Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Quechup Viral Marketing Irks Members



 By: Lisa Vaas
2007-09-05
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: Social networking site Quechup's viral marketing looks to many members like spam.

Online networking site Quechup.com is infuriating would-be members by e-mailing their contacts without permission, turning the unwary into unintentional spammers.

"I inadvertently invited everyone in my Gmail contact [list] to join a lousy social network called Quechup," reads one apologetic message from a typically chagrined ex-Quechup member. "Please ignore that and please accept my apologies."

The problem is in Quechups "check for friends" form, which prompts users to see whether any of their friends are already using the site. After the user enters a password, however, the service then sends a message to all the contacts in the users Web-based e-mail accounts—such as Gmail, Hotmail or Yahoo—without first asking permission.

Other social networking sites such as Twitter and Facebook feature the ability to import contacts from online services, but Quechups decision to use those imported contacts for self-promotion has people steaming, particularly since the promotional e-mail looks as if it were sent by the Quechup user.

"Instead of saying, Hey, these folks are part of our network, do you want to invite them? they just went and mass-mailed all my contacts—over 400 people, some of whom havent heard from me in eons," said one ex-Quechup user whos an editor at eWEEK, headquartered in New York.

"Ive been online now for about 15 years, and still, Ive been had like a newbie," said another blogger. "I am frustrated, furious, whatever, but I can only expect anger, ridicule and a total loss of respect from colleagues, correspondents and friends."

Resource Library:
It makes people feel duped, but are Quechups actions illegal?

No, according to Chief Security Analyst Mark Sunner, for MessageLabs, based in Gloucester, England. Quechup may not be asking for permission to e-mail your contacts loudly, but it is in fact stating what it intends to do, he said.

"In terms of what theyre doing, its incredibly antisocial, and we take a dim view of this sort of activity. But unfortunately theyre covering themselves … buried in the small print," he told eWEEK. "When people subscribe, theyre giving permission, probably without realizing it, for these messages to be sent."

Quechups spoofing of e-mail origins, however, might just well cross that fine blue line, at least in the European Union. MessageLabs Senior Analyst Paul Wood noted that the practice is addressed in article 13 of a European Commission directive on privacy and electronic communication.

Not that it matters for any practical purpose, given that the directive verges on unenforceable. "The use of false sender information in the SMTP headers is prohibited, but impossible to enforce in practice for ISPs, for example," Wood said. The SMTP protocol, in fact, doesnt enforce any controls over the insertion of anything in the "from" field of an e-mail. Besides, Wood said, the directive also ignores the issue of opt-in vs. opt-out, leaving it up to each country to determine.

Quechup isnt alone in disguising the origin of its marketing mail, at any rate. Flixster, a service that allows users to share movie ratings with friends, also commandeers address books and sends out invitations to join that purportedly come from a given member. Flixster is even trickier with its viral marketing, at one point presenting users with a message saying that after they sign in to their e-mail accounts, theyll be given the ability to select which contacts to invite.

"Even though they make you feel as if you have complete control over the process by telling you On the next page you will be able to select whom to invite, they already have your contacts by that point," according to an article by the Institute for Spam and Internet Public Policy, a company that markets an e-mail senders accreditation service, based in Sunnyvale, Calif.

Regardless of whether the actions of companies like Quechup and Flixster are legal, the fracas is a stark reminder of security laxness. First, it shows that many are not reading user agreements before signing up for services that require personal information. Second, people are freely giving away personal information that can be used for phishing or identity fraud.

"It started with greeting-card scams," Sunner said. "Its not localized to this [Quechup episode]. Its a whole issue with user license agreements and what people can be potentially, unwittingly signing up for. Very rarely do people read that stuff nowadays. Its kind of a loophole organizations like this are exploiting. People … just click and accept, and they dont really take stock of whats going on."

Click here to read about A-Space, a social network for spies.

The issues created by social networking have extended beyond questions of lost productivity in the corporate world: Perhaps a bigger problem now is the amount of information people give away at the sites and willingly keep up to date.

"Its potentially a goldmine for the bad guys," Sunner said. "It allows attacks to be much more targeted."

Indeed, its easy to grab personal information from Facebook and combine it with professional information from LinkedIn, for example, for "spear-phishing" attacks: i.e., targeted phishing attempts that reference people by full name and sometimes drop other bits of relevant information, such as addresses, titles or even colleagues names.

"It begs the question, Where are they getting all this?" Sunner said.

"Companies should be aware of keying in data about people into these sites [like Facebook]," Sunner said. "Including sites like LinkedIn. Combine the two, and you can build up a pretty accurate profile of what a persons personal data is, and their employment history. [You can use that to] hijack an identity or make a very targeted attack. We have made interceptions of targeted attacks which seem to be using data in this way, including full name and job title."

