The Plot To Hijack Your Computer
COVER STORY PODCAST
Consumers have strong opinions about Direct Revenue's software. "If I ever meet anyone from your company, I will kill you," a person who identified himself as James Chang said in an e-mail to Direct Revenue last summer. "I will f------ kill you and your families." Such sentiments aren't unusual. "You people are EVIL personified," Kevin Horton wrote around the same time. "I would like the four hours of my life back I have wasted trying to get your stupid uninvited software off my now crippled system."
Sifting through a stack of customer complaints in June, 2005, a Direct Revenue employee decided to tally the most frequently used words of aggression: "die" (103 times), "f------" (44), and "kill" (15). Douglas Kee, then Direct Revenue's chief of quality assurance (QA), ribbed colleagues in an e-mail that with all the death threats, it was a "good thing QA sits farthest away from the entrance."
According to angry consumers and the New York State Attorney General, Direct Revenue makes "spyware." These programs track where you go on the Internet and clutter your screen with annoying pop-up advertisements for everything from pornography to wireless phone plans. Spyware can get stuck in your computer's hard drive as you shop, chat, or download a song. It might arrive attached to that clever video you just nabbed at no charge. Web security company McAfee Inc. (MFE ) estimates that nearly three-quarters of all sites listed in response to Internet searches for popular phrases like "free screen savers" or "digital music" attempt to install some form of advertising software in visitors' computers. Once lodged there, spyware can sap a PC's processing power, slow its functioning, and even cause it to crash.
This explains the vitriol aimed at Direct Revenue. The company, located in a loft above a clothing boutique in New York's hip SoHo district, has been a pioneer in a seamy corner of the booming Net advertising industry. Although it is small by some corporate standards, having generated sales of about $100 million since its start in 2002, its programs have burrowed into nearly 100 million computers and produced billions of pop-up ads.
Direct Revenue's swift rise illustrates the intertwining of spyware and mainstream online marketing. The Web is the hottest game in advertising, but what's rarely acknowledged is the extent to which unsavory pop-ups boost the returns. Here's how it often works: Sellers of advertising, ranging from giant Yahoo! Inc. (YHOO ) to much smaller networks, recruit clients, tally the clicks their ads generate, and charge accordingly. But then Yahoo and the other advertising companies sign up partners that distribute the ads beyond their own sites in return for a fee, and those partners sign up other partners. Down the line, a big piece of the business winds up in the hands of outfits like Direct Revenue, which disseminate the ads as pop-ups and share revenue with their more mainstream partners. Some advertisers say their messages have appeared in pop-ups without their permission. Others seek out pop-ups, and Direct Revenue frequently sells ads directly to such advertisers.
Spyware rakes in an estimated $2 billion a year in revenue, or about 11% of all Internet ad business, says the research firm IT-Harvest. Direct Revenue's direct customers have included such giants as Delta Air Lines (DALRQ ) and Cingular Wireless. It has sold millions of dollars of advertising passed along by Yahoo. And Direct Revenue has received venture capital from the likes of Insight Venture Partners, a respected New York investment firm.
Many of those impressive ties have frayed or ripped apart recently as Direct Revenue has struggled to fend off a lawsuit filed in April by New York Attorney General Eliot Spitzer. The state court action alleges that Direct Revenue crossed a legal line by installing advertising programs in millions of computers without users' consent. Shining a light on the shadowy spyware trade, the suit asserts that the company violated New York civil laws against false advertising, computer tampering, and trespassing.
This article is based in part on more than 1,000 pages of Direct Revenue's internal e-mail and other documents included in court filings. BusinessWeek has reviewed additional documents and interviewed dozens of industry insiders, including 12 current and former Direct Revenue employees and executives.
The company denies any wrongdoing. In a filing in June, it calls the Spitzer suit "much ado about nothing" and defends its past practices as "commonplace" in the industry. It calls its programs "adware" and says it has notified consumers when putting the programs on their computers. It insists that some of the methods Spitzer assails "were long ago changed." And it argues that by accepting its ads, consumers get popular software applications free of charge that otherwise can cost up to $30 apiece.
In the wake of the litigation, Direct Revenue has shrunk in size, but it remains an important player on the spyware scene. Thousands of people still complain each month to Web security firms about new computer infections caused by Direct Revenue programs (although many users are baffled about what's causing the maladies). And a new generation of spyware purveyors of equal or greater potency is imitating Direct Revenue's strategies, infuriating customers, and threatening to taint the larger business of online advertising. Chances are you have some of their handiwork hidden within your hard drive right now.
