Blue-chip companies are sponsoring more than TV shows and golf tournaments to promote their products: They are inadvertently underwriting computer spyware too.
Larry Ingram found that out last month after spyware infested computers owned by Minnesota's Hennepin County. The uninvited software spewed ads for such companies as car maker Mercedes-Benz and online travel agency Travelocity.com.
Ingram, who oversees security for the county's 11,000 computers, said those companies might have relied -- perhaps unknowingly -- on unscrupulous advertising middlemen.
But the software that invaded Hennepin County penetrated more than 500 other workplaces. Those spyware ads hint at how much of the cyber-world's latest plague is financed in part by well-known companies.
Cash from blue-chip companies "drives much of the spyware polluting the Internet today," said Joe Stewart, a Lurhq Corp. security researcher who traced the attack back to the underlying ads.
Spyware -- a term encompassing both ad-supported programs that users don't want and more-virulent software that steals financial information -- is the leading complaint of computer owners. It often sneaks into computers when users download a piece of more desirable software, such as a screensaver or file-trading program. Once there, the software typically shows pop-up ads until a user can figure out how to uninstall it -- rarely an easy task.
A number of federal bills aim to restrict the worst practices of the scourge, which is increasingly cited as the greatest threat to the growth of electronic commerce. Yet deliberately or not, money for spyware comes from the coffers of Fortune 500 companies.
"We're funding the business models because we don't know any better," said Clinton Schmidt, the director of online marketing at 1-800 Contacts Inc., a publicly traded Sandy, Utah-based company that bills itself as the world's largest contact-lens store.
Mercedes-Benz USA and Travelocity said their pitches were placed in violation of company policies.
"We would not authorize anything installed in such a manner," said Mercedes Internet marketing manager Lisa Cooper. She said the company had been testing a new ad network and hoped that the spyware appearance wouldn't be repeated.
Travelocity spokesman Joel Frey said his company didn't know about the incident until contacted by The Times.
"We can assure you that it is against our policies for ads to appear in unwanted software," Frey said. "We're working fast and hard to get to the root cause."
That might be difficult. Unintended placement isn't unusual on the decentralized Internet, advertising specialists said, because the merchants are often several steps removed from their own advertisements.
Here's how it works:
Instead of buying ad space directly, companies usually dole out money to an agency. Those agencies often turn to outside buyers specializing in Internet marketing. And the buyers can split the funds even further, allocating some for banner ads paid for based on how many people view them; some for "pay-per-click" ads paid for based on the number of clicks for further information; and some for "pay-per-sale" ads, in which publishers of Web pages get a commission for electronically referring eventual buyers to the merchant.
In each of those cases, the Internet ad buyers can turn to advertising networks using thousands or even tens of thousands of so-called affiliates. The networks take a percentage of the spending and give another cut to the affiliates, which range from one-person Web retailers to major companies that distribute free, ad-supported software.
The problem is that the networks and the affiliates -- and the countless "sub-affiliates" working for the affiliates -- have an incentive to generate the most viewers, clicks and buyers they can. That leads some of them to trick people into installing spyware that produces a never-ending stream of come-ons.
If an affiliate slips a deceptive piece of software into someone's personal computer and persuades the owner to buy something, the transaction could be passed through three or four businesses -- each taking a cut -- before the affiliate network hands off the customer to the merchant.
Some security experts estimate that spyware and its cousin, adware, generate $500 million to $2 billion a year in revenue for middlemen.
"The whole system seems like it's been designed to reduce accountability," said Ben Edelman, a Harvard graduate student who has testified before Congress on spyware practices. "It's a nightmare of backroom deals."
Schmidt, of 1-800 Contacts, said most merchants couldn't tell what traffic was legitimate and what wasn't. The affiliate networks, which could tell, often don't bother. "They're all taking the 'hear no evil, see no evil' approach," Schmidt said.