Editors Note: This story was updated to include Paul Woods input on the legality of spoofing in Europe.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Quechup Viral Marketing Irks Members
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r8s;iW1ŋKm)XTFh)ئHI٥8/''7oВ/劲%L!H@ggOD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3U;Y|b(CѺYQy_IږyH6EGJ;ߣ*C7 ݩx8/DeO؀HYɼM"h4"j>wn3 w23X]~D4ڮq 8]b'*#O^3jc㥨H aP`\ 9t} ^- G&lw"QcO$ӡq̢JK^tf>D>8z v v}jJ73ҧ }KH;R@}ky>5I i1E 94cT$iy8DrH n>, шj%5O?I܃N8CYnհ}= :ԍ۱|$ .j.9b&ԃ P2zhN4,2QȲnMwͰ-P6CMTjR?t~-trf_-TeW4鯷F}K\(U0> n0up;\Jz𺮕}u=;yؼ} _`d}#1*% ZJ4_::&N{] xZ^ Kj%ɥ~hY̞o fV҈ 'UUX:dji_Wם^gGם)wb٘XB ji@U$\]FHwAբsyҽ59i{H ݙOtHM Wh:s0+No7#?&w"rVJze_R "1t=jIo]}<:$7cY>韐/ !}_w nr@ i/],KŗG)LY4C! ,mdʱ(|ǺrNd9AcE'}6kiBuV!`JC̺kR$9(ȟk4R\ 9jbsvfM)o fzCUCZ9nVĨ9USAEI7CD r23yB(&PHQ>Ly%Ku}7p@W-}rlNVڒ1Wb{gH .Cuv}BzW^?]{68^%glh|X.B2iK1QW5MGVOL_@r /*r[h 2ud8İ1nґ>âx_AAӧEz|JMk6m uI=XC#ʠ:ڴ{\gV4!>&-a^i1[W <ۋJ!PIxZSx&z$t@ h&rkI7.[A0? ; O`r]ɝ5E0ݻCi`y1yj =*~3`=w}   lWk 6G~[>l03գ q0y zODȧ$D!"-i]NP@Ar< -,rr4|?#!bRN[ T6ݞH:w@TVh&RأXB ^X/E_R2әJ2j2klƪń(VFNL1|0Vn)1}Ⱥ3'Q(JЧVȅB@s@MqN!W3pPS@ bN4(Nu=(U+AY@*# k Bo`"12l3u/.ztwݱM% i4Q.)J5E` L] T<ty[= F:6. 1H#60/`k .^@>%%@#P0"AcK鬡cKU1SOm{hCy-X\(Tt a"!1}ڣ>nssQ*/s7+ f)T;fz^*k 6UUR;,Z {}|8=ehLQ8pG#}y _PM85hN?+zCG>snA.}O>zN¢ ',h'^ː]-'LiG ã2R1P^Cs2]((:H3 |jVQ=/YQfca "g+0fjנj@[}l)tdx8)ѡ,Hr]TՑnR UtT#  X]QiRZ=-bhsֽm?O᧜Z1Ӂ P}̹5u4X\Y(``!> ~5F8b&aj4X[ ↪%}g{/R68F2<"C8\vl:ZFB -Қ8k*S,!$*saS(j L:H$ 3YˡYF 3_5^u, ς24A̘5YVRFW}X`"-Yı Ebbbק8o,yJu8e3 S`e3*~~hKJ]ad|?T\S=@V:}ݤ1p Nu4 H҇>rcO NnZ UrTS+JJЛ'aC.'%/&ha~֒%3qR-ܟ`"@N|KZ]TKR2wi$y(%!