Direct Revenue's origins trace the rise of what might politely be called one of the more freewheeling sectors of Internet commerce. The company's sales philosophy, according to current and former employees, was heavily shaped by Jesse Stein, a Wharton School-educated marketer whose successes before joining the company included selling VigRX, an herbal penile-enlargement supplement. VigRX may sound familiar because, to win customers, Stein inundated e-mail in-boxes with spam promoting the product. In 2003, when the ABC News (DIS ) 20/20 program identified what it said were the biggest online spammers, it featured VigRX and showed one of Stein's e-mails. He reveled in the notoriety. On his desk at Direct Revenue, Stein, now 36, kept a framed 20/20 screen shot of his VigRX spam, former colleagues say.
His eventual boss, Joshua Abram, came to online hawking from a different angle. His family has a rich history of public service. Abram's late father, Morris, was a civil rights activist in the 1960s who later served as president of Brandeis University and U.S. ambassador to the U.N. under President George H.W. Bush. Joshua's sister, Ruth, heads the Lower East Side Tenement Museum in New York.
In 1999 Joshua Abram helped start Dash.com, a benign precursor to later spyware operations. Dash attached an unobtrusive horizontal bar to the bottom of a computer user's Web browser. As the user moved around the Internet, Dash would note the sites being visited and offer relevant text ads inside the narrow bar. Dash went out of its way to ask users' permission to install the ad bar, and the company even shared its fees with consumers who made purchases. But Dash's tactful text ads drew relatively few clicks, and its fee-sharing became an administrative nightmare. As the Internet market imploded in 2001, Dash folded.
Abram, known for wearing stylish suits amid a sea of techie grunge, kept developing ad software with several colleagues. They joined a broad post-bust move toward treating customers with less respect. One of the new spyware variants he helped create was called VX2, which a former colleague and computer security professionals believe was named after the deadly, undetectable VX nerve agent. In 2002, Abram, a father of two and husband of a fashion-industry executive, started Direct Revenue. His co-founders were fellow Dash alumnus Daniel Kaufman and a pair of data-mining entrepreneurs from a company called Pipe9, Alan Murray and Rodney Hook. The next year, Direct Revenue did business with and then acquired Stein's online ad agency, forming a spyware powerhouse. Stein declined to comment. The four founders didn't respond to numerous inquiries.
By early 2004, Direct Revenue, with Abram as CEO, had settled into its SoHo loft, employing two dozen programmers and salespeople. Current and former staff members say the place had an informal, often cynical atmosphere. The unsophisticated computer users subjected to Direct Revenue's ads had a nickname among some staffers: "trailer cash."
Knowledgeable consumers can reduce the risk of spyware infection by using widely available security software and steering clear of free online goodies. Direct Revenue and its rivals -- companies with such names as eXact Advertising and Zango -- say they employ "user agreements" that notify individuals when they are about to download their software. But the agreements typically can be found only by clicking on links deep within separate legal agreements related to the online freebies. The documents tend to be lengthy and opaque. Large numbers of Internet users who lack adequate security software and fail to read the legalese make themselves vulnerable.
SPY VS. SPY
Once embedded in your hard drive, spyware communicates via the Internet with the company that produced it. The company's computer keeps track of your online meanderings and sends you pop-up ads relevant to the sites you visit. The travel-booking sites Travelocity (TSG ) and Priceline.com (PCLN ) have both been direct customers of Direct Revenue. People who picked up Direct Revenue spyware and then perused flights on Travelocity might find their screens obstructed by a pop-up for Priceline, or vice-versa. The travel sites say they stopped doing business with the company earlier this year.
Direct Revenue and other ad software creators struggle to balance an impulse to pump out waves of profitable pop-ups against the danger of enraging consumers who lose control of their computers. "Most of these companies can't overcome their desire to make the most money right away," says Sam Curry, vice-president for product management at Computer Associates International Inc. in Islandia, N.Y. (CA )
From early on, a small group of programmers at Direct Revenue focused on how to protect their employer's programs once they were lodged in a computer, current and former employees say. The team called itself Dark Arts after the term for evil magic in the Harry Potter series. One of the biggest threats Dark Arts addressed came from competing software. The presence of multiple spyware programs can so cripple a computer that no ads manage to get seen.
Dark Arts crafted software "torpedoes" that blasted rival spyware off computers' hard drives. Competitors aimed similar weapons back at Direct Revenue's software, but few could match the wizardry of Dark Arts. One adversary, Avenue Media, filed suit in federal court in Seattle in 2004, alleging that in a matter of days, Direct Revenue torpedoes had cut in half the number of people using one of Avenue Media's programs. The suit settled without money changing hands, according to an attorney for Avenue Media, which is based in Curaçao. "This is ad warfare," explains former Direct Revenue product manager Reza Khan. "Only the toughest and stickiest codes survive."
