The retired Massachusetts State Police major had to cancel 30 pop-up text boxes, each one directing him to Web pages to buy products and services. Later, as Pomerleau tried to compose an e-mail, he had to delete 15 more pop-up boxes that kept superimposing on top of his e-mail. "They were more than annoying," he says. "They drove me crazy."
Pomerleau fell victim to advertisers who are increasingly taking advantage of a feature, Windows messenger service, built into PCs using the Microsoft Windows 2000 and XP operating systems. This includes all Windows PCs sold in the past two years.
The feature, not to be confused with instant messaging, allows network administrators to broadcast text alerts in pop-up boxes to groups of computer Users linked in a corporate network. Microsoft intended the feature to facilitate tech staff communication, but e-mail often serves that function.
Last fall, hackers discovered that Windows messenger service will also accept pop-up boxes broadcast across the Internet. With a little help, advertisers can insert product pitches into such boxes and broadcast them to any web-connected PC.
Unlike spreading e-mail spam, broadcasting pop-up boxes does not require a list of e-mail addresses. Unlike the more familiar browser-based pop-ups, which feature graphics and generally launch when a User clicks on a web page, pop-up boxes can appear any time and do not require cooperation from a web-site owner. They can intrude on word processing, e-mail or any program. Other than taking steps to inoculate their PCs, consumers have little reprieve from pop-up boxes or browser pop-ups.
U.S. District Court Judge Gerald Bruce Lee ruled Sept. 8 that trademark and copyright laws do not prevent advertisers from launching pop-up ads on top of web pages operated by others. Lee may have given a green light for more aggressive online advertising tactics, experts say. What's more, there has been a proliferation of viruses, spam, pop-up ads and Trojan programs that surreptitiously usurp processing power.
"It has gotten to the point where the home PC user has to battle for control of his PC," says Jeremiah Grossman, president of WhiteHat Security.
Not a 'security' risk
While most companies disable Windows messenger service, or use a firewall that blocks indiscriminate Web broadcasts, many home Users aren't aware they can and should take similar steps. Older PCs using Windows 95, 98, or Me aren't affected.
Microsoft says it has no plans to get rid of Windows messenger service. But it is considering enabling a rudimentary firewall by default on all new PCs, something it does not now do. Providing a firewall would block pop-up boxes and prevent the spread of certain kinds of viruses, including the Blaster worm that has infected nearly 1 million PCs.
Microsoft views pop-up boxes as a benign nuisance that does "not pose a security risk," says Greg Sullivan, product manager for Windows. Advertisers are unable to "execute code or do anything malicious," Sullivan says. "It does nothing to compromise your system other than cause an interruption."
From a trickle to a deluge
At first, it did not appear that pop-up boxes would add significantly to the consumer distraction of pop-up ads and spam. Last year, advertisers began broadcasting one or two text messages daily across small sections of the Internet. But since midsummer, that trickle has swelled.
Though a definitive count is elusive, two security firms have been tracking dozens of fresh pop-up boxes broadcast daily to millions of web addresses, each representing a PC connected to the Internet. "Over the last four weeks, Windows messenger pop-ups have gone completely over the top," says Jon Lal, president of browser security firm Winferno Software.
The spike in broadcasting parallels the emergence of a cottage industry that makes it easy to experiment with this new form of advertising. Pop-up box ads are readily available to even non-techie merchants. They can purchase a template to assemble a Windows-messenger text box, then have it broadcast to 100,000 web-connected PCs for as little as $120, says Lawrence Baldwin, founder of tech security consultancy MyNetWatchman.com. "It is a cheap, easy way to get your message in front of a lot of eyeballs," he says.
One software vendor tracked by Baldwin recently offered to broadcast a ready-made Windows messenger box to 10 million PCs for $1,499. While the vast majority of PC Users hit by such ads are sure to be annoyed, the tiny minority who make a purchase can add up to a lucrative enterprise, Baldwin says.
A pop-up to block pop-ups
Ironically, many of the pop-up boxes point to web sites offering to block unwanted pop-up boxes, usually for a fee of $25 to $40. Others direct consumers to sites hawking weight loss or sexual enhancement products. A PC User can disable reception or block broadcast of pop-up boxes in a few steps (box, above).
Pop-up box broadcasters will typically suggest broadcasting to web addresses known to be used by Internet service providers, such as Comcast, AOL Time Warner, MSN and EarthLink, that cater to home users who tend to have unprotected PCs, Baldwin says. Getting more consumers to secure their PCs would help. But until software is more secure, web surfing is likely to remain risky, tech experts say.