You cannot fault the Japanese arm of Mc Donald’s for moving with the times and giving away Flash MP3 players as prizes in a competition to customers who bought large Coca-Cola drinks. But, to be honest, I would rather have had the usual tacky plastic movie tie-in toy because at least those guys do not come complete with spyware.
Yep, one can only assume that Ronald McDonald has been promoted to head of IT security for the fast food giants, after all it is the only reasonable explanation of how the QQpass spyware Trojan was allowed to be distributed, unnoticed, on the McDonald’s branded MP3 players.
Sure, the security breach was eventually spotted, but not until 10,000 of the infected prizes had already been sent out. The McDonald’s product recall, apology and telephone helpline offering advice on disinfecting a PC are all welcome but should not have been needed in the first place.
As someone who has been a Contributing Editor of computer magazines for two decades now, I seriously thought that the era of the freebie give-away virus infection was over. After all, this is positively old school when it comes to distribution methodology. I can recall some highly serious slip ups over the years, with magazine publishers who should have known better, even in the early 90’s, managing to infect their customers by issuing cover mounted CDs that were not virus-checked properly.
But everyone knows better these days, security is not a black art, it is no longer a secret shared only between those who know the special handshake. Everyone, apart from McDonald’s apparently, understands that if you are giving away an item that contains data and it intended to be plugged into a customer PC then it has to be checked and double-checked and declared clean before it reaches the distribution chain.
Those who really care about their customers, and their brand reputation, would check again at the final stage of distribution before shipping to ensure no malware had been introduced along the way.
Something that did not, obviously, happen in this case. Something made even more surprising given that the McDonald’s branding was emblazoned on the MP3 players, so these would be linked directly to the conglomerate along with any problems.
What did happen was when the MP3 player was plugged into the PC for the very first time, and the user attempts to start the player, so the Trojan was activated. And what does QQpass actually do? Oh, nothing much, just tries to shut down your AV software, steal login details for a Chinese chat application called OICQ and assorted web passwords before emailing them to a number of associated hackers.
It could be argued that the end user is as much to blame if they did not have anti-spyware and adequate firewall protection to prevent infection, but you will not find me arguing it. I am much more likely to be joining the ‘you cannot blame non-technical PC users for trusting a company such as McDonald’s to not be distributing malware’ argument to be honest.