%K' OPlXC=B3t)7 u5-i/.: st'_u{~{y@Dмy֏ uKKx4Թ~<:m~61|ˁNIM $(XqCOճ2urҹ|/]whg~py# @@W~Bh]\/~wϻ(!9\txx\C;R%9!pUv::f3ڌ6NJ,#zqaxsif@ tOלX0pz!vӱBZOUc)|F ڠjk:]xy~nUkq % Iku:=>   cJ=!Vo8[#Y9LB `E/ԩ #ADrIGzZFijqʼnπ/`Ec1:(:{/([ⷚoWȘI;GD_q-5'=?U[k't>!94|YQ$K 21xc|.A-6ԾJ9 4SJd"8Q%;)~ڰ{, /D=:dSNM(ia-uyjdJ9#S"\ 6L P,OҴy=#lQ1 i(K"ih$lbTȆRoNwպ6<5ަm晿LƗHȣ ,-I+4$/CiA0;ǭHR#EhqeP>Xki)i[YUH+?vƇ!qbwyAH0GW倜b{~T߯Il;up=q"?h9#7:NjG/sy"O+:Q ,':]@_zϜGoQM21ɘKԍ A/sBk4GלO)|si9<3m~`'6"%(\s")Xf>TAkv,x\J|[<,'Mw[1CN'~.?@ 6W{O$ N FP ߼=Foq>P]9Yz$AC~g}\0n;z{w6bOf07)۝l9niamơ8 J~l'Mt:DjE[c{wC9Ȫ̙S.{R؉~'g#3^q:-: &n_%3ތ<Ki^dΠt4s {!F.`0.s!T xBo~˸aW*]c{*{w}wo]VZtCqB1Vx/)&%ϓEL @OKtGY_BQKwv{Y!0N ئ7=12~OO=rmGX ?*4lo A[)=)$Ιx < v4.߮ ?#B;FJX۴rUCa?uk ,Giƿc#ޚU^?2%;hߔŷc͘37cp/?+ w^?XR| .i{\nEaQ(^ h }"s(u‰KtvZ:F,ފyti2j~ `.F_n8ٿz9+ֻ}Gxfo9)[?R]4,o6;]$tmP0[KzOqџ`&)vJ%iclcMzfxBs3QjsBg 3ABwD ha>KX+Ai=ISX4qD_Nl<zu;d(΁,$3FZR @D &Nr=(}dIiỳ'JAA0i!K렳T/&f{.'yMh4qwox׆.HX8㘮=zg[qŴU?ۧiMldT D_p3(r|]15Y%; O7ؔ.ɼnvqU$= fa:Iy7T/$Yr=IƐބo_: KYYvyVLZ즖%Zwk42lzr 1אa4u".z8ɰXL0֔xJjr~vuOx9>O7 -/GBٳR!7`@M_}uQ/Pj[(C @[N,m5#AŤR0!Q^ Kf Y,<̛tڠM<ҩK[\$J) O%Se3)g( `V 0$C`I.,djDnҔ\nz8б ^9awUDn 0cMR%6}z/ȴ"2^CBq@>M*?CQ:!ҩnСJoSJ̀U`%O@TLg A q[$EV+:yZ|DmpFa!nJP=e+YDIReR0Qs1;BgZC9\푨=$n`{$j9Rޫ/ό۞9Q~.y3Fcu@m^qoҷtc = H8@"IUP3&BcQ|[))UM8[e#YπA\tS4JLyIG Rٯ+9% PL#r3epA}RYQhh>歗z":FNϱ{(0ή-DܐeJ7V8SoNuZپ8vL0aI h {&Dhy,*|imS={ҕSԷ:Bg7TRXP$vw Ba땨b nn^S_G>,Qkg\l`\߉p{{п{п{п{пZe׋>ՃȫwGuS} 4EUc=4&`$ j7B*ijY-/kwP ZG8L 0pU@jt{46bDl֯lH*p$>r8}!`zkjyE\9@5|EhL0N"$O'[{X7DT GOMioHjpn:Vb\2N0ZzC,_ .&D`[8!4!Hb`b^uHIh!A= C'!͕_RO\X KJGjOu 1} Q~qX^wTb2iKĠS]~ݢiH[ P6$gsver:BjεLS0En\,J=C,0t>10 `\00q#a`Sѱ@PcJ[lF:x PQ}ܘ܉/$~8'Na47!}<ow~^0a WI^$#"KN ֊ 9{=2J|ܩ? l?QX2!7K fןУQc̦"f$xr"*]sN)jʾs~X:lG(zdI+2/ c|RO&rǪTe:-0S5w_l\UBI |ZkiOk6j=!`5<إ{n&'0k]қ≡ĚU؅֝UؓRc“[-*);,˿\+ђ3# dZSe԰p-| Y?*ªFifzVCTj~Ew(/9V}yj]SjZYS#0+ؒѐ 9p kۘ< ՗>-,Qku,ζy9+\W3#o='-%,֠KT1e9_>PP)%(7_跔G>1ߒ|t[o?V-F]ώ5Ng}&/12R ^` ᷍ kdt̉:u_`i*pM[d{=y-h<#Թ|A #G^o.9gF.F{!