[Az-Geocaching] [OT] Security Implications with Web Based Greeting Cards

[Brian Cluff]

Greeting cards have always been about harvesting e-mail addresses.  Hardly 
anyone ever gives you something for nothing, and there are definatly not that 
many people trying to give out free greeting cards.  The company in the 
article is just doing the step in their scummy e-mail harvesting technique.

I know that I used to get about a spam a month till my grandmother started 
sending me tons and tons of web greeting cards.  Now I get dozens a day.  I 
long ago asked her never to send another greeting card to me and explained 
why, but once your address is on a mailing list... its ALWAYS on someone's 
mailing list.  I have e-mail boxes that havent even been valid for 4 or 5 
years (They send the sender a unknown user error message) and they still 
recieve spam on a regular basis.

Oh well,   I can only make sure that I ONLY give my address(es) to businesses 
that I know are good, and fake temporary addresses to people that I suspect I 
don't want to know my real address.

Brian Cluff
Team Snaptek

On Monday 18 November 2002 10:16 pm, Team Tierra Buena wrote:
> Off-topic, yes, but I think it's important to get the word out on this.
>
> Have you ever clicked on an End-User License Agreement without bothering
> to read it? Me, too, but after reading this article I'll never let one
> slip by again.
>
> Steve
> Team Tierra Buena
>
> 10/30/2002 Subject: Security Implications with Web Based
> 03:32 PM Greeting Cards
>
>
> Have you been receiving and sending a lot of Web based Greeting Cards?
> If
> you do, as a co-worker told me today that he sends them to a lot of
> people,
> you may want to read this article.
>
> * SNEAK ATTACK THROUGH A LICENSE AGREEMENT
>
> Have you ever received a Web-based greeting card from a friend or
> relative? They're common these days, and they seem to be taken for
> granted, in that people trust the intent of someone who might send
> them a greeting card. People like to be greeted with kindness, so
> they're inclined to look at and read the greeting card. It's one of
> the feel-good things that many people simply can't resist.
>
> Have you ever wondered why a company would spend its Internet
> resources delivering free greeting cards on behalf of people with whom
> it conducts no business otherwise? How does such an entity profit from
> those endeavors? What might its motives be?
>
> Last week, a user posted an interesting message to our HowTo for
> Security mailing list regarding one company that delivers Web-based
> greeting cards. That company, Permissioned Media, runs a Web site
> called FriendGreetings.com, which lets one person send another person
> an electronic greeting card. The friendly facilitation seems simple
> and harmless, but it has a rather insidious side.
>
> When you receive a greeting from FriendGreetings.com, the message says
> that someone sent you the greeting and that to read it, you must click
> a URL that takes you to the Web site hosting the greeting. When you
> click the URL, you're prompted to install an ActiveX control before
> you view the greeting. As the greeting-card recipient, you would
> probably assume that you must install the ActiveX control to view the
> greeting; however, that's not the case. Instead, FriendGreetings.com
> has designed the ActiveX control, complete with an End User License
> Agreement (EULA), to interact with your mail client software and
> harvest information about your email contacts. After the ActiveX
> control obtains your private contact list information, it sends a
> similar greeting card to everyone in your contact list, probably
> unbeknownst to you!
>
> If you took time to read the EULA from FriendGreetings.com, you'd
> discover that the EULA clearly states Permissioned Media's intention
> to do just that. A section of the EULA reads, "As part of the
> installation process, Permissioned Media will access your Microsoft
> Outlook contacts list and send an e-mail to persons on your contacts
> list inviting them to download FriendGreetings or related products."
> By accepting the EULA and installing the ActiveX control, you give the
> company permission to perform that activity.
>
> In essence, the greeting cards that FriendGreetings.com delivers
> resemble many worms that travel the Internet: They're parasitic,
> intrusive, devious, elusive, and most of all, probably unwanted. Even
> some antivirus vendors issued warnings about the greeting card last
> week. However, we can't completely blame FriendGreetings.com for its
> use because, although the company counts on most users' acceptance of
> the unread EULA, the EULA does spell out some of its intention. By
> agreeing to the EULA, users agree to the ActiveX control activity.
> Nevertheless, the lesson here should be obvious: When you encounter a
> EULA, don't take anything for granted. Read it word for word to
> understand exactly what you're accepting and think through what the
> consequences of acceptance might be.
>
> Permissioned Media bills itself as a "behavioral marketing network"
> with more than 100 clients that advertise online. The company also
> operates Cool-Downloads.com. You can read Permissioned Media's EULA at
> the URL below. Take note that it grants the company "the right to add
> additional features or functions to the version of PerMedia you
> install, or to add new applications to PerMedia, at any time." Yikes!
> http://permissionedmedia.com/license.htm
>
> If you've received a greeting card from FriendGreetings.com and
> installed the associated ActiveX control, you might want to remove its
> software from your system. To find out how, be sure to read the
> related news article, "Protect Your Contact List: Read the EULA!" in
> this newsletter.
> http://www.secadministrator.com/articles/index.cfm?articleid=27122
>
>
> Source: Windows & .NET Magazine Security UPDATE--brought to you by
> Security
> Administrator, a print newsletter bringing you practical, how-to
> articles about securing your Windows .NET Server, Windows 2000, and
> Windows NT systems. (Contributed by Mark Joseph Edwards, News Editor)