News:
March 29, 2009
What is SiteAdvisor good for?
SiteAdvisor
is a free service that rates websites for safety and spamminess.
You can download a free
program, and it will warn you if you're navigating to a site
with problems. They also have a website with a "dossier"
page for each rated website's domain name that summarizes the criteria
for the rating and has additional comments by site owners and volunteer
reviewers.
SA has been getting a lot of criticism
lately, much of it well deserved. Let's look at what it does vs.
what it claims to do.
Color coded ratings: This feature assigns
a color code to each site: green is good, red is bad, yellow means
the site has flaws that you may be willing to overlook, and grey
means it hasn't been rated by the SiteAdvisor staff yet. The free
SiteAdvisor download will pop up the color code rating when you
use search engines or try to visit websites, giving you advance
warning about the site you're trying to visit. It's a huge oversimplification
of what's out there on the internet, so it's no surprise there is
a lot of controversy over this feature.
But the biggest problem is that they aren't just
oversimplified; they're wrong. A lot. Legitimate sites may receive
a false positive red rating, which harms their ability to attract
web traffic, and it may take weeks or months for SA staff to re-evaluate
the site to correct it.
More concerning, since this service is supposed to
increase the safety of web browsing, are false negative green
ratings. SA seems to hand out green ratings to new sites almost
by default rather than leaving them grey until they can really get
a thorough review. And unless someone complains, it's going to keep
that green rating forever. The objection has been raised that a
malicious site could defeat the system by putting up innocuous content,
getting a green rating, and then proceeding to download malware
with SA's blessings. It's not like the site's criminal owners are
going to complain about their green rating, after all.
SA's red ratings for phishing sites are generally
accurate and prompt. Presumably they get a feed from one of the
organizations that collect reports of phishing sites, as it's uncommon
to find one they haven't already rated red. That's huge, since phishing
sites are very time sensitive -- they usually don't stay alive long,
and the criminals have a very brief period of time to defraud people.
Malware sites are usually red, but the delay in
retesting can leave very dangerous sites rated green. Also, McAfee's
own AV program may fail to identify malware until it's been submitted
and analyzed. So you do see some malware sites rated green or yellow,
especially if they were legitimate sites that were hacked to insert
the malware download. And sites that distribute malware can stay
alive for a long time by disguising themselves as legitimate antivirus
programs -- providing them the ability to claim they are being wrongly
maligned by their competitor, McAfee.
SA's ratings of other types of scammy sites are
very unreliable. There is no attempt to evaluate whether the site
is registered with fake registrant information, whether it has fake
endorsements such as counterfeit Better Business Bureau seals, whether
it claims to have been in business longer than would be possible
based on the date of the domain registration, whether it is identical
to another site previously rated yellow or red at a different web
address, etc. Sites that are scams rarely get rated worse than yellow
if they aren't phish or malware.
Dangers and annoyances: SA is owned by
McAfee, so it should be pretty good at rating malware, right? Unfortunately,
they don't jump on these as fast as they do for phish, so many,
many malware sites are grey or yellow (if they get busted for spamming
before SA actually crawls them). SA also rates a site for covert
attempts to change your home page, for browser exploits, and also
for mere annoyances like excessive pop-ups. This section of the
dossier explains how these contributed to the color rating.
Sites promoted by spam: McAfee gathers
information on domains advertised in spam. Those sites may turn
rapidly to yellow, though as noted, they usually won't get any more
in-depth analysis as far as their fraudulent content. And sites
which send spam with "throwaway domains," links that merely
redirect traffic to the real target site, will not be picked up,
since the target site's domain never appears in the spam.
Bad/Good Links: SA follows the links on
a site to see if those sites themselves have green/yellow/red ratings.
You would be concerned about a new site that was steering traffic
to a known malware download site, obviously. And good sites should
be clever enough not to include live links to those sites, even
if they are discussing what's bad about a bad site.
There is always the risk that an open forum or
wiki will temporarily have a live link posted by a careless contributor
or forum spammer that just happens to be there the day SA crawls
the site. And again, the bad guys can simply wait until they get
their green rating and then add all their dangerous links. So the
infrequency of rechecks is a serious problem.
Site owner comments: SA allows the site
owners to comment on their own sites. To use it, the site owner
must prove he/she owns it by posting a page with a title SA provides.
It's a powerful way to correct inaccurate ratings, since the owner's
comments will always appear first, no matter how many pages of other
users' ratings there are. It can't overcome an inaccurate red rating
that appears in search engine results. But it can allow a site owner
to explain why the subsequent volunteer reviews are inaccurate or
outdated, for instance, if a site was hacked and has been cleaned
up since negative ratings were posted.
Misuse of visitors' email addresses: SA's
crawler will look for places on a site to post a visitor's email
address and will leave one encoded for the site they are rating.
They then rate the "spamminess" of mailings they get as
a result, and they rate whether unsubscribe requests are honored.
They also visit the site later to see if the email address was posted
publicly where spammers could harvest it.
Obviously, if you visit a site with an insentient
robot and give your email address, you can't complain about getting
newsletters about that site's sales promotions. But you do have
a right to expect the site will not post your email address publicly
and that it will not pass your email address to other marketers.
You especially should be confident you won't get a deluge of spam
for scam sites. It takes a long time for these ratings to be completed,
as there is a time-delay involved in an email address being distributed
by spammers.
This is a very useful service SA provides that
the average user can't duplicate easily. While the spamminess of
the emails is automatically evaluated and can be erroneous, they
do post the subject lines of the mailings they received and the
frequency the emails arrived, so you can make your own decision
by viewing the dossier page.
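One way a rating service can encode the site under test into the address it hands out, so that mail arriving later can be attributed to that site and a forged or mangled tag is rejected. This is an added illustration, not SiteAdvisor's code; the secret, mail domain and sample messages are constructed.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed values for this example; a real service would keep its own secret.
SECRET = b"example-rating-service-secret"
MAIL_DOMAIN = "ratings.example"
TAG_LEN = 12  # hex characters of the HMAC kept in the address


def site_label(site: str) -> str:
    """Turn 'www.Shop.example' into an address-safe label 'www-shop-example'."""
    return re.sub(r"[^a-z0-9]+", "-", site.lower()).strip("-")


def tag_for(label: str) -> str:
    """HMAC of the label under the service secret, truncated for readability.
    Because the tag is keyed, a spammer who sees one address cannot mint an
    address that would blame a different site."""
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def tagged_address(site: str) -> str:
    """Address handed to one site while it is being rated."""
    label = site_label(site)
    return f"{label}.{tag_for(label)}@{MAIL_DOMAIN}"


def attribute(recipient: str):
    """Map a recipient address back to the site label it was issued for,
    or None when the tag does not verify (forged, mistyped or mangled)."""
    pattern = rf"([a-z0-9-]+)\.([0-9a-f]{{{TAG_LEN}}})@{re.escape(MAIL_DOMAIN)}"
    m = re.fullmatch(pattern, recipient.strip().lower())
    if not m:
        return None
    label, tag = m.groups()
    return label if hmac.compare_digest(tag, tag_for(label)) else None


def summarize(messages):
    """messages: iterable of (recipient, sender_domain, subject) triples.
    Returns, per attributed site, the mail count, the distinct sender domains
    (many unrelated senders suggest the address was passed on or harvested)
    and the subjects, the data a dossier page would show."""
    report = defaultdict(lambda: {"count": 0, "senders": set(), "subjects": []})
    for recipient, sender, subject in messages:
        site = attribute(recipient)
        if site is None:
            continue  # unattributable mail is not charged to any site
        entry = report[site]
        entry["count"] += 1
        entry["senders"].add(sender)
        entry["subjects"].append(subject)
    return {
        site: {"count": e["count"], "sender_domains": sorted(e["senders"]), "subjects": e["subjects"]}
        for site, e in report.items()
    }


# Constructed sample: addresses issued to two sites, then the mail that arrived.
ADDR_SHOP = tagged_address("shop.example")
ADDR_DEALS = tagged_address("deals.example")
SAMPLE_MAIL = [
    (ADDR_SHOP, "shop.example", "Your weekly specials"),
    (ADDR_SHOP, "bulkmailer.example", "Cheap meds!!!"),
    (ADDR_SHOP, "pills4less.example", "RE: your order"),
    (ADDR_DEALS, "deals.example", "Welcome to our newsletter"),
    ("shop-example.000000000000@" + MAIL_DOMAIN, "forger.example", "forged tag"),
]

if __name__ == "__main__":
    for site, entry in summarize(SAMPLE_MAIL).items():
        print(site, entry["count"], entry["sender_domains"])
```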
Volunteer reviewers' comments: While there
are some fake endorsements from the scammers who own the sites,
this is an important place to look for information about dangerous
or fraudulent sites which haven't been awarded the red or yellow
ratings they deserve.
Reviewers who post comments have ratings listed
after their posts to indicate how useful their other reviews have
been to SA registered members, ranging from 9 (most reliable) to
0 (posted unhelpful information and dropped from their initial rating
of 1). And the reviewers' names link to their own profiles, letting
you see how many other sites they have reviewed and what those reviews
have said.
There is also a "Reviewer
Central" page that lists the top reviewers and their recent
posts. One of its linked pages includes the reviewers
who have contributed the most reviews in the past week. Unlike
the pages reviewing the websites themselves, this page will show
you reviewers who have ratings that have dipped even lower than
zero, often an indication of a scammer who owns multiple clones
of the same site who is giving himself good ratings.
You may wonder how some reviewers have had time
to post thousands of reviews. It's precisely because scammers will
have so many identical sites -- for instance, so they can spam new
ones as the old ones get blocked by spam filters -- that allows
reviewers to uncover entire groups of identical scam domains and
give them identical reviews. And individual reviewers will often
concentrate on areas of particular interest or competence. Although
they are using their on-line handles, many of the top rated reviewers
are well-respected for their internet security work under their
real names, as well.
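Two of the signals discussed above, a site that claims to have been in business longer than its domain has existed and groups of identical scam sites at different addresses (the way reviewers uncover clone families), can be checked mechanically. This is an added example, not anything SiteAdvisor or its reviewers run; every page, domain and registration date in it is constructed.

```python
import hashlib
import re
from datetime import date
from typing import Dict, List, Optional


def page_text(html: str) -> str:
    """Strip tags, lowercase and squeeze whitespace so wording can be compared."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    return re.sub(r"\s+", " ", text).strip()


def normalized(html: str, domain: str) -> str:
    """Replace the site's own domain with a placeholder: two clones that differ
    only in the address they are served from then produce identical text."""
    return page_text(html).replace(domain.lower(), "{domain}")


def fingerprint(html: str, domain: str) -> str:
    return hashlib.sha256(normalized(html, domain).encode()).hexdigest()[:16]


def find_clones(pages: Dict[str, str]) -> List[List[str]]:
    """Group domains whose normalized content is identical; only groups with
    more than one member (actual clones) are returned."""
    groups: Dict[str, List[str]] = {}
    for domain, html in pages.items():
        groups.setdefault(fingerprint(html, domain), []).append(domain)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def claimed_start_year(html: str, today: date) -> Optional[int]:
    """Earliest year the page claims to have been in business, from phrases
    such as 'since 1996', 'established in 2005' or 'over 12 years'."""
    text = page_text(html)
    years = [int(y) for y in re.findall(r"(?:since|established|founded)(?: in)? (\d{4})", text)]
    years += [today.year - int(n) for n in re.findall(r"\b(\d{1,3})\+? years", text)]
    return min(years) if years else None


def age_claim_suspicious(html: str, registered: date, today: date) -> bool:
    """The check the text describes: a site claiming to predate its own domain
    registration is flagged for a closer look (a heuristic, not proof)."""
    start = claimed_start_year(html, today)
    return start is not None and start < registered.year


# Constructed sample: two clones of one storefront and one unrelated page.
_TEMPLATE = """<html><body><h1>Discount Pharmacy</h1>
<p>Serving customers since 1996 at www.{d}. Order today at {d} and save 80%!</p>
</body></html>"""
SAMPLE_PAGES = {
    "cheapmeds-a.example": _TEMPLATE.format(d="cheapmeds-a.example"),
    "cheapmeds-b.example": _TEMPLATE.format(d="cheapmeds-b.example"),
    "corner-pharmacy.example": "<html><body><p>Licensed pharmacy, established in 2005.</p></body></html>",
}
SAMPLE_REGISTERED = {  # constructed registration dates, as a WHOIS lookup would give
    "cheapmeds-a.example": date(2009, 2, 20),
    "cheapmeds-b.example": date(2009, 3, 1),
    "corner-pharmacy.example": date(2004, 6, 1),
}
TODAY = date(2009, 3, 29)


def review(pages=SAMPLE_PAGES, registered=SAMPLE_REGISTERED, today=TODAY):
    """Combined report: clone groups plus the domains whose age claim is off."""
    flagged = sorted(d for d, html in pages.items()
                     if age_claim_suspicious(html, registered[d], today))
    return {"clones": find_clones(pages), "age_claim_suspicious": flagged}


if __name__ == "__main__":
    print(review())
```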
How should you use SA?
SA is still a valuable resource. But never rely
on the color codes. Read the "dossier" pages, with SA's
analysis and the volunteer reviewers' posts. If a site is too new
to have a full analysis by SA, take that into account -- it may
be a fly-by-night operation that can't be trusted with a credit
card number.
There are other ratings services. Web
of Trust (MyWOT) is often mentioned, and tends to be more responsive
to information from volunteer reviewers. However, since they only
accept reviews from people actually using their download, they are
less popular with many internet researchers who don't want or need
a program warning them of dangerous sites every time they purposely
visit one.
March 21, 2009
419 Spammers scraping bottom?
Spams received today:
Subject: STOP CONTACTING THOSE PEOPLE
Dearest,
My name is Mrs. Ruizena Santiago, I live at 3775 Oleander
Dr Highland, Ca 92346,United States.
I am one of those that executed a contract in Nigeria years
ago and they refused to pay me, I had paid over $20,000USD
trying to get my payment all to no avail.
Somebody directed me to travel down to Nigeria with all my
contract documents to meet Mr. George Mark who is the member
of CONTRACT PAYMENT COMMITTEE and
LEGAL ADVISER to the COMMITTEE, and I contacted him and he
explained everything to me on telephone and advised me to
come down to Nigeria which I did.
He said that those contacting us through emails are fake.
Then he took me to the paying bank, which is Oceanic Bank
of Nigeria, and I am the happiest woman
on this earth because I have received my contract funds of
1.000.000.(One Million USD).
On the process of searching for my file, I saw your information
on awaiting payment list in the office of Mr. George Mark.
Though I did not capture all your information lest your fax
number.
Am sorry contacting you late as I planed doing it as soon
as I arrive backs USA.
I have been so busy because we are trying to set up a factory
here with the money we received.
So if you care, do contact Mr. George Mark with the information
below and just explain yourself to him, as I know he is honest
and humble person.
Alternatively mention my name to him he will attend to you.
JOAKIN COMPENSATION HOUSE
Name:Mr.George Mark
Email:[email protected]
Tell: +234-803-597-0266
Address: 123,Palm Avenue Palm Grove,
Lagos Nigeria.
You really have to stop your dealing with those contacting
you okay because they will dry you up until you have nothing
to eat.
The only money I paid was just $460,take note of that.
So you have to take note of that. You can
reach me on this email:..[email protected]
Thanks and God bless you,
Mrs. Ruizena Santiago
(Compensation Officer)
COMPENSATION AWARD HOUSE
Subject: In Good Faith
Hello,
I am Mrs. Linda M. Nack, USA citizen and resident born on
October 28th, 1947. My residential address is 108 N Greenfield
Rd, APT 1026, Mesa, Arizona 85205-7808.
I am one of those that executed a contract in Nigeria years
ago and they refused to pay me, I had paid over $20,000 trying
to get my payment all to no avail.
I was directed to travel down to Nigeria with all my contract
documents, and I was informed to meet Gary Lewin who is a
member of the BENEFICIARIES PAYMENT COMMITTEE. I contacted
him on reaching the country and he explained everything to
me.
He said of those who contact beneficiaries with false information
to extort money from them as fake and illegal.
Gary Lewin validated all my claims and documents with the
Committee, he forwarded my claims to the Paying Bank, First
Trust Bank and thereafter I was the happiest woman on this
earth because I have received my contract funds of $5Million
USD.
Moreover, Gary Lewin showed me full information of those that
have not received their payment from Contract Payments and
every other unclaimed funds still lying unclaimed in their
Treasury. I saw your name as a beneficiary of an unclaimed
funds and your email address to claim a sum of $400,000.00
USD, this is why I decided to email you and tell you to stop
dealing with those illegal people if they have contacted you
with false information. They are not with your funds, they
are only making money out of you.
I will advice you to contact Gary Lewin as soon as possible
so that he can revalidate your claims and issue a Bank Draft
to you cashable anywhere in the World.
You have to contact him direct on this information below.
Name: Gary Lewin
Email: [email protected]
Tel:+234-802-739-1444
You really have to move quickly now in reaching Gary Lewin
for your claims to be revalidated so that you can receive
your funds without hassle once you comply with him.
The only money I paid was just $350 for Documents Revalidation
with the commitee before my funds was transferred to me, so
you have to take note of that. Once again stop contacting
other people, I will advice you to contact Gary Lewin so that
he can help you to finalize your fund transfer.
Upon contacting Gary Lewin, ensure to state
your unclaimed funds sum of $400,000.00 USD alongside the
following information;
Full Name:
Address:
Telephone Number:
Age:
Occupation:
Once this is done and the Revalidation fee
of $350 USD paid to the Commitee, your funds will be sent
to you immediately without further delay.
A copy of my Identification Documents is with Gary Lewin,
you can ask for that for my identity so that you can reach
me when you get your funds payment.
Thank You and Be Blessed.
Yours In Good Faith,
Linda M. Nack.
Subject: STOP CONTACTING THOSE PEOPLE PLEASE.
Hello,
I am Mrs Mary Susan Derrick, I am a US citizen, 48 years Old.
I reside here in New Braunfels Texas. My residential address
is as follows. 108 Crockett Court. Apt 303, New Braunfels
Texas, United States, am thinking of relocating since I am
now rich. I am one of those that took part in the Compensation
in Nigeria many years ago and they refused to pay me, I had
paid over $20,000 while in the US, trying to get my payment
all to no avail.
So I decided to travel down to Nigeria with all my compensation
documents, And I was directed to meet Mr. Moses David, who
is the member of COMPENSATION AWARD COMMITTEE, and I contacted
him and he explained everything to me. He said whoever is
contacting us through emails are fake.
He took me to the paying bank for the claim of my Compensation
payment. Right now I am the most happiest woman on earth because
I have received my compensation funds of $1,500,000.00 Moreover,
Mr. Moses David, showed me the full information of those that
are yet to receive their payments and I saw your name as one
of the beneficiaries, and your email address, that is why
I decided to email you to stop dealing with those people,
they are not with your fund, they are only making money out
of you. I will advise you to contact Mr. Brian I. DeFronse
You have to contact him directly on this information below.
JOAKIN COMPENSATION HOUSE
Name : Mr.Moses David
Email: [email protected]
Phone: +234 803 495 7120
You really have to stop dealing with those people that are
contacting you and telling you that your fund is with them,
it is not in anyway with them, they are only taking advantage
of you and they will dry you up until you have nothing.
The only money I paid after I met Mr. Moses David was just
$270 for the paper works, take note of that.
Once again stop contacting those people, I will advise you
to contact Mr. Moses David so that he can help you to Deliver
your fund instead of dealing with those liars that will be
turning you around asking for different kind of money to complete
your transaction.
Thank You and Be Blessed.
Mary Susan Derrick.
[email protected]
108 Crockett Court.
Apt 303, New Braunfels Texas,
United States Of America
"Nigerian" spams are a type of "advance
fee fraud" (since the scam is to get people to pay money up front
with the promise they will receive a much larger sum). They're also
called "419 fraud" (based on the article number of the
Nigerian law they violate). A high percentage actually are perpetrated
by Nigerians who have access to internet cafes and a quality of
education that exceeds their job prospects, though scammers commonly
do misrepresent their country of origin.
If you look at your own filtered spam, you'll
see hundreds of these, and it's hard to believe anyone falls for
them. Since they often ask the victim to participate in fraud (by
impersonating a relative of someone who died without heirs, for
instance), it can be hard to feel much sympathy for the victims.
But when these criminals suck their victims dry, they often leave
the victims' families and relatives homeless and without savings,
too. Some victims even travel to Africa to meet the "Nigerian
princes" who need to smuggle their wealth out of the country
and end up kidnapped for ransom. There have even been murders.
For some time now, there have been 419 spams claiming
to represent victim compensation funds, trying to get previously
scammed people to cough up even more money to either recoup their
losses or get another try at the originally promised wealth. Many
victims persist in the belief that the riches are real and that
they were cheated out of them, rather than accepting they were scammed
by someone who never had any money in the first place. Some probably
have early Alzheimer's disease, too, and are not able to manage their
own funds anymore. So rather than "once burned, twice shy,"
those who have been cheated once already are considered promising
targets.
What's different about these spams is they are
targeting people still in the middle of being fleeced by another
419 scammer. Enlightening someone about fraud is not the most promising
way of getting him to fall for the same fraud, so apparently
the 419-ers are finding it harder to find fresh victims. One can
only hope.
March 15, 2009
Why is Microsoft helping spammers promote software piracy?
Everyone who has used Microsoft's software knows
they really want to make sure no one uses their products
without paying. They've got those long product keys to type in.
They've got "Windows Genuine Advantage" to make sure you
can't upgrade pirated copies of your operating system. They even
make you phone in for permission to reinstall Windows if you rebuild
your hard drive too many times.
So it's pretty funny to see spammers using Microsoft's
own spaces.live.com free web pages to spam for sites selling
pirated software. Or it would be funny if it weren't for the fact
that they're passively assisting in the operation of a criminal
enterprise.
If you look in your spam folder -- and at this
point, any email that contains the phrase "spaces.live.com"
is probably in there, whether it's spam or not -- you'll probably
find some spam that has URLs like this:
http://cid-ef4a796e86d38d9a.spaces.live.com/
Most of them are for scam pharma sites. Well,
nobody expects Microsoft to be experts on pharmacies, though the
fact that they're helping promote sites that could kill people might
make them want to read up on it a bit. But some of those pages actually
link to a brand of spamvertised sites called Euro
Softwares, like wietoperaste.com, hosted on a domain registered
with stolen identity data:

This well-known spamvertised brand sells pirated
software like Microsoft's own Windows Vista and Microsoft
Office at rock-bottom prices. There are going to be a lot of
innocent internet users who will rely on the fact that it is Microsoft
itself providing the links to those sites. They will provide their
credit card numbers and download software -- potentially laced with
spyware and trojans -- thinking they are getting genuine Microsoft
products. If I were a retailer selling real software, I'd be pretty
pissed.
Surely Microsoft can't be aware of this problem,
or they would be on it like white on rice, right? Sorry to say,
this is no secret. Blogs, forum postings, SiteAdvisor reviews --
there are complaints all over the internet about the amount of spam
using spaces.live.com as intermediate links, preventing spam filters
from recognizing the URLs the spams are really advertising. For
example, see the discussions at
http://web.tebweb.com:8080/cgi-bin/spm_forum/Blah.pl?b=spam_latest_offenders,m=1234383264
http://www.siteadvisor.com/sites/cid-6cc0f3f507f91632.spaces.live.com/
... as well as multiple posts in the registered
user section of inboxrevenge.com that have been documenting these
spams. There have even been organized campaigns to report them to
Microsoft, starting back before the Castlecops forum was shut down
in December 2008. You'd think Microsoft would be extending thanks
to the unpaid volunteers trying to help them track down software
pirates, but you'd be wrong. No Microsoft representatives have responded
to any of the posts that I am aware of.
It's been going on for months. Other free hosting
sites have gotten control of the problem. Despite having to overcome
language hurdles, even the Russian hosting sites like pochta.ru
have beaten back the spammers. But spaces.live.com remains heavily
infested.
Whatever you do, don't give your credit card to
the EuroSoftwares. It's a very foolish thing to do when dealing
with people who steal other people's identities and credit card
numbers to register the sites in the first place. The Better Business
Bureau, Trust-e and RapidSSL logos on the site are counterfeits,
too. If you download anything from them, it's likely to include
malware, since they're using malware infected computers to mail
their spam and host their sites. No matter how much Microsoft seems
to condone it, don't do it.
But seriously, Microsoft, get a clue!
March 5, 2009
Waledac abandons love for money in a shaky economy
Waledac sites were recently hosting valentines
e-cards, like the very similar Storm worm sites that preceded them.
But they have now changed to a new tactic to take advantage of economic
worries:
The "Couponizer" site offers discounts
of up to 95%:
Exclusive sale coupons and deals at over
100,000 stores. You can find these amazing sale offers and
coupons ONLY HERE! You can download free online and printable
coupon list.
Click Image Below for coupons!
In our list there are most popular stores,
restaurants and companies with discounts up to 95%. We help
you to survive this crisis!
Some help, infecting your computer with a trojan
when you try to get a coupon!
As usual, your antivirus program isn't likely
to alert you, though Firefox flags some of the website domain names
as malicious and won't permit downloads:
Antivirus           Version          Result
a-squared           4.0.0.101        -
AhnLab-V3           5.0.0.2          -
AntiVir             7.9.0.100        TR/Dropper.Gen
Authentium          5.1.0.4          -
Avast               4.8.1335.0       -
AVG                 8.0.0.237        I-Worm/Nuwar.AQ
BitDefender         7.2              -
CAT-QuickHeal       10               -
ClamAV              0.94.1           -
Comodo              1025             -
DrWeb               4.44.0.09170     -
eSafe               7.0.17.0         -
eTrust-Vet          31.6.6381        -
F-Prot              4.4.4.56         -
F-Secure            8.0.14470.0      -
Fortinet            3.117.0.0        W32/PackWaledac.A
GData               19               -
Ikarus              T3.1.1.45.0      -
K7AntiVirus         7.10.657         -
Kaspersky           7.0.0.125        -
McAfee              5543             -
McAfee+Artemis      5543             -
Microsoft           1.4405           Trojan:Win32/Waledac.gen!A
NOD32               3909             a variant of Win32/Waledac.HC
Norman              6.00.06          -
nProtect            2009.1.8.0       -
Panda               10.0.0.10        Suspicious file
PCTools             4.4.2.0          -
Prevx1              V2               -
Rising              21.19.30.00      -
SecureWeb-Gateway   6.7.6            Trojan.Dropper.Gen
Sophos              4.39.0           -
Sunbelt             3.2.1858.2       -
Symantec            10               -
TheHacker           6.3.2.7.272      -
TrendMicro          8.700.0.1004     -
VBA32               3.12.10.1        -
ViRobot             2009.3.4.1634    -
VirusBuster         4.5.11.0         -
The downloads themselves have a variety of names
-- if you reload the site, the name of the payload changes:
run.exe
save.exe
print.exe
couponslist.exe
discounts.exe
In addition to previous
Waledac domains, here are some new ones:
http://chatloveonline.com/tds/Sah7
is a hidden "iframe" on the pages. It is a list of advertising
links that aren't visible on the actual pages, perhaps to make a
little money with click fraud.
March 4, 2009
Where can I find free software?
Spywarehammer.com's free security software download page
It's incredibly frustrating. Someone just learning
about computer security tries to download a program to clean up
his/her computer, and ends up with a piece of crapware pretending
to be an antimalware program. Worse yet, the victim may even have
been tricked into paying for the privilege. And trying to
undo that mistake may cost even more time and money. There are
25 million hits on Google for pages about how to remove "Antivirus
2009" ("Antivirus2009"), a famous example of such
malicious programs.
There is an incredible amount of quality free
software available, so it's not a surprise that people get confused.
You really can get something for nothing. Most of those downloads
are from companies that would like you to be happy enough with their
product to buy a version with more features, and apparently that
works often enough for them to continue to do it.
The security experts at spywarehammer.com have
compiled, and keep updated, a
listing of free security software downloads. It's a great resource.
Don't download anything unless you see it recommended by
a known reliable source like that.