Written by Jart ArminUnwanted pop-up windows on behalf of third-party companies. Banners and hyperlinks begging to be clicked for confirmation. Interstitial pages that only disappear after ticking a box, or email addresses used as confirmation of enrollment in some travel club apparently required when buying an online airline ticket.
Sound familiar? Are these practices of cybercriminals? Well, not exactly, as these are the practices that some well-known and respected household-name companies have been legitimately using over recent years in a lucrative multibillion-dollar business.
Last week, the U.S. Senate Committee on Commerce, Science, and Transportation released a damning investigative report on "Aggressive Sales Tactics on the Internet and Their Impact on American Consumers."
This stunning report details the "clever ways" certain major corporations have been "manipulating consumers' buying habits so they can make a quick buck," according to committee chairman John D. (Jay) Rockefeller IV.
According to a press release on the report from the Democratic deputy communications director, the tactics of three companies in particular -- Affinion, Vertrue, and Webloyalty -- were shown to "exploit consumers' expectations about online shopping to trick them into joining their membership clubs."
Some companies use methods similar to those employed by online scammers and cybercriminals, such as utilizing adware and injected pages to entice customers into clicking on confirmation buttons. The companies may use the confirmation button from adverts promising "cash back rewards" as a go-ahead to pass along personal data obtained from customers, i.e., email address and payment card details, to third-party membership clubs. In turn, those clubs promptly set up automatic monthly fee withdrawals directly from the newly "enrolled" members.
In the majority of cases examined by the committee, the first time a "member" became aware of their club status was upon discovering a mystery charge on their card statement. This was without any recollection of joining a scheme and mostly without recognizing the name of the company withdrawing the money from their account.
The sums of money earned in revenue from these tactics are mind-blowing; a staggering 35 million online memberships have been instigated since 1999, with 4 million alone since June 2009; over 450 e-commerce Websites and retailers have partnered with these companies, raising their revenue to over $1.4 billion; 88 companies have earned over $1 million with one company.
A group of well-known corporations use Affinion, Vertrue, and Webloyalty -- e.g., Continental Airlines, US Air, VistaPrint, Orbitz, Priceline, and Pizza Hut, to name just a few.
Also last week, on the other side of the pond it was disclosed that U.K. service provider T-Mobile sold personal customer data for extra revenue without the permission of those involved.
The question surrounding personal data -- who should have access to it, and how it should be stored -- is an ongoing issue and not an easy one to solve. But revelations such as these are more than likely to be just the tip of the iceberg.
The Senate committee's report is welcome because it demonstrates that even though we rightly focus on cybercriminal activity as a priority, the online sales tactics and sales of personal data by well-known corporations and "ad networks" need to be scrutinized. If nothing else, the report may be the starting gun for a few class-action suits.
What we should find encouraging is that even though it has taken 10 years for the membership scam and illicit use of personal data to be even considered by the lawmakers, these issues are now being taken seriously -- at least in the U.S.
We have a hard enough job keeping cybercriminals at bay, without the added worry of not being able to trust Fortune 500 companies that we know and must interact with in our daily lives.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
No comments:
Post a Comment