SAN JOSE, Calif. (AP) — Online pornography hunters’ Internet adventures are already fraught with danger from malicious code many porn sites use to commandeer visitors’ machines or steal personal data.
Now comes a scheme some researchers say amounts to extortion: One site’s threat to disable visitors’ computers with relentless pop-up ads if they don’t pay for a subscription they were automatically signed up for after a free trial.
The threats, reported this week by researchers at security vendor McAfee Inc.’s Avert Labs, affect people who visit the Web site [sexxxpassport.com] and download software to access a free three-day trial membership.
Visitors do get free access for three days, but the download includes code that then generates a stream of pop-up windows, when the user is online and offline, demanding payment of roughly $80 for 90 days’ worth of additional access.
The windows stay open up to 10 minutes and appear once a day. They appear on top of any open windows and restore to their original size if shrunk or moved, making them impossible to ignore. They also reappear if the computer is rebooted.
The site actually warns visitors they will be billed as full members — and lose full use of their computers if they don’t — unless they cancel the subscription within the trial period. But the warning appears in the full terms and conditions statement, which downloaders aren’t required to read.
Once the fees are paid, the software can be removed with a special file.
“What it appears they are doing is, in my humble opinion, a form of extortion based on the (usually correct) assumption that a person’s computer will be key to many other activities in their daily life,” McAfee researcher Seth Purdy wrote on the Avert Labs blog.
Here’s Purdy’s original posting from Avert Labs: Ok, having been doing this stuff for a while I’ve seen a fair amount of questionable practices. It takes something pretty unique to get my goat (antivirus researcher pun intended) at this point. That said, what I found Micro Bill Systems doing had my jaw hitting the desk.
Following up on a post to the Grok.org.uk [Full-Disclosure] mailing list, I did some research (and yes, it was legitimate research!) into the billing method used by sexxxpassport.com. Micro Bill Systems (MBS) provides the billing used by the site, and the model is rather unconventional, to say the least.
Sexxxpassport offers a free three-day trial to their adult site. All that is required is download and execution of the “Authenticator” software. (Note: most images link to original resolution versions)
The full terms (all 11+ pages) are displayed below this when clicking the link (which consists of that entire underlined text block shown). However, the user is not required to actually view the terms at any point before proceeding. In combination with the fact that the most alarming sections of the Terms begin around page 5, it begs the question of how reasonable it is to assume the user will have fully absorbed and understood them.
Furthermore, by offering access to the services without requiring any billing information it seems very likely the content providers are banking (literally!) on people assuming they can just stop accessing the site before the trial ends, without needing to affirmatively cancel the service, and all will be well. However, that assumption is woefully incorrect.
After three days (in accordance with the Terms), it’s assumed the user wishes to subscribe, and they are charged for 90 days worth of access at “less than 45p per day” (so, somewhere around £40, or approximately $80). Then the popups start.
The frequency and persistence of the popups is actually outlined in the full Terms & Conditions. In fact, it is very explicit about what the MBS software is going to do, with the forcefulness of the billing display ramping up over a few weeks.
Possibly the most alarming item of the Terms & Conditions is in Section 12:
12.5 If You choose to ignore the payment reminders and do not pay the Membership Fee, You hereby understand and acknowledge that the prompt reminders may become more frequent and that You may lose the ability to use Your computer until You have submitted payment. The payment reminders will be active while your computer is online or offline.
Yes, you read that correctly. They are claiming the right to disrupt and potentially completely disable use of your computer as a means to compel payment. Depending on the current display resolution of the system the locked billing popup can indeed obscure things to the point of making it unusable. The popup window will automatically restore itself if resized or moved. It also carries the “always on top” attribute, so it will cover other desktop elements or application windows. Though the disruption is limited in duration it appears that the daily display count for the billing reminder is reset if the system is rebooted, and so could occur more than once per day.
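The behaviour described above (a window that carries the "always on top" attribute and restores itself whenever it is resized or moved) is something a support technician can look for directly. The following is an added example, not McAfee's code or anything from the article: it checks top-level windows for the documented Win32 `WS_EX_TOPMOST` extended style and flags those that have also been seen re-restoring themselves after user action. The restore-count heuristic, the `WindowRecord` type, the function names and the sample window list are all constructed for this example; the constants `WS_EX_TOPMOST` (0x8) and `GWL_EXSTYLE` (-20) are the real values from winuser.h. The live enumeration only works on Windows; the heuristic itself is a pure function so it can be exercised on any platform with the constructed sample.

```python
"""Flag 'always on top' nag windows that keep restoring themselves.

Added example, not the article's or McAfee's code. Assumption: a visible
top-level window with WS_EX_TOPMOST that has repeatedly re-restored itself
after the user minimised or moved it deserves a closer look.
"""
import sys
from dataclasses import dataclass

# Documented Win32 values from winuser.h.
WS_EX_TOPMOST = 0x00000008   # window stays above all non-topmost windows
GWL_EXSTYLE = -20            # index for GetWindowLongW to read extended styles


@dataclass
class WindowRecord:
    title: str
    ex_style: int
    restore_events: int = 0   # times the window re-restored itself after user action (constructed field)


def is_topmost(ex_style: int) -> bool:
    """True if the extended style word carries WS_EX_TOPMOST."""
    return bool(ex_style & WS_EX_TOPMOST)


def find_nag_windows(windows, min_restores: int = 2):
    """Return titles of windows that are topmost AND repeatedly self-restore.

    A topmost window alone is normal (volume mixers, screen readers); the
    combination with self-restoration is what makes the nagware stand out.
    """
    return [
        w.title for w in windows
        if is_topmost(w.ex_style) and w.restore_events >= min_restores
    ]


def enumerate_topmost_windows_win32():
    """Enumerate visible top-level windows that carry WS_EX_TOPMOST (Windows only)."""
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.windll.user32
    EnumWindowsProc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    found = []

    def callback(hwnd, _lparam):
        if not user32.IsWindowVisible(hwnd):
            return True
        ex_style = user32.GetWindowLongW(hwnd, GWL_EXSTYLE)
        if is_topmost(ex_style):
            length = user32.GetWindowTextLengthW(hwnd)
            buf = ctypes.create_unicode_buffer(length + 1)
            user32.GetWindowTextW(hwnd, buf, length + 1)
            # restore_events would be filled in by watching the window over time;
            # a single enumeration pass cannot observe that, so it stays 0 here.
            found.append(WindowRecord(buf.value, ex_style))
        return True

    user32.EnumWindows(EnumWindowsProc(callback), 0)
    return found


# Constructed sample: one ordinary window, one legitimate topmost window,
# and one topmost window that restored itself five times after being minimised.
SAMPLE_WINDOWS = [
    WindowRecord("Document - Editor", 0x00000100, 0),                    # WS_EX_WINDOWEDGE only
    WindowRecord("Volume Mixer", WS_EX_TOPMOST, 0),                      # topmost, never self-restores
    WindowRecord("Payment Reminder", WS_EX_TOPMOST | 0x00000080, 5),     # topmost + WS_EX_TOOLWINDOW, self-restoring
]


if __name__ == "__main__":
    if sys.platform == "win32":
        for w in enumerate_topmost_windows_win32():
            print(f"topmost: {w.title!r} ex_style=0x{w.ex_style:08x}")
    print("flagged in constructed sample:", find_nag_windows(SAMPLE_WINDOWS))
```

On a real machine the `restore_events` count has to come from observing the window over time (for example by polling `IsIconic`/`GetWindowRect` and noting when the window un-minimises or snaps back without user input); the enumeration pass above only identifies the candidates.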
There are also clauses in the Terms & Conditions where fees can pile up quickly.
Depending on how you interpret (a), I could see it adding £25 a day for each beyond the 7th that you have an outstanding bill. Not versed in accounting, I’m unclear precisely the circumstances where (b) and (c) are to be applied.
The closest analogy I’ve come up with: You’re offered a free trial of satellite radio for your car. Then, a week later, you go to leave for work one morning and find a boot on your car, immobilizing it until you pay up.
The most they should be able to do, in my view, is cut off access to their services and refer the individual to collections. What it appears they are doing is, in my humble opinion, a form of extortion based on the (usually correct) assumption that a person’s computer will be key to many other activities in their daily life. Also, possibly with inadvertent/passive blackmail as a bonus: someone not wanting other family members or a spouse to realize they’ve been surfing for pornography, or perhaps even more dire, someone to see it on a computer at their workplace, and becoming desperate to silence the persistent billing popups.
Faced with such a situation, it is probable that most “customers” would quickly pay to regain control of their systems and avoid possible embarrassment. I strongly suspect the powerful social engineering leverage created by this situation is not accidental.
Additional details are available at the Avert Labs Threat Library page for MicroBillSystems.