Do you read the EULAs?
Have you ever received a Web-based greeting card from a friend or relative? They're common these days, and they seem to be taken for granted, in that people trust the intent of someone who might send them a greeting card. People like to be greeted with kindness, so they're inclined to look at and read the greeting card. It's one of the feel-good things that many people simply can't resist.
Have you ever wondered why a company would spend its Internet resources delivering free greeting cards on behalf of people with whom it conducts no business otherwise? How does such an entity profit from those endeavors? What might its motives be?
Last week, a user posted an interesting message to our HowTo for Security mailing list regarding one company that delivers Web-based greeting cards. That company, Permissioned Media, runs a Web site called FriendGreetings.com, which lets one person send another person an electronic greeting card. The friendly facilitation seems simple and harmless, but it has a rather insidious side.
When you receive a greeting from FriendGreetings.com, the message says that someone sent you the greeting and that to read it, you must click a URL that takes you to the Web site hosting the greeting. When you click the URL, you're prompted to install an ActiveX control before you view the greeting. As the greeting-card recipient, you would probably assume that you must install the ActiveX control to view the greeting; however, that's not the case. Instead, FriendGreetings.com has designed the ActiveX control, complete with an End User License Agreement (EULA), to interact with your mail client software and harvest information about your email contacts. After the ActiveX control obtains your private contact list information, it sends a similar greeting card to everyone in your contact list, probably unbeknownst to you!
If you took time to read the EULA from FriendGreetings.com, you'd discover that the EULA clearly states Permissioned Media's intention to do just that. A section of the EULA reads, "As part of the installation process, Permissioned Media will access your Microsoft Outlook contacts list and send an e-mail to persons on your contacts list inviting them to download FriendGreetings or related products." By accepting the EULA and installing the ActiveX control, you give the company permission to perform that activity.
In essence, the greeting cards that FriendGreetings.com delivers resemble many worms that travel the Internet: They're parasitic, intrusive, devious, elusive, and most of all, probably unwanted. Even some antivirus vendors issued warnings about the greeting card last week. However, we can't completely blame FriendGreetings.com for its use because, although the company counts on most users' acceptance of the unread EULA, the EULA does spell out some of its intention. By agreeing to the EULA, users agree to the ActiveX control activity. Nevertheless, the lesson here should be obvious: When you encounter a EULA, don't take anything for granted. Read it word for word to understand exactly what you're accepting and think through what the consequences of acceptance might be.
Permissioned Media bills itself as a "behavioral marketing network" with more than 100 clients that advertise online. The company also operates Cool-Downloads.com. Read Permissioned Media's EULA and note that it grants the company "the right to add additional features or functions to the version of PerMedia you install, or to add new applications to PerMedia, at any time." Yikes!
If you've received a greeting card from FriendGreetings.com and installed the associated ActiveX control, you might want to remove its software from your system. To find out how, be sure to read the related news article, "Protect Your Contact List: Read the EULA!" in this newsletter.
And if you're a security administrator for your network, consider blocking FriendGreetings.com to help ensure that none of your network users inadvertently compromise private contact information by accepting a greeting card from that Web site.