׸UH%,X L66mEUk)7g%;څ]`a~K 63K@$= A3?b)o:,}+sYu?x#jϊ5GUQ2=0]LndY_ŌVS\>dFkYF$ O׈1hغ1MQ/@@L-A H ,w#\CP |˜+S7Wq+TՕݷh}extJ"08̌۶6Ō' ߄QT1EGB :ᛒWZ-E<G_ 6f^FgZQ)G)}o M-3S+s؏p;3'F΀E௅nX{+$ʽOg->-bWldb$@ށ_پi? =:};ozxX2d 嵅DG%XȟNp>'죇LIQ"NρOe] (]A.; #x7tX$l9e1q7!̆\nX\x:L$!iʒ]ȿ͇˞0Qݹ!?1! g@L-aLiAX#hBGH[1~s?3uǸ')45A! ^C. <6)mDRRiz LD:5,ǰgL#|- R0ي At{Ss9zKF* iFwȧX,oو/S)$"dY@y#DD݂z![C1P/Rfjs# a/xea 3 s``EPf00a|Lo?ѧaظ/^N\@ S+,f)u n9 :jeOLg>򽉡{:Y)s)aR;:$Qƫ@<P 4'/7,Xzob @p),f,՚RD&u]u]j%@] YU^&"_Ӕ\ BI] / (HZ W{}GCHIPʵ?ѝe?5iv>;WNϻ7x Zѷhlԭs=|ܽ|ڹl_]w.橅gR1 Kyl25^ Q9l]28SM1B*r<MK|?Sf}Y QJ/ib ^/1o\{=-[I YG>;by5sλnzVh9n0FQc r!>}ҽlIJ/΁s?@/P%ʯחR[9](#חN9P~s9?/?g坓BsS3˜r'z^Ng(m׼ș E/E|E~/?9_">/>/ry2gSN S~909{ s?09ׅws͑?]/rqCWU@?9Ӄr߃r_P>'(W3OO9rߛorڿɡ=>k]T(RhK "S^9,.Osr𞫫qLwe<-cENz).~QxdB$8VɴV !x% FUs"\5̽q>eybAV̥-c@#]qN8GUtsn \vW8v3}kdax&@_]?73wH.pqk;O΋kwՕq@AfПb 5y?&OtVfw 4;) v[Йq峏ޢDFE5|0-0_eZ7㌰6N3{ CחU}=tfF}yP4lKeB'hZ`(fZgGqbB]S[tO_ NW镆.` ď;c{ö0A l(U˚VVk[*jڅ{DDS*R'Ӏe`_)&K<3 .=M^ed fMȡ!pCfJC DK(x>[xqc6*Yۼx0l|yN Nx@7 ,5w;SŨЫِ@^o΂3,7;tp) ߄`-kD2Ydpc lZ$5tgi[Lr,!eށxm 4@;4XZSYF Tz\^:&3!Mť{6oTx| "e*sMbfY-Nؒ1&QSRۨWy)h HN,6zo#+fUx=/C4t/L$0y.6]Ťe @ N_8#şI Vݎ.]w98Re o|L)1)'7࣍A{8b V$G3x7X05:%xl 11̵&,/nCrǶ;\So&cO*{q AnzvwʹXeQg ,x`}O]̘]&]PO"%x^39N*Maџ ,ψx&&l }_ |n9,yC͞<3)D<&dOW>[l,);Qd!I';-C%XE.g7oϔf'>x*$]vu$$}9= zHቻVߜRs7QH W_CShp["_ v:쭨F|m+\1SzA۹ooފY?(xcM,?hМ[BR(K)#RfY{6DOj giyU (p6d+m<'6}Fu;H"@"xrtPŗ-;waS)fSЌxozEy? MPt[:SAWCr 3қ! ^c *|? OGe Mt8͡okn>7q$LsizQڃ`+슧}0uGĦrCR2mLepwRc%xdvI) 3 * G8FU$];66s/^ۺ+AўYn0o6`/7mv/-nXi[RpCV)tO˟AVx3A7ӯk,^rXջ"PshՆG0ޏq۷P|@ xS b Gm;qSr2MQm`--N \71Ȟg|Ntu ۲|ږa=rksbCΜ6 U =[=܋;}#\91F`=s묞ƫ li12, $$jVI;;Q0&iE-ȓl`Cv_)~ph[?҈YA wVǰYF!Ƨ?'TS*4.>ϝn̯\2xDx^]oL_ xW%L+DzU\Z ^chX$_֬"K0ON= !`5>g~C{%9w:~0>~09&rX)>ٔ6sȽoz^ɴj}XXC *f"ODNű<<*IDy)V f@sOg |>":xqeQW@T,7Kc~/ByڽKRI>Q}v,:~v|iG a ѸT\Ɠߴ;+, mݸGﯻ/O4hI:vJ]NN:񲞝T7 r̳r7*Ѡ,jU z' l5mEgl(3W'J^R۝wz"f/F)SذM*i29J{) qU˕bmTʩIrlǝlr n!%c]&ŮMvbes5\-