In light of the Dark Arts stratagems, Direct Revenue management in early 2004 procured from its lawyers a modified user agreement that would supposedly be shown to PC owners. Within the densely written seven-page document was a declaration that Direct Revenue "could remove, disable, or render inoperative other adware programs resident on your computer, which, in turn, may...have other adverse impacts on your computer."
Abram presented the new agreement to his troops with an impudence befitting the Dark Arts crew. "It's a lawyer-approved license to kill," the CEO said in a February, 2004, e-mail. He urged some restraint because at the time potential investors were examining the company: "I would think twice about going too aggressively on the offense during [due] diligence." But he added: "Obviously, if we find someone is slaughtering us in the interim, we should not wait to counter."
"It was like a big game of Dungeons & Dragons," a current Direct Revenue manager says, and it was becoming lucrative. An ad software shop generally charges advertisers up to a penny a day for each computer that showcases its ads. A company with access to 10 million computers can make about $100,000 a day. With its "install base" soaring to more than 20 million computers by late 2004, Direct Revenue's annual sales rose 450%, to $39 million. Its four founders took home a combined $23 million, with Abram enjoying the biggest share: $8.1 million.
This cash geyser drew investors' attention. Insight Venture Partners, which has among its advisers Robert E. Rubin, former Treasury Secretary and now chairman of the executive committee at Citigroup (C ), poured in $27 million, court filings show. Andrew J. Levander, a lawyer for Insight, says the firm's pre- investment due diligence "did not raise any issues concerning the lawfulness of Direct Revenue's disclosure and distribution practices." Rubin wasn't involved with the investment, Levander says. When Insight learns of complaints, he adds, it works with the company to address them.
Complaints were certainly not in short supply. "You have 24 hours to provide me with a removal tool for your piece of crap spyware program," Joe LoMoglio e-mailed the company in September, 2004. "Your pop-up ads popped up a few porn sites while my 6- and 9-year-old children were using the computer." Reached by e-mail, LoMoglio says the company "refused to respond."
As Direct Revenue surged in late 2004, its hyperactive sales force profited as well. Several top performers took home more than $300,000 apiece that year, current and former employees say, and a celebratory mood enveloped the fourth-floor ad-sales department. On Friday afternoons, employees opened bottles of beer, and Paul Nute, a top sales executive, occasionally blasted the pop song Everybody's Working for the Weekend.
Nute had a trademark line for corporate sales pitches, according to current and former sales employees. "It's like crack," he would say. "Once you try it, you'll keep coming back for more." Nute declined to comment.
By early 2005, Direct Revenue had notched deals with JPMorgan Chase, Delta, and the Internet phone company Vonage, according to former sales staffers and Direct Revenue documents. Cingular Wireless spent more than $100,000 a month at the peak of its relationship with Direct Revenue, current and former employees say. Direct Revenue put Cingular pop-ups in front of other phone companies' Web sites and news sites such as the one affiliated with tech magazine Wired. Vonage, meanwhile, was billed $110 for each customer that Direct Revenue delivered, according to a sales report from July, 2005. For that month, Direct Revenue billed Vonage for 287 new customers, or $31,570.
JPMorgan Chase confirms that it advertised with a Direct Revenue unit through the middle of last year, but says it was unaware of any spyware activity. Delta and Cingular declined to comment. Vonage didn't respond to inquiries.
NO MORE MR. NICE GUY
By mid-2005, Direct Revenue had grown to more than 100 employees, and its practices were drawing public notice. Bloggers, invoking the right to be free of uninvited ads, singled out Direct Revenue. Benjamin Edelman, a prominent Internet consultant and spyware foe in Cambridge, Mass., tried to shame advertisers away from Direct Revenue by displaying on his site the names of companies that appeared in Direct Revenue pop-ups. Jules Neuringer, owner of Portronix, a Brooklyn (N.Y.) computer-service firm, says that during this period about a dozen of his small-business clients complained about Direct Revenue spyware. Of these, he says he "was never able to bring an infected computer back to pristine operating condition."
Direct Revenue insiders knew they were alienating consumers and even made tentative moves to clean up their act, court filings show. But when the result was fewer people getting stuck with its software, Direct Revenue pulled back from reforms.
In early 2005 the company was bundling its products with a file-sharing program called Morpheus, which users could download onto their computers. Morpheus required that Direct Revenue make its software easy to spot in a computer's "Add/Remove" panel, which is the registry where a user can find most legitimate software and delete it. Direct Revenue agreed at first but after a few months noticed that thousands of new users it gained via Morpheus were quickly deleting the ad software. Kaufman, a co-founder of Direct Revenue, sent an e-mail to colleagues in February, 2005, saying the company should drop the Mr. Nice Guy routine. "We need to experiment with less user-friendly uninstall methodologies," he wrote. The distribution agreement with Morpheus ended within three months.
