September 5, 2017

FTC Slaps $3.5 Million Fine on Lenovo for Superfish Adware

Laptop maker Lenovo has agreed to pay a $3.5 million fine for pre-installing adware on hundreds of thousands of laptops.

The FTC accused Lenovo of preinstalling adware called VisualDiscovery, from the developer Superfish, on laptops it sold in the United States between late 2014 and early 2015. The adware tracked users’ web searches and browsing history in order to inject additional advertisements into the websites they visited. According to the FTC, the adware was able to access consumers’ personal information sent online, including medical information, login credentials, Social Security numbers, and financial and payment information.

The adware’s modus operandi was to deliver pop-up advertisements from Superfish’s retail partners whenever a user’s cursor hovered over a similar product on a website.

The FTC wrote in its announcement:

To deliver its ads, VisualDiscovery acted as a “man-in-the-middle” between consumers’ browsers and the websites they visited, even those websites that were encrypted. Without the consumer’s knowledge or consent, this “man-in-the-middle” technique allowed VisualDiscovery to access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information.

The complaint further alleges that the adware used an insecure method to replace the digital certificates of the websites it intercepted with certificates it had signed itself. VisualDiscovery did not adequately verify that a website’s certificate was valid before replacing it, so a consumer’s browser could no longer warn the user when visiting a malicious website that presented an invalid certificate: the browser only ever saw the adware’s own, locally trusted certificate.
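The two artefacts this technique leaves on a machine can both be checked from the client side, and the script below, added here as an illustration (it is not part of the original article, nor code from Superfish or Lenovo), shows how. First, the certificate a browser receives for a public site is no longer issued by a public CA but by the interceptor’s root; second, that root must sit in the operating-system trust store. The certificate records are constructed samples in the nested-tuple shape that Python’s `ssl.SSLSocket.getpeercert()` and `ssl.SSLContext.get_ca_certs()` return; the “Superfish, Inc.” organization name and the public-CA allowlist are assumptions made for the example.

```python
"""Client-side checks for an on-device TLS man-in-the-middle.

Sample records below are constructed for this example in the shape that
ssl.SSLSocket.getpeercert() / ssl.SSLContext.get_ca_certs() return.
They are not real certificates.
"""
import socket
import ssl

# Issuer organizations we expect for public sites (an allowlist; extend it
# with the CAs actually used by the sites you care about). Assumed set.
PUBLIC_CA_ORGS = {"DigiCert Inc", "Let's Encrypt", "GlobalSign nv-sa",
                  "Sectigo Limited"}

# Vendor strings that mark a locally installed interception root. Assumed.
INTERCEPTION_VENDORS = {"Superfish"}

# Constructed sample: what a browser should see for a public site.
NORMAL_PEERCERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
}

# Constructed sample: the same site as re-signed by a local interceptor
# (organization name is an assumption for the example).
INTERCEPTED_PEERCERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}

# Constructed sample trust store: two public roots plus the interceptor's.
SAMPLE_TRUST_STORE = [
    {"subject": ((("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root G2"),)),
     "issuer": ((("organizationName", "DigiCert Inc"),),
                (("commonName", "DigiCert Global Root G2"),))},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "issuer": ((("organizationName", "Internet Security Research Group"),),
                (("commonName", "ISRG Root X1"),))},
    {"subject": ((("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),))},
]


def name_to_dict(rdns):
    """Flatten ssl's ((('key', 'value'),), ...) name encoding into a dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def classify_peercert(peercert, public_ca_orgs=PUBLIC_CA_ORGS):
    """Return 'ok' if the leaf was issued by an expected public CA, else
    'intercepted'. A leaf for a public site whose issuer is outside the
    public-CA set, yet accepted by the OS, is the signature of a local MITM."""
    issuer = name_to_dict(peercert.get("issuer", ()))
    return "ok" if issuer.get("organizationName") in public_ca_orgs else "intercepted"


def suspicious_roots(trust_store, vendors=INTERCEPTION_VENDORS):
    """Return the commonName of every self-signed root in trust_store whose
    subject mentions a known interception vendor."""
    hits = []
    for cert in trust_store:
        subject = name_to_dict(cert.get("subject", ()))
        issuer = name_to_dict(cert.get("issuer", ()))
        name = " ".join(subject.values())
        if subject == issuer and any(v.lower() in name.lower() for v in vendors):
            hits.append(subject.get("commonName", name))
    return hits


def fetch_peercert(host, port=443, timeout=5):
    """Live helper (needs network): the certificate for host as validated
    against the system trust store, i.e. exactly what a browser sees."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("normal    :", classify_peercert(NORMAL_PEERCERT))
    print("intercept :", classify_peercert(INTERCEPTED_PEERCERT))
    print("sample    :", suspicious_roots(SAMPLE_TRUST_STORE))
    # Where ssl loads the OS store eagerly (Windows, or a single CA bundle
    # file), the same scan can run against the real trust store:
    print("local     :", suspicious_roots(ssl.create_default_context().get_ca_certs()))
```

Run it as a script to see the verdicts for the constructed samples and a scan of the local trust store; `fetch_peercert("some-site")` followed by `classify_peercert` reproduces the check users performed at the time, looking at who issued the certificate their browser accepted for a bank or webmail site. On Linux systems that load CAs lazily from a directory, `get_ca_certs()` may return an empty list, so the local scan there needs the bundle file loaded explicitly.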

As part of the settlement, Lenovo has also agreed to a number of restrictions and requirements from the FTC. The company must implement a “comprehensive software security program” for the consumer software preloaded on the laptops it sells, and that program will be subject to third-party audits.

For its part, Lenovo claims that it “disagrees with allegations” made by the FTC but is “pleased to bring this matter to a close after 2-1/2 years.”


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
