FTC warning about MSN messenger
FTC Recommends Users Disable Windows Messenger Service
November 6, 2003 (3:51 p.m. EST)
By Gregg Keizer, TechWeb News
The Federal Trade Commission Thursday took a first step in slamming a new kind of spam delivered not via e-mail, but through the backdoor of Windows Messenger Service, a technology built into Windows used by some enterprises, but totally wasted on consumers and small businesses.
The FTC announced that it had requested and received an injunction against D Squared Solutions, a San Diego, Calif.-based company that markets software that stops text-based spam from using Windows Messenger Service (WMS) to deliver pop-ups to Windows users' screens.
Windows Messenger Service, not to be confused with the Windows Messenger, Microsoft's instant messaging client, is a network service typically used to put up pop-ups on client systems' screens to alert users of such events as an impending network shut-down, or the unavailability of a print or file server.
Some spammers, D Squared among them, have been using Windows Messenger Service to circumvent e-mail anti-spam defenses. Unlike browser-based pop-up advertisements, these messages can be splashed across users' screens even when a browser isn't active. All that's necessary is that the computer be connected to the Internet.
The FTC took action, said Howard Beales, the director of the FTC's Bureau of Consumer Protection, because D Squared was essentially engaged in extortion. According to the injunction, D Squared was repeatedly sending messages to users via Windows Messenger Service -- as often as every 10 minutes -- trying to steer them to a Web site where they could purchase software to stop the barrage.
“This is nothing more than a high-tech version of a classic scam,” said Beales. “The defendants created the problem, then tried to charge users for the solution. I call that extortion. It's just like 'if you pay me to stop beating you, I'll stop beating you,'” he added.
Not only does this kind of spam waste computer users' time -- clicking repeatedly on such messages as they continue to pop up -- but in some cases, said Beales, the Windows Messenger Service-delivered junk caused computers to crash or froze applications, resulting in lost work.
One of the consumers who had filed a complaint with the FTC against D Squared bemoaned the new spam tactic. “Sending these messages is infringing on my rights to use my computer,” said Karen McKechnie of Annandale, Va. “The only solution seemed to be to pay the $30 for the software that turns off their own messages.”
The FTC is seeking unspecified damages against D Squared.
Beales urged most Windows users to turn off Windows Messenger Service, saying that the move would not only prevent such spam, but would also solve recently-disclosed vulnerabilities in the service.
On October 15, Microsoft released a 'critical' patch for WMS, which could be used by attackers to cause a buffer overflow to crash machines. And some analysts who have been tracking exploits that target the vulnerability have said that the potential for damage and disruption could rival MSBlast if hackers put their minds to it.
Microsoft has already announced that it would disable the service by default in the next Service Pack for Windows XP, which is scheduled to release in mid-2004, said Sean Sundwall, a spokesman for Microsoft. He declined to comment on any chance that Microsoft might push up the release of Service Pack 2 to accommodate users who want WMS disabled.
Part of the danger of Windows Messenger Service, said Ken Dunham, an analyst with iDefense, a Reston, Va.-based security intelligence firm, is that spammers and attackers are increasingly using the same vectors, often with hackers following the lead of spammers.
“In large corporate environments, the threat from Windows Messenger Service has gone up significantly, because of vulnerabilities from both spam and attackers,” Dunham said. “Companies should be asking themselves, 'Do we really need Windows Messenger Service?'”
He recommended that enterprises not relying on WMS get rid of the service altogether, the same advice that Beales of the FTC offered up to consumers.