Don't download the SHC Community

By Nick Farrell

04 January 2008

INSECURITY outfit CA Security is warning punters not to join shopping giant Sears' SHC community.

If you visit Sears.com and Kmart.com you get the chance to join something called My SHC Community and to download some software to aid in 'community participation'.

CA claims that the software acts as a proxy for every web transaction made on the compromised computer. In short, it is spyware that tracks all Internet usage, including banking logins and email.

All data transmitted to and from a system is intercepted. The spyware has been identified as a variation of MarketScore, which CA's products already detect as spyware.

A compromised system monitors and transmits a copy of all Internet traffic. It will monitor secure sessions, which may include shopping or banking sites. For some reason it will also record and transmit "the pace and style with which you enter information online" and snuffle the header section of personal emails.

It has the ability to combine any data intercepted with credit information.

The data was not even being sent to Sears, but to a domain called oss-content.securestudies.com with the IP address 209.247.230.166. The owner of this site is none other than comScore, which is an internet marketing research outfit.

http://www.theinquirer.net/gb/inquirer/news/2008/01/04/sears-spy-customers

••••••

Sears Update: Privacy Policy, Scorecard, and Genetic Heritage

In my blog post yesterday I reported that there was a significant change in how the privacy policy for My SHC Community reads, replacing straightforward language with vague legal language (see section: The Privacy Policy). What I have come to learn is that if you navigate to http://www.myshccommunity.com/Privacy.aspx you could actually get one of two policies. One of these policies is what I referred to as the "old" policy and the other as the "new", even though both pages share the same URL. Here is why you could get one of two policies from the same URL. If you access that URL from a machine compromised by the Sears proxy software, you will get the policy with direct language (like "monitors all Internet behavior"). If you access the policy from an uncompromised system, you will get the toned-down version (like "provide superior service"). Both policies share the same URL and the same look and feel: coloring, page layout, Kmart and Sears branding, etc. This makes it very difficult for users to get consistent, accurate information about the proxy software. People access the Net from many places, including multiple household computers, laptops, libraries, the office, etc. If someone goes to http://www.myshccommunity.com/Privacy.aspx they should receive the same information no matter what system they access it from.

Some people have asked me what criteria of the CA Anti-Spyware Scorecard the Sears proxy software violates. Here are the clearest violations:

Installs itself or any other item without clear notice to user and obtaining user permission at time of installation

Without obtaining user permission, takes the following action: Proxies, redirects or relays the user's network traffic or modifies the networking stack to send traffic through a third-party server

Transmits User Data without clear notice to the user and obtaining user permission

As I mentioned yesterday, the Sears proxy software is similar to other software CA Anti-Spyware detects under the names Netsetter, MarketScore (and lots of variants), RelevantKnowledge and InternetAccelerator. This software is all related and shows signs that it was created by the same group. All of these companies and product names appear to be the predecessors of the current-day comScore -- the registrant of the domains to which the data intercepted by the Sears proxy is sent. CA Anti-Spyware detects this new software as the Sears.com proxy. When I analyzed the binary code, it had similarities to the software mentioned above. Using the program PEEK, I could see plain ASCII strings that were also used by RelevantKnowledge and Netsetter; for example, the following strings (which appear to be registry keys) are present:

SOFTWARE\Relevant Knowledge

Software\Netsetter

Internet Accelerator

In addition, from a behavior standpoint, the Sears proxy operates similarly to the old software. The network traffic going to comScore, the binaries looking similar to other comScore binaries, and similar overall behavior leads me to believe the Sears proxy is directly related to Netsetter, MarketScore, Internet Accelerator and RelevantKnowledge.
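The string-based identification described above (printable ASCII runs in the binary matching registry-key fragments shared with RelevantKnowledge and Netsetter) can be reproduced with a small scanner. This is an added example written for this page, not CA's or comScore's code; the sample bytes are constructed, and the indicator list is limited to the three strings quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Indicator strings reported above inside the Sears proxy binary
# (registry-key fragments shared with RelevantKnowledge / Netsetter).
INDICATORS = [
    b"SOFTWARE\\Relevant Knowledge",
    b"Software\\Netsetter",
    b"Internet Accelerator",
]


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, bytes]]:
    """Return (offset, run) for every printable-ASCII run of at least
    min_len bytes, the same view a tool such as PEEK or `strings` gives."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def match_indicators(data: bytes) -> Dict[str, List[int]]:
    """Map each indicator string to the file offsets where it occurs.
    Matching is case-insensitive because the key casing differs between
    the variants ("SOFTWARE\\..." vs "Software\\...")."""
    hits: Dict[str, List[int]] = {ind.decode(): [] for ind in INDICATORS}
    for offset, run in extract_strings(data):
        lowered = run.lower()
        for ind in INDICATORS:
            pos = lowered.find(ind.lower())
            while pos != -1:
                hits[ind.decode()].append(offset + pos)
                pos = lowered.find(ind.lower(), pos + 1)
    return {name: offs for name, offs in hits.items() if offs}


# Constructed sample: a fake PE-like header, filler bytes, and two embedded
# indicator strings with different casing (not a real binary).
SAMPLE = (b"\x4d\x5a\x90\x00" + b"\x00" * 12
          + b"SOFTWARE\\Relevant Knowledge\x00"
          + b"\x7f\x01\x02" * 5
          + b"software\\netsetter\x00"
          + b"\x00" * 8)

if __name__ == "__main__":
    for name, offsets in match_indicators(SAMPLE).items():
        print(f"{name!r} found at offsets {offsets}")
```

A hit is only a family indicator, not proof on its own; the post pairs it with the network-traffic evidence before drawing a conclusion.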

Sears says all data resides on a 'confidential database' owned by myshccommunity.com (domain registered to Sears), but when I analyze network traffic, it is sent to a domain registered to comScore.

Lack of prominent notice