics could say that this was a dodgy site, which is unwise," said Clayton on Wednesday. "Also, by sending sufficient crafted packets to the [Phorm] web server, attackers would get more bang for their buck, and the net effect would be [that] the server would not resolve anyone to the ISP."

While Phorm could always just switch off its web server in the event of attack, said Clayton, he said the system makes browsing the internet "more complicated and less stable."

A spokesperson for Phorm denied on Thursday that users would experience any problems with the stability of their web browsing.

"We disagree that Phorm will downgrade the experience of the internet," the spokesperson told "From a commercial standpoint, it would be entirely stupid for us to downgrade the user experience, as ISPs buy in[to the service]."

Phorm was also criticised by security company F-Secure in a Tuesday blog post, which drew attention to Phorm's past work and reputation. Phorm was previously named 121Media, with a brand called "PeopleOnPage", the wrapper around the ad engine ContextPlus. F-Secure said that 121Media was responsible for developing pieces of adware, including Apropos. In the blog post, F-Secure described Apropos as containing "one of the most widespread, malicious rootkits of 2005".

On Thursday, Phorm denied that Apropos had contained a rootkit but admitted that it did contain code to hide itself from other pieces of adware. "Apropos wasn't hidden; users could uninstall it," said the company's spokesperson. "Competing pieces of adware would attempt to uninstall it, so [the code was hidden] to stop the effects of unscrupulous other adware. The company is not stealth-based."

The spokesperson added that Phorm had ceased trading as 121Media, as that brand had gained a reputation for serving spyware, but said that such a reputation was undeserved.

"We have never denied that we were in the adware business," the spokesperson wrote. "Such a business is involved in the legitimate bundling of ad-serving technology with free software applications, willingly and knowingly downloaded by users. It is the very fact that people were always unable to distinguish between legitimate adware and illegitimate spyware that caused us to do something unprecedented. As the only publicly traded adware company, listed on the London Stock Exchange with Fidelity and a series of other blue-chip shareholders, and the former chairman of Microsoft UK as our chairman, we unilaterally discontinued our entire revenue stream, concluding that the spyware association was inconsistent with our long-term goals."

More technical details of how Phorm systems work can be found in a paper by Richard Clayton.