Spyware tricks part II: follow the money trail
Yesterday I wrote about my experience with spyware installations and noted that spyware pushers are using more devious methods to foist their software on users and making it increasingly difficult to remove. I asked what is spyware about. The answer: money. Let's examine the money trail. Ben Edelman, leading spyware researcher and Harvard law school graduate, has done extensive research on the subject. Before delving into Ben's work, however, it must be noted that the money trail is complex and often convoluted. At the CNET Anti-Spyware workshop in May, Ari Schwartz of the Center for Democracy & Technology (CDT) spoke about the economics of adware and spyware. Ari also testified before the Senate Committee on Commerce, Science , and Transportation on May 11. The testimony, which can be viewed here (PDF), includes charts of the adware business model in theory, in practice and a real world case. Sanford Wallace's company Seismic Entertainment. Ari noted that "Sanford Wallace, the spyware purveyor [...] brought in at least $1.5 million from browser hijacking and deceptive software downloads in 2003 and 2004." and that spyware and adware are a "many million dollar industry"(pg. 2). Ari discusses the "long list of companies involved in the distribution chain" and "lengthy complex chain of affiliates" as shown in the chart "A Real World Example".
Who is making money on adware and spyware? Ben Edelman has a number of posts that help answer the question. "Who profits from security holes?", "Investors Supporting Spyware", "Advertisers Supporting eXact Advertising", "Intermediaries' Role in the Spyware Mess", How Yahoo and Expedia Fund Spyware and "How Affiliate Programs Fund Spyware". Some of the advertisers' names might surprise you - Dell, Gateway. Chase, SBC, Netlfix and more. Affiliate networks Commission Junction and Linkshare are mentioned. I couldn't begin to estimate the number of affiliates in the adware/spyware business but it must be huge.
Many affiliate programs are "pay-per-install", meaning the affiliate gets paid a few cents for each installation of the software. There's a good discussion on pay-per-install at BroadbandReports.com's security forum. One result of the pay-per-install model is that unscrupulous affiliates will use any means possible to install junkware on users' computers and they don't care how devastating the effects are because they got their few cents. That few cents thousands of times over adds up quickly. Here's an example of one person seeking pay per install affiliate programs. Note that one responder states his opinion that "There are *very* few companies doing this kind of pay per install program in a legit fashion. Most are purely spyware and hijackers." At least one adware company, WhenU, has brought all their distribution in-house. IMO, the internet would be a better, safer place if more companies followed suit.
At any rate, I hope that gives readers a glimpse into the motivation behind spyware/adware and how money is made. In part III I'll discuss why spyware pushers are becoming more devious and how users can help stop them.