The same ambivalence was evident in April, 2005, when Direct Revenue released a concoction known as Aurora. The program clearly labeled ads as coming from the company, a gesture designed to build credibility. But Aurora had powerful features that fought off competing spyware and security programs. The company also raised the number of pop-ups it sent users to as many as 30 a day.
Disaster ensued, as Aurora paralyzed thousands of computers. Matt Oettinger, who ran media operations at Fastclick (VCLK ), an advertising network that bought ads from Direct Revenue, found his home PC afflicted by Aurora, e-mails in court filings show. In June he ordered all Fastclick ads disentangled from Aurora. Branko Krmpotic, the managing director of Technology Investment Capital Corp. (TICC) (TICC ), which had invested $6.7 million in Direct Revenue, also caught the Aurora bug and couldn't kill it, according to e-mails. Eventually, Direct Revenue had to send its customer support director to fix Krmpotic's machine. After receiving complaints about Aurora, Insight Venture, another major investor, told the company to remove Insight's name from the Direct Revenue Web site. Fastclick declined to comment; Krmpotic didn't return calls.
Even Aurora's creators fell victim as the program froze computers at Direct Revenue. One sales staffer, Judit Major, documented receiving more than 30 pop-up ads in one day, according to e-mails. Her computer crashed four times. "We are serving WAY TOO MANY pops per hour," wrote Chief Technology Officer Daniel Doman in a June e-mail to the company's brass. "If we overdo it, we will really drive users to get us the hell [off] their machine. We need to BACK OFF or we will kill our base."
By then consumer complaints were pouring in to Attorney General Spitzer's office. He filed suit in April, after his staff had hauled away 150 boxes of the company's e-mails. Spitzer alleges that he found numerous examples of Direct Revenue spyware downloaded with misleading user agreements or no disclosure at all. In many cases, the download was performed by a distributor on behalf of Direct Revenue, but company executives repeatedly conceded in e-mail that users were in the dark about how its programs got into their computers. This, Spitzer argues, amounts to illegal deception.
A Direct Revenue spokesman, Michael Spinney, says the company is "mystified" by Spitzer's allegations. It cleansed its practices more than nine months ago, Spinney says, and now puts its name on all its pop-up ads. It also now makes its software available for deletion in a computer's Add/Remove Programs registry and has limited its use of distributors. Before these changes, Spinney asserts, Direct Revenue employed practices common in its industry. He wouldn't comment on Spitzer's individual allegations.
The anti-spyware activists and computer security firms confirm that Direct Revenue has dropped its most destructive programs, such as Aurora. But they emphasize that the company continues to cause serious headaches. Tokyo's Trend Micro Inc. (TMIC ) offers an online service that scans customers' troubled computers. In April it identified Direct Revenue's spyware as the culprit in 9,400 computer scans. That's down from 14,000 in January, but it represents a substantial level of annoyance. "Direct Revenue is still on everyone's top 10" of reviled spyware companies, says Anthony Arrott, Trend Micro's spyware research manager.
Deborah Maradei-Ugel, a loan officer in Santa Clarita, Calif., says she receives more than 20 pop-ups a day on her home computer as a result of Direct Revenue spyware. She complained to the company, but removal instructions it sent her are impossible to follow, she says. Her machine frequently stalls and requires restarting. "You hit your computer," she fumes, "but it doesn't help."
The way Direct Revenue describes its software during the download process remains vague and misleading, Edelman and other critics say. The company now bundles ad programs with Kazaa, an online service offering music and other digital content. Kazaa gives users a choice between a $30 version of its program and a free version labeled "ad supported." But few ordinary consumers would understand that ad-supported means they get separate software from Direct Revenue that will monitor them online and serve a steady stream of pop-ups, Edelman says. Kazaa declined to comment.
Direct Revenue has lost business and reduced its headcount to a couple dozen employees. The four founders still own 55% of the company, according to Spitzer's filing, and Abram is still seen around the office in his sharp suits. But he no longer serves as CEO. Sales gurus Stein and Nute have moved on to another Internet venture. Many major companies, such as Cingular and Yahoo, have severed connections with Direct Revenue. But the ads of others, including Vonage, continue to appear in Direct Revenue pop-ups. Insight and TICC remain investors.
Among Direct Revenue's alumni, pride over technical cunning mingles with regret for exasperating so many computer users. After waffling on the issue during a long interview, one former Dark Arts wizard sighs and sums up his version of the company credo with an elegiac observation by abolitionist Frederick Douglass: "Find out just what any people will quietly submit to and you have found out the exact measure of injustice and wrong which will be imposed upon them."
By Ben Elgin, with Brian Grow