Feed: McAfee SiteAdvisor Blog - AggScore: 75.9
For millions of Yahoo! users, their search experience is now a little different. Alongside their regular Yahoo! search results, they may encounter a new piece of information – the site’s risk rating!
We recently announced that McAfee and Yahoo! have partnered to launch Yahoo! SearchScan Beta Powered by McAfee, the Web’s first search engine to incorporate such site safety ratings.
What’s under the hood?
Under this beta launch, Yahoo! users in the US, Canada, UK, France, Italy, Germany, Australia, New Zealand and Spain will experience much safer searching thanks to site safety ratings from SiteAdvisor, McAfee’s 5-star rated, award winning safe search tool.
Yahoo! users will immediately benefit by avoiding Web sites that can result in spyware, spam and "browser exploits."
SiteAdvisor users will now see two annotations when they search on Yahoo! – McAfee’s circle and Yahoo! SearchScan’s red triangle. The rating and additional information are the same.
Yahoo! will remove all sites that McAfee has rated red (risky) for download and e-mail practices from sponsored results (the ones on the right and top of the page). In addition, Yahoo will remove all sites that test positive for malicious exploit or "drive-by" code, no matter where they appear on the page. Finally, Yahoo! will display alerts next to red-rated download or e-mail results in the organic part of the search page.
For those Yahoo! users who are unfamiliar with SiteAdvisor, when they mouse over a red rating and click "more details" they’ll open a site profile providing the same in-depth information about the site’s test results that SiteAdvisor’s existing users have come to expect.
The added safety will be "on" by default for all users of Yahoo!’s U.S. search portal. Under Yahoo!’s "Search preferences" consumers can easily turn off the new feature or decide to filter out all red results from search results.
What’s Different?
SearchScan uses almost all of our data – but not all of it. For example, the SiteAdvisor plug-in offers phishing protection. SearchScan does not. Why? Phishing sites are largely a "surfing" phenomenon. They almost never show up in search so it makes sense for Yahoo to work with the most common types of red for now. For another example, we use a pretty complex algorithm to mark sites red if they link to too many other risky sites. SearchScan is brand new to the Yahoo! community and they’re rightly focusing at first on threats that are easiest to understand – like downloads, spam and exploits.
Taking SiteAdvisor wherever you search and surf
If Yahoo!’s users enjoy this safer search environment, we hope they’ll consider adding the SiteAdvisor plug-in to their browser as well. This way, they can take that new layer of safety to the surfing experience.
In fact, Yahoo!’s SearchScan Beta is not a replacement for SiteAdvisor. Our existing SiteAdvisor users will want to keep their plug-in installed so they can benefit while surfing and while searching on other engines.
Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare.

SiteAdvisor doesn’t interfere with OneCare in any way; we communicated this to Microsoft and they’ve begun to resolve the issue.
As of February 21st, new installations of OneCare will not message against SiteAdvisor. However, existing users of OneCare will continue to receive these messages until sometime in the spring, when Microsoft says it will fix OneCare installations made prior to February 21.
Turns out that as a general rule, Microsoft recommends running only one security application at a time because of potential performance and "PC stability" issues. We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed.
Rest assured, there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!).
Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched. Thanks for your patience during this time.
We’ve been hearing from some of our users that their systems are slowing to a crawl when trying to access Gmail. Ugh!
It turns out Google’s November Gmail release included some fairly significant, and unexpected, changes that are affecting many SiteAdvisor users on the Internet Explorer 7 platform. The effect is unacceptably high CPU usage.
We’re finishing a patch now that will go out to all our users the week of December 10.
In the meantime, add google.com to SiteAdvisor’s Do Not Warn list and reopen the browser. Doing so will alleviate the issue.


For step-by-step instructions, please visit McAfee's support center.
In early September 2007, concurrent with SiteAdvisor build 2.5, we changed the privacy policy for SiteAdvisor participants in our optional Product Improvement Program (PIP). As you may know, the PIP allows us to keep anonymous statistics on how our software is performing so we are better able to improve it.
Here's what's changed: Under the new privacy policy, we can now share these anonymous statistics with partners. Examples of these statistics would be the number of active SiteAdvisor users in a day, or the number of times users 'mouse over' SiteAdvisor's safe search ratings.
Here's what hasn't changed: We do not collect any personally identifiable information from SiteAdvisor users, whether the user is in the PIP or not. The PIP remains purely optional and by default, SiteAdvisor users do not participate. Users who opt-in to the PIP can still leave at any time by clicking on the settings menu found on the McAfee SiteAdvisor logo.
Back in March, we published Mapping the Mal Web, an in-depth look at country-level domains. Tokelau (.tk) was the riskiest overall, with 10.1% of all tested domains rated red or yellow. Turns out that the people in a position to do something about that score took notice.
Dot TK, the private company that administers the domain on behalf of Tokelau (a territory of New Zealand), says it will install a system to filter malicious content. According to the CEO of Dot TK, the McAfee report spurred the new process: “We saw a decline of approximately 10% of new registrations in the countries where this report hit the press.”
According to press reports, Tokelau earns a double digit percentage of its GDP from revenue generated by the .tk domain.
Update:
Thanks to the hundreds of thousands of people who took our phishing quiz. We're now examining the results. Look for more interactive features from McAfee in the future!
Can you spot the phish?
How well can you spot phishing sites? Many of the readers of this blog are pretty savvy when it comes to security issues. So, we’ve created a deceptively easy but devilishly hard 10-question phishing quiz. Are you up to the challenge?
Our Phishing Quiz follows on the heels of our Spyware and Spam quizzes. More than 120,000 test results later, we can safely say that we have a lot of work left to do. The average score for the spyware quiz was 59%. For the spam quiz, 55%.
MailFrontier published the first phishing quiz back in 2004. Given the persistence and mutability of this plague, we thought it was time to revisit the issue. Whether it's rockphishing, or Flash phish or MySpace scams, phishing continues to evolve and ensnare both the ignorant – the people who don’t know better – and the arrogant – the people who should know better. And victims continue to lose real money. According to Gartner, per victim losses soared from $257 in 2004 to $1,244 in 2006. That’s nearly a 5-fold increase.
We encourage folks to share the quiz with friends and family. Use your expertise and the opportunity presented by the quiz to share some of our hard earned collective knowledge about phishing. Who knows? We might even save a few people from getting hooked.
Our automated crawlers detect thousands of exploits every day. Recently, we have detected a spike in the number of exploits spreading across certain hosting sites. The worst offender seems to be proboards.com, an Internet forum provider, which hosts over two million online forums. We have also seen spikes in active exploits on hosting sites like neosite.ro.
The examples above may be indicative of a trend of hosters being targeted for attack. That, in turn, is affecting hundreds or even thousands of their sub-domains. In the wake of this threat, hosting providers need to be more vigilant, so that they’re not putting their users at undue risk the way that ProBoards seems to be doing.
On proboards.com, we have detected hundreds of unique exploits, and we estimate thousands of sub-domains may actually be affected. When we visited one of the hacked ProBoards sub-domains we were redirected to advancedhunt.com, which hijacked our browser to display deceptive warnings of spyware infestation followed by a stealth installation of the rogue anti-spyware program PestTrap.


We are contacting the providers and will keep you posted. In the meantime, users should be very cautious of any sub-domains on these sites.
We will soon be marking these sites red until the providers clean up their acts. The irony is that many providers have recently proclaimed increased concern about anti-malware. We wish they would direct some of that concern to themselves and spend some time to clean up their own sites.
Breaking into someone else's MySpace account has gotten a lot of press recently, with a nasty fight between celebrity hotties Shanna Moakler, Lindsay Lohan, and Paris Hilton. But assuming you're not Paris, why would anyone want your MySpace password? And assuming you're smarter than Paris and don't use your dog's name, how would they get that password?
Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system-- people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe myspace.com/secretlyironic has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.
To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on messageboards to attract traffic to the profile. As we discussed in an earlier post, it's easy enough to overlay a transparent image on a page like this one (Replace the word 'colon' to visit this page. We recommend using a virtual machine to visit.) Clicks can then direct readers to any site you like. Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to login. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger.
About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: loginyspace, myspacev, rmnyspacies, and so forth. They also come and go quickly-- none of those sites even exists right now.
To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.
For the past couple of weeks, we've been seeing an increase in spam advertising a fake application called WinFixer.
This particular wave of spam claims to come from a man named Pierre Boutin and is aimed at Francophones. We've also seen versions in English but the product is the same - a rogue program which gives you false warnings about viruses, then encourages you to buy the fake anti-spyware software -- which may even make things worse, according to research from Sunbelt Software.
The application has been around for awhile in a variety of forms. For example, you may have seen popups that look like Windows warning dialogs and say "If your computer has been running slower than normal, it may be infected with Viruses, Adware, or Spyware."
That's the same application. It also goes by the names ErrorSafe, DriveCleaner, WinAntiSpyware, ECsecured and WinAntiVirus. Sunbelt has also found WinFixer promoted on a series of fake security sites.
Another variant of the same application goes under the name of PrivacyProtector. The PrivacyProtector website is currently rated green by SiteAdvisor, because it hasn't had any downloads for us to test. However, we'll be overriding that to red shortly, based on its association with WinFixer.
There's already a class-action lawsuit against the makers and distributors of the program. The lawyer who leads the action (quoted in this Silicon Valley television news investigation) claims that WinFixer generates as much as $34 million per year in ill-gotten revenue.
The plaintiffs are having trouble locating the actual scammers, though: according to Wikipedia, the application and its associated domains have an ownership trail that runs through the UK, the Ukraine, and Belize.
At any rate, if you find an offer to install WinFixer or any of its relatives, don't. And if it installs itself, don't pay for it-- look for a way to get rid of it, instead. You can protect yourself by using SiteAdvisor, and also by using the Firefox web browser, which may be somewhat more resistant to automatic installation attacks.
NASCAR is one of the most popular and fastest-growing spectator sports in the United States, but that doesn't stop the occasional race track from going under, like Tioga Motorsports Park did in 2005. It looks like their troubles started before that, though: as far back as 2002, someone had registered the domain "tiogamotorsportspark dot com" and set up a different kind of racy site-- one we rate red.
Actually, they did something a little trickier than that: They set up a redirect from there to another red site, impliedscripting dot com, and then from there to the red site repuc dot info and finally from that to the security-risk porno site advancedhunt dot com. On Advanced Hunt, files continue to load from a series of sites identified only by IP address.
Unfortunately for any unsuspecting race fans, the trouble doesn't end there. Our exploit expert Harry says the site is also host to Spy Sheriff, a program that pretends to be anti-spyware and is nearly impossible to remove once it's installed. Spy Sheriff, also known as "Pest Trap," tries to trick computer users into buying the program by warning them about made-up threats to their systems.
Here's a video-- watch the status bar in the lower left corner of the window as it cycles through the different risky websites. Then, notice the dialog that pops up warning about infections: that's Spy Sheriff.
This isn't strictly SiteAdvisor-related, but be sure to update your Windows to protect you from a new attack based on animated cursors. The latest variation is appearing in spam messages that feature naked celebrities. Secure Computing has more details.
Over the last few weeks, prominent blogger Kathy Sierra has been making headlines when she was the recipient of a series of increasingly violent threats on her blog and other websites. Internet pundits gathered together to try to promote civility online. Tim O'Reilly and others have proposed a blogger code of conduct.
It's an extreme example of an issue the Web has long struggled with -- how to deal with trolls: people who derive a special joy in annoying, offending, disrupting, and threatening other people online. One (non-violent) kind of trolling is called crapflooding -- joining a blog or forum to provoke controversy or just crowd out conversation by posting nonsense. The sheer volume of comments can sometimes overwhelm servers.
In other words, they're jerks.
SiteAdvisor's take on shock sites
SiteAdvisor flags trolls as "red," not for obnoxious behavior, but for noxious coding. In a favorite tactic, trolls trick people into visiting shock sites, web pages designed to horrify. For example, someone might join a technical discussion to say "I've found a relevant whitepaper on the topic over here..." and then link to the shock site instead. The best-known is "goatse" which prominently features a man's distended anus. Links to the goatse page were so common in Slashdot discussions that the site owners had to develop a series of countermeasures aimed at making it more obvious where links were headed. They were only somewhat effective.
Perhaps the most ambitious shock site yet was produced in 2005 by the trolling group GNAA. Called "Last Measure," it combines JavaScript, Java, and Flash exploits to open hundreds or thousands of browser windows which move around the screen. Each window displays a randomly selected medical or sexual anomaly from around the world, and a dozen or so embedded media players which scream "Hey everybody! I'm looking at gay porno!" If you've accidentally clicked on it at work, and happen to have speakers on, expect everyone to come see just what you've done. Then be prepared to try to undo some damage: it's probably gotten into your registry. On some systems, Last Measure will also attempt to start email and IRC clients. Even on our relatively secure Windows XP test machine, with popup-blocking turned on, we had to reboot to get rid of the page.
Want to see what it looks like? Here's a video. We've clipped the porn out, but left in the unsettling medical photos and screaming.
Taking the Last Measure to MySpace
Mirrors of the Last Measure code have cropped up on a few sites around the web, including this one, flagged as red by SiteAdvisor. Message-board pranksters have been playing the same games with it as usual: we spotted a MySpace group where all the links are switched to Last Measure sites (click here if you really want to see it). They achieved this not through some secret hack, but with relatively simple HTML: MySpace lets users post linked images in messages. GNAA posted a message with a transparent image set to cover the entire page, and linked that image to Last Measure.

Images on this MySpace Forum re-direct to a Last Measure mirror site
Note in particular the "u=" argument on the linked URL. It allows the GNAA member "timecop" to take credit for everyone who clicks through to Last Measure from this page.
What's the motivation of the Last Measure gang? It's hard to tell. There might be a financial angle: if the registry changes create security holes, GNAA members could come back later and install adware or spyware, or simply sell the addresses of compromised systems to third party attackers. On the other hand, they could be doing it because they enjoy ruining it for everyone else. Taking credit in the URL argument seems to point to some kind of a contest between timecop and other GNAA members over who can trick more people into visiting the shock sites.
Whatever the motivation, the losers in this battle are clear -- forums and blogs that become unusable and the consumers, often kids, who are exposed to hateful content. SiteAdvisor will continue to flag these kinds of sites red.
Hey, you know what would be fun? Taking the kids to one of those renaissance fairs. We'll be able to walk around outside, and the kids will enjoy the candy apples and costumes. They might even learn something. I think it's next weekend-- it's called King Richard's Park, right?
Uh oh.
There are numerous renaissance festivals named after King Richard, most of which are good family fun. But one fairground, King Richard's Park.com, isn't exactly worth a trip. Instead, it's a site that behaves in a most unchivalrous fashion: when we visited, it installed a toolbar on our system without even asking for permission.
Rogue toolbars can do just about anything (see this Ars Technica article on malware for background and some examples) but in this case, it's serving up unrequested, unwanted advertising as part of the notorious CoolWebSearch system.
But to be honest, we don't even have to know what it does to know that it's up to no good. If you found an intruder in your living room at three in the morning, you'd know something was wrong. If they had any business being in your home, they would have knocked.
King Richard's Park is a great example of a site that uses two tricks at once. It attracts visitors by using a URL and keywords which are confusingly similar to legitimate pages, and then uses a browser exploit to install software without permission.
Who suffers? The consumer who makes the typing mistake and the legitimate business that lost a potential customer. In this case, most visitors are probably looking for King Richard's Family Fun Park, or a renaissance festival like the one described at kingrichardsfaire.net. If you're looking for 16th-century-themed fairs and events in your area, try the list at renaissancefestival.com.
Note: as of press time, the exploit seems to have been removed from the website, but it remains a misleading URL.
Is your typing absolutely perfect? Of course not. It's easy for anyone to enter gogle for google, or tahoo for yahoo. Many of these misspellings are totally harmless. Tahoo is a green-rated Japanese site. Anyone who visits it by accident quickly notices their mistake and heads for Yahoo instead.
But that's not always the case. As with so many other Web safety mistakes people make, there are people out there waiting to take advantage. One of the most common scams is called typosquatting - the act of buying up common misspellings and waiting for people, and profit, to stumble in. When someone arrives at the page by accident, the squatter typically shows them ads, hoping to make a few cents if someone clicks on one. As more people click on the ads, those cents add up. It doesn't take a lot of traffic to make a profit. According to an analysis by Microsoft, a parked domain needs only one unique visitor every two days to cover its basic costs.
Because typosquatters are sites people usually want to avoid, and because they sometimes bring users to even less savory locations or show pornographic ads, SiteAdvisor recently started rating them yellow. We wanted to share a few interesting finds.
One site that's attracted a lot of typosquatters is the mortgage site LendingTree. In fact, we found 77 misspellings designed to cash in on LendingTree's popularity. There's big money to be made in mortgage referrals, so it's not surprising that there are a lot of people seeking to cash in, ethically or not. Let's start with lewndingtree.com, a rather typical typosquatter: it's just a placeholder page full of mortgage and home-finance related advertisements. For some people, that's mildly annoying, but it's not too difficult to notice and head back the other way. However, some fraction of lendingtree.com searchers will click on one of these sponsored links, which in turn will pay the owner of "lewndingtree" a fee. Since they don't fill the screen with popups or try to compromise a visitor's computer, we count them as merely annoying.

A typosquatting web page with advertisements.
Another common variation is redirecting users to the site they meant to go to, but charging the destination for the service. In this case, the consumer doesn't suffer, but LendingTree does, because it pays the parasite for the traffic. For example, "lsndingtree.com" redirects to a LendingTree page with affiliate-tracking in the URL. In other words, they're billing LendingTree for a new customer referral as though they had made a recommendation the user actually considered-- while that user was already going to the site anyway!
Other redirects include lenndingtree.com, which immediately sent us to a site advertising a very expensive exercise contraption, and le.ndingtree.com, which seemed to be full of ads for different kinds of tree-related advice and services. It just seems totally bizarre to serve these kinds of off-topic ads when you know your victims want to hear about mortgages. Perhaps it didn't make sense to the typosquatters, either: the first site disappeared some time last week.
We were redirected to this page from another typosquatter.
Of course, that doesn't mean that every typo is an invitation to trouble. For example, Google owns gogle.com, which redirects visitors to the main Google page without a word. Still, no matter how many misspellings they do buy, legitimate Web sites can't get all the variations on their names, and there are plenty of targets: the owner of "lsndingtree.com" also owns a similar site, "hritishairways.com," aimed at poaching traffic from British Airways.
In the future, we'll look at other aspects of typosquatting, from the economics of typosquatting to the science of picking which misspellings will get the most traffic. In the meantime, be extra careful typing the URL for financial services sites.
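The look-alike names walked through above (lewndingtree, lsndingtree, lenndingtree, le.ndingtree, hritishairways) can be caught mechanically. The following is an added example, not SiteAdvisor's rating code: it scores a hostname against a watched brand list with Damerau-Levenshtein edit distance and treats the dot-insertion case separately; the brand list and allowlist are assumptions, and the sample hostnames are the ones named in the post.

```python
"""Flag hostnames that look like typosquats of watched brand names.

Added example, not SiteAdvisor code. Damerau-Levenshtein distance counts
insert, delete, substitute and an adjacent-character swap as one edit
each, so a single slip of the fingers scores 1 against the brand it imitates.
"""

# Assumed watch list of brand labels (second-level domain names).
WATCHED_BRANDS = ("britishairways", "google", "lendingtree", "yahoo")

# Assumed allowlist: gogle.com is owned by Google itself and tahoo is an
# unrelated green-rated site, per the post.
ALLOWLIST = {"gogle.com", "tahoo.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance between a and b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(host: str, max_edits: int = 1):
    """Return (verdict, brand) for a hostname.

    Verdicts: 'allowlisted'; 'legitimate' (the brand's own domain or a
    subdomain of it); 'dot-insertion' (le.ndingtree.com: the brand name
    survives once the dots left of the TLD are removed); 'typosquat'
    (second-level label within max_edits of a brand); or 'unrelated'.
    """
    host = host.lower().strip(".")
    if host in ALLOWLIST:
        return ("allowlisted", None)
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    collapsed = "".join(labels[:-1])  # everything left of the TLD, dots removed
    for brand in WATCHED_BRANDS:
        if sld == brand:
            return ("legitimate", brand)
        if collapsed == brand:
            return ("dot-insertion", brand)
        if damerau_levenshtein(sld, brand) <= max_edits:
            return ("typosquat", brand)
    return ("unrelated", None)


def triage(hosts):
    """Classify a batch and keep only the hits an analyst should look at."""
    hits = {}
    for h in hosts:
        verdict = classify(h)
        if verdict[0] in ("typosquat", "dot-insertion"):
            hits[h] = verdict
    return hits


if __name__ == "__main__":
    # Hostnames named in the post, plus the brand's own site as a control.
    SAMPLE = ["lewndingtree.com", "lsndingtree.com", "lenndingtree.com",
              "le.ndingtree.com", "hritishairways.com", "gogle.com",
              "www.lendingtree.com", "tiogamotorsportspark.com"]
    for host, (verdict, brand) in triage(SAMPLE).items():
        print(f"{host:28} {verdict:14} imitates {brand}")
```

Raising max_edits to 2 widens the net but also starts matching short brand labels to unrelated words, so keep the threshold per brand-name length in a real deployment.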