Lenovo gets fined $3.5m for distributing Superfish adware

Lenovo finally gets fined for pre-installing spyware on its computers

Settlement in Lenovo Superfish scandal

Computer maker Lenovo has agreed to pay $3.5 million to settle allegations arising from the Superfish scandal. On September 6th, 2017, a coalition of attorneys general from 32 states announced that the company will pay for shipping adware preinstalled on the consumer laptops it sold.

The company made a costly mistake when it chose to bundle Superfish adware with its consumer laptops in 2014. The backlash began in autumn 2014, when users started complaining about the intrusive VisualDiscovery adware (developed by California-based Superfish) on their new machines.

In January 2015, China-based Lenovo stopped preloading the adware on new consumer systems and said that Superfish had disabled the software on machines already sold, so that it no longer served ads. That alone did not close the security hole, because the Superfish root certificate stayed in the Windows trusted root store; the top-selling computer brand later released a removal tool that deleted both the software and the certificate from affected products.

The Superfish adware's behaviour can only be described as “aggressive”

The adware could display pop-up ads, inject ads into web pages so that they appeared to come from the sites themselves (confusing the user about who was serving them), and, by installing its own root certificate in the Windows trust store, inject ads into encrypted (HTTPS) pages as well.

According to the FTC, VisualDiscovery acted as a “man-in-the-middle” between users and the websites they visited, which gave the software access to everything the user sent over those connections. A victim's name, login credentials, payment details and Social Security number could all pass through the proxy and reach Superfish's servers.

To display ads on HTTPS sites, the adware intercepted each TLS connection and replaced the website's certificate with one signed by its own root certificate, which had been added to the Windows trusted root store at install time. The software did not properly verify that the website's real certificate was valid before substituting its own, and the private key of that root was protected by the same easy-to-crack password on every affected laptop.

As a result, victims' browsers could not warn about dangerous websites presenting bogus certificates: every certificate the browser saw had been re-signed by the trusted Superfish root, so an invalid or forged upstream certificate looked exactly as legitimate as a genuine one. Worse, because the root key was identical on every machine, a criminal who recovered it once, by simply brute-forcing the pre-installed password, could sign a certificate for any website that every affected laptop would trust and silently intercept those users' communications.
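The two failures just described, as an added example written for this page in Go rather than anything from Superfish, Lenovo or the FTC: a toy model of an interception proxy that re-signs upstream certificates under a root the browser trusts. The CA names, the host `bank.example`, and the functions `mustIssue`, `verifyChain`, `intercept` and `runScenario` are all assumptions of the example. It shows that a proxy which skips upstream validation turns an attacker's bogus certificate into one the browser accepts without warning (while the corrected proxy refuses it but still serves genuine sites), and that anyone holding the shared root key can mint a trusted certificate for any site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue generates a key and a certificate for it. With parent == nil the
// result is a self-signed CA; otherwise a server certificate for name signed by parent.
func mustIssue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial; real CAs use random ones
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // server certificate, the kind the proxy mints for every HTTPS site
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verifyChain checks leaf for host against the given roots, as a browser does
// against its trust store; nil means the browser would show no warning.
func verifyChain(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// intercept models the proxy handling one HTTPS connection; upstream is the
// certificate the remote server presented. With validateUpstream false the proxy
// re-signs whatever it was given under its own root (the failure described above);
// with it true the proxy verifies the upstream chain first and refuses bogus ones.
func intercept(host string, upstream, root *x509.Certificate, rootKey ed25519.PrivateKey,
	validateUpstream bool, publicRoots ...*x509.Certificate) (*x509.Certificate, error) {
	if validateUpstream {
		if err := verifyChain(upstream, host, publicRoots...); err != nil {
			return nil, fmt.Errorf("refusing to re-sign %s, upstream certificate invalid: %w", host, err)
		}
	}
	cert, _ := mustIssue(host, root, rootKey)
	return cert, nil
}

type scenarioResult struct {
	BogusForwardedSilently      bool // vulnerable proxy: attacker's certificate became trusted
	BogusBlockedWhenValidating  bool // corrected proxy refused the bogus upstream certificate
	GenuinePassesWhenValidating bool // corrected proxy still serves genuine sites
	SharedKeyForgeryTrusted     bool // certificate minted with the shared root key is trusted
}

// runScenario plays out the four cases for one hostname (assumed here: bank.example).
func runScenario(host string) scenarioResult {
	publicRoot, publicKey := mustIssue("Public CA", nil, nil)
	proxyRoot, proxyKey := mustIssue("Preloaded interception root", nil, nil) // same key on every laptop
	attackerRoot, attackerKey := mustIssue("Attacker CA", nil, nil)
	genuine, _ := mustIssue(host, publicRoot, publicKey)
	bogus, _ := mustIssue(host, attackerRoot, attackerKey) // what a network MITM presents
	forged, _ := mustIssue(host, proxyRoot, proxyKey)      // minted by whoever cracked the shared key
	var res scenarioResult
	reissued, err := intercept(host, bogus, proxyRoot, proxyKey, false, publicRoot)
	res.BogusForwardedSilently = err == nil && verifyChain(reissued, host, proxyRoot) == nil
	_, err = intercept(host, bogus, proxyRoot, proxyKey, true, publicRoot)
	res.BogusBlockedWhenValidating = err != nil
	fixed, err := intercept(host, genuine, proxyRoot, proxyKey, true, publicRoot)
	res.GenuinePassesWhenValidating = err == nil && verifyChain(fixed, host, proxyRoot) == nil
	res.SharedKeyForgeryTrusted = verifyChain(forged, host, proxyRoot) == nil
	return res
}

func main() {
	fmt.Printf("%+v\n", runScenario("bank.example"))
}
```

Running it prints a struct with all four fields true. The two obligations it illustrates apply to any real interception product: validate the upstream chain (hostname, expiry, trust and ideally revocation) before re-signing anything, and generate a per-machine root key at install time instead of shipping one key, however it is password-protected, to every customer.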

The settlement is pending approval from courts of 32 states

Although Lenovo disagreed with the allegation that it “preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” the company said it was “pleased to bring this matter to a close after two and a half years.”

However, the settlement still requires approval from the courts of the participating states. If approved, the $3.5 million from Lenovo will be divided among those states in proportional shares.

About the author
Linas Kiguolis - IT professional

Linas Kiguolis is a qualified IT expert who loves sharing his knowledge about problems in the Windows and Mac operating systems. Linas’ insights often help other team members find quick solutions for visitors of the UGetFix site.
