February 5, 2003
An Open Letter To Bank Of America

Hello,

I write for spywareinfoforum.info and would like to ask for a comment on something.

Some of our readers have contacted us expressing concerns about certain parts of the Bank of America web site. On certain secure log-in pages on the web site, there is html and javascript code to load an image from Doubleclick.net, an internet advertising company. The image is not visible to the user's eye and the javascript associated with it appears to be creating a random ID number. We have logged onto the site and verified that there is coding to load these images.

Doubleclick is an advertising company with a very bad record in consumer privacy practices. In fact, this company has been sued several times over and found to be violating the privacy of internet surfers. I was unable to find mention of Doubleclick anywhere on the BoA web site. I concentrated on the privacy policy section, so perhaps I overlooked it somewhere.

Here specifically is what I'd like to ask about.

Is the usage of images loaded from doubleclick servers disclosed anywhere on the BoA web site?
What is the purpose of loading the doubleclick images?
What information about the visitor to BoA is collected by doubleclick and to what use is that information put?
What information about the visitor to BoA is provided to doubleclick by Bank of America and to what use is that information put?

Thank you,

Mike Healan
http://www.spywareinfoforum.info/

The above is a letter that I wrote to Bank of America a couple of weeks ago in which I asked for an explanation for the presence of a Doubleclick web bug on a secure enrollment page. This letter has gone unanswered, therefore I am making it an open letter to the company.

The presence of this web bug on a secure customer page at a major bank is completely baffling. What could the purpose of it possibly be? With Doubleclick involved, it's probably nothing good.

Who is Doubleclick?

Doubleclick is one of the largest advertising companies on the internet. If you've ever visited such sites as WindowsMedia.com or PCWorld.com, then you've almost certainly come across a Doubleclick advertisement. Most, if not all, advertisements from Doubleclick leave a cookie on your computer when loaded. If a cookie from Doubleclick is already present, then it will tell company servers which web site created it, letting the company accumulate a profile of your web browsing habits.

In late 1999, Doubleclick purchased marketing research firm Abacus Direct in a merger worth over 1.7 billion US dollars. Doubleclick announced plans to combine Abacus's database of consumer profiles gathered offline with information that Doubleclick had gathered on the internet. This would have allowed the company to uniquely identify individuals whose browsers loaded Doubleclick advertisements on the internet.

A massive effort was organized by pro-privacy groups in an effort to halt the merger. The Center for Democracy and Technology coordinated an email campaign against Doubleclick investors and members of the Doubleclick network objecting to their association with the company. Thousands of complaints poured in from outraged consumers.

The Federal Trade Commission and the New York State Attorney-General's office both opened informal investigations into the company's activities. Michigan's Attorney-General filed a lawsuit claiming that Doubleclick had violated Michigan's Consumer Protection Act. This was in addition to six other lawsuits against Doubleclick, some of which attained class-action status.

In the face of this opposition, Doubleclick finally backed down from its plans to merge these two enormous databases. More information about this situation is available at http://news.com.com/2104-1023-237532.html

As you can see, Doubleclick has a very poor record when it comes to consumer privacy. To many people, Doubleclick's activities make it the poster child for abuse of internet technology. To many proponents of online privacy, Doubleclick is The Great Satan, the example that is always pointed at to show how badly one company can abuse the privacy of consumers.

Whether I think Doubleclick is evil or the very picture of virtue, I don't want them or any other company eavesdropping while I log into my bank account online or sign up for some service. It defeats the purpose of having an encrypted connection if a third party is involved in the loading of the page. When that third party is a company whose cookies are detected as spyware by nearly every spyware/adware removal product on the market, that's reason enough for me to never again log into that bank account.

Where is this web bug?

Go to the Bank of America web site and click on "Online Bill Pay". It will ask you what state you are in. From there, click the "enroll" button. Then it takes you to a page located on a secure server. This means that the connection between you and the server is protected by 128 bit Secure Socket Layer encryption and that there are supposed to be no outside parties involved in the transactions between your browser and the secure web page.

On the bottom of that page there is a 1 pixel wide, 1 pixel high transparent graphic which is loaded from http://ad.doubleclick.net. In other words, a web bug. Normally a web bug will set a cookie, but uncharacteristically for Doubleclick, this web bug does not. The web bug is loaded from a secure server, so the normal browser warnings about a page that is not fully encrypted do not go off.

Below is the HTML and JavaScript code used to load the web bug. Those who dabble in web development will see what is happening here. A script generates a large random number, then requests the web bug from Doubleclick with that number appended to the URL. This number will be the unique identification number of this particular web bug.

<!-- Start of DoubleClick Spotlight Tag: Please do not remove-->
   <!-- Activity Name for this tag is:Enrollment page: CA -->
   <!-- Web site URL where tag should be placed: https://onlineca.bankofamerica.com/cgi-bin/ias/0/E/bofa/ibd/IAS/presentation/CAOnlineEnrollmentEntryPoint -->
   <!-- Creation Date:4/17/2002 -->
   <SCRIPT language="JavaScript">
   var axel = Math.random()+"";
   var a = axel * 10000000000000;
   document.write('<IMG SRC="https://ad.doubleclick.net/activity;src=746664;type=custo767;cat=enrol610;dcovd=c;ord='+ a + '?" WIDTH=1 HEIGHT=1 BORDER=0>');
   </script>
   <NOSCRIPT>
   <IMG SRC="https://ad.doubleclick.net/activity;src=746664;type=custo767;cat=enrol610;dcovd=c;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0>
   </noscript>
   <!-- End of DoubleClick Spotlight Tag: Please do not remove-->

If you are using Internet Explorer version 6, you can see that the bug is loaded by clicking Privacy Report on the view menu. Scroll to the bottom of the box and you will see it.
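
To check a page for this kind of tag without a browser, the sketch below statically scans HTML for 1x1 images served from a host that is not first-party, including tags that a script writes with document.write. It is an added example, not code from this newsletter or from Bank of America. The page URL https://bank.example/enroll, the first_party list and all function names are assumptions made for illustration; the sample HTML is constructed around the Spotlight tag quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a hypothetical page embedding the Spotlight tag quoted above.
SAMPLE_PAGE_URL = "https://bank.example/enroll"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<SCRIPT language="JavaScript">
var axel = Math.random()+"";
var a = axel * 10000000000000;
document.write('<IMG SRC="https://ad.doubleclick.net/activity;src=746664;type=custo767;cat=enrol610;dcovd=c;ord='+ a + '?" WIDTH=1 HEIGHT=1 BORDER=0>');
</script>
<NOSCRIPT>
<IMG SRC="https://ad.doubleclick.net/activity;src=746664;type=custo767;cat=enrol610;dcovd=c;ord=1?" WIDTH=1 HEIGHT=1 BORDER=0>
</noscript>
</body></html>
"""

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)


class ImgCollector(HTMLParser):
    """Collects <img> attributes from markup and from tags embedded in script text."""

    def __init__(self):
        super().__init__()
        self.images = []          # (attribute dict, "markup" or "script")
        self._script_text = None  # buffer, not None only while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_text = []
        elif tag == "img":
            self.images.append((dict(attrs), "markup"))

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or self._script_text is None:
            return
        # Script bodies are opaque to the HTML parser, so a tag emitted with
        # document.write() is only found if the script text is scanned as well.
        for match in IMG_TAG.finditer("".join(self._script_text)):
            inner = ImgCollector()
            inner.feed(match.group(0))
            inner.close()
            self.images.extend((attrs, "script") for attrs, _ in inner.images)
        self._script_text = None


def _is_tiny(attrs):
    """True when both width and height are declared and are 0 or 1."""
    try:
        return all(int(attrs.get(k) or -1) in (0, 1) for k in ("width", "height"))
    except ValueError:
        return False


def _is_first_party(host, first_party):
    return any(host == d or host.endswith("." + d) for d in first_party)


def _path_params(path):
    """Split an 'endpoint;key=value;key=value' path into a dict of its parameters."""
    pairs = (p.split("=", 1) for p in path.split(";")[1:] if "=" in p)
    return {key: value for key, value in pairs}


def find_web_bugs(html, page_url, first_party):
    """Return one finding per tiny image whose host is outside first_party."""
    collector = ImgCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs, origin in collector.images:
        src = attrs.get("src")
        if not src or not _is_tiny(attrs):
            continue
        host = urlsplit(urljoin(page_url, src)).hostname or ""
        if not host or _is_first_party(host, first_party):
            continue
        params = _path_params(urlsplit(src).path)
        # A quote inside a value means the script concatenates it at load time.
        runtime = [k for k, v in params.items() if "'" in v or '"' in v]
        findings.append({"host": host, "origin": origin,
                         "params": params, "runtime_params": runtime})
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL, ("bank.example",)):
        print(finding)
```

On the sample it reports both copies of the tag: the one written by the script, with ord marked as computed at load time, and the NOSCRIPT fallback with its fixed ord=1.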

What does Bank of America say about this web bug?

Not one word is printed anywhere that I could find on the BoA web site which mentions, or even hints at the existence or usage of this web bug. Nowhere does Bank of America disclose a relationship with Doubleclick. In fact, the information on several pages claims that third party marketing companies would have no access to you on their web site. And yet, right there on this secure, encrypted sign-up page we find exactly what BoA says it doesn't allow.

http://www.bankofamerica.com/onlinebanking/index.cfm?template=guarantee
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_cnsmr.cfm
http://www.bankofamerica.com/privacy/index.cfm?template=privacysecur_onlin.cfm

Bank of America has some explaining to do. They have an undisclosed relationship with a company which few people trust, a company which is in the business of gathering information about web site visitors. This is not something which they can or should keep quiet about. If there is a simple, innocent explanation for these web bugs, let's hear it. I, personally, want an answer, and I'm sure most of you do as well.

Is this your bank? You have the right to know why a large marketing company is involved when you access secure sign-up pages at your bank. I suggest everyone who uses this bank's services ask them about their relationship with Doubleclick. The contact form for questions relating to privacy issues is located at https://www.bankofamerica.com/contact/?lob=privacy. Please note that they may refuse to allow you to access the site if you are using the Opera web browser. In this case, tap the F12 button and set Opera to report itself as MSIE (Internet Explorer).

Let's hope that some answers are forthcoming soon. I'll keep you updated if anything new about this comes in.

 

Cookies. What they are, how they are used, and how to deal with them

Since I'm on the subject of Doubleclick, I thought I'd include a section on cookies for this issue. As I said earlier, Doubleclick advertisements set cookies which they use to track you across different web sites. Clearly that is a privacy concern, so I'm going to tell you how to deal with cookies. This information is taken from our cookies article located at http://www.spywareinfoforum.info/articles/cookies/.

What are cookies?

Cookies are text files stored on your computer that web sites use to keep track of info their site requires. This can be as simple as a placeholder that indicates for you what you have already seen on that page (usually by changing the text color) or remembers your preferences. These cookies have no contact with anyone since the info they contain is meant solely for your benefit.

However, some companies use those cookies to track where you have been and what you have done. This happens not only on the web site where you first got the cookie, but on any site you go to thereafter that uses the same info gathering. The difference depends on whether the cookie is a first party or a third party cookie. Third party cookies are set not by the server sending you the web page, but rather by a server located elsewhere that contains data being loaded on the page you are viewing, as in the case of most advertising banners.

This is from the readme.txt of a popular cookie blocker product:
"Most people who are on the net these days are probably familiar with what a cookie is - it's basically a small piece of information related to you that a website stores on your computer. This in and of itself is nothing bad, the vast majority of the websites out there use this simply to track when the last time you came was (so they can show you what's new), or your login information so you don't need to login again and again - great time savers! Of course, I said most sites, but not all... There are many companies that try to cross-reference sites that you go to, to help build customer profiles so they can target advertising at you, provide clients with buying patterns, and a whole lot more."

How to control your cookies

It is a simple matter to disallow cookies from servers not located on the site that you are currently loading.

In Mozilla 0.9.6 and higher and Netscape 6.x, go to Edit > Preferences. In the dialog go to Privacy & Security > Cookies and select "Enable cookies for the originating web site only". We are uncertain about older versions of these browsers.

In Internet Explorer 6.x, go to Tools > Internet Options. Click the privacy tab and press the "Advanced" button. Check "Override automatic cookie handling" and "Block" under Third-party cookies. Your setting for First-party cookies is up to you, but we suggest selecting "Prompt" as well as "Always allow session cookies". Be warned, the prompts will quickly drive you nuts. See the next item.

Internet Explorer 5.x and lower does not have the ability to block third party cookies. An excellent tool for controlling cookies that is compatible with IE 5.x and IE 6.x is AnalogX's Cookie Wall. CookieWall will ask you just once what to do with a particular cookie. It will apply that decision every time it encounters that cookie in the future.

Download CookieWall at http://www.analogx.com/contents/download/network/cookie.htm.

In the Opera browser, these settings are located in File > Preferences > Privacy Preferences. In the second drop box under Cookies, set it to Do Not Accept Third Party Cookies.

 

Ad-aware 6 (free version) Released

The long wait is finally over. Lavasoft has released the freeware version of Ad-aware 6. There are now three versions of Ad-aware, the free Standard version, the $26.95 Plus version which includes a realtime spyware monitor, and the $39.95 Pro version which can be used to scan network drives.

I'll be playing with it over the next week to see how it performs. I'll also get a copy of the Plus version and see how it compares to the Standard version. I'll also compare it against what I consider to be the best in the anti-spyware biz, Spybot S&D.

For a complete and updated list of mirror sites, please see the following thread at Lavasoft's support forums:
http://www.lavasoftsupport.com/index.php?act=ST&f=1&t=3222

Scot Finnie published his own review of the Plus version this past Monday. Scot gave AAW Plus pretty high marks. You can read his review at http://www.scotsnewsletter.com/39.htm#review1. While you're there, check out the link of the week. This week's link of the week happens to be our friends at Counterexploitation.

 

Been Scammed By A Dialer?

I'd like to ask for a little help with something. We are asking for people to post a brief statement at the forums about their experience with dialer programs.

A dialer is a small program which disconnects your dialup modem and uses it to make long distance calls to foreign countries. Usually this is found on pornographic or warez web sites and supposedly allows access to special adult networks. The company responsible for the dialer rakes in the long distance fees.

These programs are installed by ActiveX drive-by download or by disguising themselves as picture or movie files. You go to a web site and get bombarded by pop ups, and the next thing you know a dialer is installed. Once installed, the dialer will create registry entries that load it when you restart your PC. When it dials up, it will turn off the sound of your modem so that you are not alerted by the sound. Most people don't have a clue it's there until they get a phone bill for hundreds of dollars.

So far, this despicable practice is more or less legal. I would like to change this. What we need is for everyone to make a brief post describing when they were infected with the dialer program and how much money it cost them. When enough people have posted about being victimized by these programs, I'll start pointing some lawmakers at the page so that they can see what a huge problem it is.

The address for the post is http://www.spywareinfoforum.info/rd/dialers/. I'm going to be converting from the current bulletin board software to something else, so the full address won't work, but this shorter address will always lead to the correct post. There is no registration needed to post there.

Please post this or link to it wherever you can. I really want to get the word out about it and try to get it stopped. Thanks.

http://www.spywareinfoforum.info/rd/dialers/
http://www.spywareinfoforum.info/newsletter/archives/feb-2003/5.php#dialers

 

Turn The Tables On Messenger Spammers

Something occurred to me a few weeks ago while a friend of mine was griping about messenger spam. If you've ever been online and had a small advertisement pop up in a window with Messenger Service in the title bar, then you've been a victim of a messenger spammer. There are two ways to get rid of these ads: block the port the service uses, or turn off the messaging service entirely.

If you need to leave the service running, block port 135 in your firewall. For help with doing this in your specific firewall, please start a topic in the firewalls forum at our message boards and ask how to do that.

If you can't block that port for some reason or would prefer to completely disable the service, follow these directions.

For Windows 2000 and XP

  • Go to start and click Run
  • Type services.msc
  • Double-click on Messenger.
  • In the Messenger Properties window, select Stop, then choose Disable as the Startup Type.
  • Click OK.

For Windows 95, 98, and ME

  • Under Control Panel, select Add/Remove.
  • Select Windows Setup.
  • Select System Tools.
  • Click Details.
  • Uncheck WinPopUp.
  • Click OK.

The idea which I had was to build a program which would block messenger spam. There are already a few programs which do this. Even Panicware's pop-up stopper now blocks this annoyance. However, I want to take this a step further than just passively blocking the spammer. I want to actively strike back at the spammers who are sending these annoying messages.

You can't spam an email spammer because email spammers fake their return addresses. The best you can do is get their IP address and complain to their service provider. On the other hand, you can give a messenger spammer a taste of his own medicine. In order to send out his unwanted garbage, a spammer must have the messenger service enabled. In other words, he is as vulnerable to messenger spam as you are.

This program that I would like to have built would not only block the spam, but it would also send a "bounce" back to the spammer. By this I mean that it would send a short message to the spammer's IP address using the same messenger protocol. "Your messenger spam was blocked by <program's name>. Your IP and spam message have been logged and forwarded to your service provider's abuse address".

Now imagine if thousands of people run this program. The spammer begins to send out his messages and hundreds of little messenger dialog boxes suddenly pop up in his face, eat up all his RAM, and crash his computer. As a nice bonus, no one else gets spammed while the scumbag is recovering from a blue screen. Can you see why I like this idea? >:)

The best part is that this is perfectly legal. All you are doing is sending a single message back to the spammer in reply to their message to you. The crash happens when thousands of people send back a reply. Think of it as a self-induced denial of service attack.

Unfortunately, I'm not a programmer. I can barely write a decent batch file; you can forget about anything more complicated than that. If any of you coders out there would like to do the world a favor and write this program or make suggestions, please take a look at this thread at the message boards. Don't email suggestions to me, since I wouldn't know what to do with them.

 

Security Warnings

GreyMagic Security Research published five new advisories on February 4, specifying severe flaws in the new version of the Opera web browser, which was released just last week.

Three of the vulnerabilities are rated critical, allowing full read access to the user's file system, including the ability to list contents of directories, read files, and access emails among other things. The remaining vulnerabilities are not as critical. Opera exposes sensitive private information about the user by making it possible for a web site to access URLs that the user had last visited.

Opera Software was notified of the security vulnerabilities late Friday, January 31 by GreyMagic. In an incredible display of callous disregard for the safety of web surfers using the new Opera browser (myself included), GreyMagic refused to hold off publishing the full and complete details of these security vulnerabilities to allow Opera time to fix them. I will not link to GreyMagic's web site because they have published instructions on how to exploit these vulnerabilities.

I understand the need to make security vulnerabilities known to the public. I also understand that some companies like to build their reputations at the expense of others. As a consequence of this irresponsible action, any web surfers using Opera 7 are currently at risk of falling victim to these exploits. If Opera Software were to take legal action against GreyMagic in this matter, I for one would wholeheartedly support it.

Opera software has released new builds, labeled version 7.01. You can download the version with java here, and the version without java here. It is very strongly recommended that you update immediately. Please pass this information along to anyone you know who uses the Opera browser.

More information:

http://my.opera.com/forums/showthread.php?postid=64110
http://www.internetnews.com/dev-news/article.php/1578931
http://theregister.co.uk/content/55/29177.html
http://www.pcworld.com/news/article/0,aid,109192,00.asp

 

We've been contacted by Gladiator Anti-virus with a warning that a script at www.edonkey.com is installing a trojan via activex. This web site is not the web site of the eDonkey peer to peer client. The "official" web site for eDonkey is http://www.edonkey2000.com/.

Apparently this "trojan" is yet another version of C2Media's lop.com-style software. Going to the web site in question causes a javascript to redirect you to a file called MP3_Plugin.exe sitting on that server, and an activex script installs it if you are using Internet Explorer with low security settings.

As always, make sure your internet security settings disable or at least prompt for all activex options. Otherwise you could end up with such things as lop.com, Xupiter, Gator, Comet Cursor, etc.

More info:

http://www.brain-pro.de/Seiten/advisory/advisor1.htm (In German. Click here for bad English translation)
http://www.spywareinfoforum.info/yabbse/index.php?board=6;action=display;threadid=3434
http://forum.gladiator-antivirus.com/index.php?s=&act=ST&f=10&t=1536&st=0

 

First Annual Chatroom Stats

For those who didn't know already, SpywareInfo has an IRC chat room. I'm almost always in there, and I'm also a moderator for Lockergnome's chat room as well as several other chat rooms (yes, I'm an IRC junkie).

Some pretty funny stuff happens in there, all of which is logged by my friend Track (not his real name) and compiled into a stats page. The first annual stats are now available for perusal. These are the combined channel stats for all of 2002, and there's some pretty hilarious stuff there. Be warned, the chat room is not a place for kids, and there is probably some foul language displayed among the stats.

The normal stats can be found at http://www.officialstats.com/spyware/. The chat room itself can be loaded in a java applet at http://www.spywareinfoforum.info/chat.html or with an IRC client at irc.wyldryde.net #spyware. If you have mIRC, you can just click here.

Be aware that from time to time it is necessary to kick someone out of the chat room and ban their IP address. In some cases we have to ban whole ISPs. If you get a message saying your address is banned, then you will not be able to access the chat room.

 

Ramble

This issue is already way too long and my arm hurts from all the typing, so I'll make this quick. You'll have to pardon the typos this time. I'm too tired to look for them (not that I ever catch them all anyway).

Last week I said that I was going to be on TechTV. Unfortunately, the guy never called back so I wasn't on the show. My TV career has gone down in flames before it even began :'(

I'm still going to move to that faster, less crowded server I mentioned though. The day I expected to be on TV, an article about Xupiter came out in Wired News in which I was quoted. In this article, there was a link to a colossal thread at my message boards about Xupiter. This article was posted on the front page of Slashdot, the link right along with it. All in all, about 15,000 new visitors hit the message boards and trampled the server right into the ground. It was so bad that I had to shut down the forums to take the strain off the server.

The next day, the BBC published a similar article about Xupiter which also linked to my site (though thankfully not to my message boards). I need to be on that newer, more expensive server. To all of you who sent PayPal donations in response to my pitiful plea for cash, thank you very much. You people rock.

Since there is no rush now, I'll take a little longer to move over to the new server. It has dawned on me that when I move, every single page will stop working right. I use PHP scripting to make updating the site faster. Unfortunately, this means that the paths to some of the external PHP files I link to will be invalid. I need to fix all that before I try to move the site. Sometime this month I hope to be on that new server. I'll keep you updated.

 

Blah Blah Blah

Linking/Quoting Guidelines

I don't mind people quoting these newsletters on message boards, personal blogs, and newsgroups. However, I ask that anyone doing so link to the online version of whatever they're quoting. At the top of each section is a link to the permanent location of the newsletter with an anchor tag that brings the browser right to that section. Please link either to the page or to the specific anchor. If quoting the lead section, link to the page itself.

I also ask that you quote no more than one section at a time. This is copyrighted material, and I do not authorize anyone to copy the entire newsletter anywhere. Link to the page instead. If I find an entire issue of my newsletter on your bulletin board, I will be contacting you about it, so save me the trouble and replace it with a link or remove it please.

If you want to publish something from SpywareInfo on your web site, please contact me for permission first. Emailed permission is required before any material from SpywareInfo can be republished elsewhere (message boards, personal blogs, newsgroups excluded).

Subscription Management

There really is no management. If you want off this list, click on the link all the way at the bottom of this newsletter. That will remove your address. If you want to change your subscribed address, unsubscribe the current address, then subscribe the new one.

If you're reading this online and want to get on the list, enter your address below and press the "Subscribe" button. You will receive emailed instructions for confirming your subscription request. Signing up an address that doesn't belong to you will result in my beating you with a tire iron.


Be aware that most web email services screw up the style sheet used for this newsletter, and that Hotmail strips it off entirely. One web based email service which seems to have no problem with the newsletter is MyWay.com. Also be aware that this newsletter tends to set off spam filters. I refuse to modify it to pass those filters because that's not my problem. I could care less if a spam filter doesn't like the newsletter. Check with your email provider to see if they filter your email. If they do, see if you can have them whitelist the newsletter. The address the newsletter comes from is admin@spywareinfoforum.info.

Do not sign up an address which uses an auto-reply of any sort. This specifically includes "out-of-office" auto replies. The newsletter goes out in the middle of the night, so obviously you will not be in the office and I don't want to know about it from 500 different people. Also do not sign up an address which requires I answer a question, input some access code, click a special link, or any other such nonsense. If you believe the address you wish to use will be spammed or sold by me, don't subscribe. Just read it online. For more information, read SpywareInfo's privacy policy.

Replying and forwarding

If you wish to reply to this newsletter, please keep the following in mind.

One, I get a godawful amount of email each day. On top of that is the spam I get which various people have been kind enough to sign me up for. For these reasons, I may or may not reply to your email depending on how grouchy I am when I read it. I also much prefer dealing with people at the message boards.

Two, if you do reply to this, please do not include the body of the newsletter itself. Violators will have their email address sold to lop.com (kidding).

Three, technical support is not provided through email. I used to do this, but I no longer can. Please use the message boards for all technical assistance. Thank you.

Please do not forward this newsletter to anyone. It is a large email full of HTML and advertisements. To some people, getting an email like this one forwarded to them would be considered spam. There is an anchor link at the top of each section which links directly to that item online. The newsletter itself will always be located at http://www.spywareinfoforum.info/newlsetter/.

Until next time.....

 

All material on this web site is copyrighted
© 2001-2003 by Mike Healan. ® All rights reserved.