McAfee SiteAdvisor Blog

To commemorate Halloween and promote Web safety, SiteAdvisor highlights a spooky download alert for the season. Out of all the scary Web safety threats that haunt the Internet’s creepiest corners, “Happy Halloween Animated Screensaver” earns a dishonorable 10 out of 10 on the SiteAdvisor nuisance meter.

This screensaver is hosted at topdesktop.com (SA Report Page), which SiteAdvisor’s tests showed to have 2131 red downloads as of October 31st. If little Timmy instinctively clicked “Yes” or “Install” at every installation prompt, your computer would be overwhelmed by potentially unwanted programs.

What does an install sequence for a “10 out of 10” Web threat nuisance look like?

This screensaver came packed with nine bundled, unrelated programs:

1. Dealio
2. New.net with Quick! browse search assistant
3. WhenU SaveNow (twice)
4. RelevantKnowledge
5. MyWay Home Page Switch
6. Scenic News Messenger
7. Mystery e-mail submission
8. FileSubmit
9. Popular Screensavers Toolbar

We’ll highlight just a few of these to give you the idea, but they carry a similar theme: lots of fine print that gives publishers permission to serve ads based on browser activity.

One of the bundled programs that comes with the Happy Halloween Animated Screensaver is called RelevantKnowledge. This program displays survey questions about user shopping habits and records information like online purchases. It also allows “passively-tracked” online browsing behavior to be sent to ComScore Networks for “market research.” Pretty scary stuff.

RelevantKnowledge install prompt.

Once you complete the “Happy Halloween Animated Screensaver” installation, Internet Explorer opens a MyWay home page switch window. This post-install sequence then asks the user to install three more potentially unwanted programs. That’s three bonus annoyances for the price of one!

MyWay homepage switch prompt.

Here’s another sequence in the install which especially caught our attention. This window – which requests a first name, last name, and an e-mail address – doesn’t reveal where the information will be sent. Can you imagine answering such questions to a complete stranger who stopped you on the street? We recommend you never submit your personal information to any prompt that does not indicate the recipient and how the information will be used.

Name and e-mail submission prompt.

With 9 bundled programs and lots of scary, mysterious corners, clearly the “Happy Halloween Animated Screensaver” will leave several ghosts behind long after Halloween.

This particular screensaver is not an isolated case, though. Screensavers are infamous for the installation of potentially unwanted programs, and Halloween screensavers seem to be particular culprits. See this screenshot of a Google search (from October 30th, 2006) for the search term “Halloween Screensaver” (minus quotes)

An overwhelming majority of the organic search results for Halloween Screensaver are rated red by SiteAdvisor.

The SiteAdvisor team hopes you have a safe and fun Halloween. Install our free toolbar, and we’ll help you avoid the Internet’s tricks so you can enjoy its treats.

Permalink | Comments (3) | TrackBacks (0)

Stop, Identity Thief!

We’ve all seen the bad guys take advantage of the allure of “free” products on the Web. From “free iPods”, to “free downloads”, the Web is full of deceptive come-on’s. Even the government is susceptible. A well-intentioned law to help consumers understand their credit history is in danger of being overwhelmed by scammers.

In 2003, the United States passed the Fair Credit Reporting Act (FCRA), making it easier for consumers to keep tabs on their credit histories. The FCRA requires the three major nationwide consumer reporting companies (Experian, TransUnion, and Equifax) to provide a free credit report, once a year, to anyone who asks.

Credit histories are snapshots in time. By contrast, credit monitoring alerts a consumer of credit changes in near-real time. Government experts say that credit monitoring is one of the best ways to defeat an initially-successful identity theft. It’s an early warning system. Sadly, 85% of the 9+ million people who become victims of identity theft don’t find out they’ve been victimized until they apply for credit. By then, the damage is done: Recovering from a successful theft of one’s identity reportedly can take hundreds of hours.

The FCRA required the three credit reporting agencies to create www.annualcreditreport.com, the only official site where consumers can request a truly free credit report with no strings attached.

We discovered sketchy behavior at a few of the sites that offer "free" credit reports. These sites don't acknowledge truly free credit reports at annualcreditreport.com and automatically bill users if they don't cancel trial memberships.

Imposters

Google “free credit report” and http://www.annualcreditreport.com is the top organic, non-sponsored link. It’s humble. Nothing in the headline about being “free” or official. But it's surrounded by a sea of advertisers who are much less modest.

The official free credit report site is overwhelmed by other, more sensational Web sites.

creditreport.com
http://www.siteadvisor.com/sites/creditreport.com

We estimate that consumers make approximately 1,270,000 million searches every month for “free credit report” and similar terms (based on Yahoo’s 28.8% search market share in July 2006 and 365417 related searches logged by their inventory tool). Creditreport.com is a frequent advertiser for these keywords. The site promises users a free credit report and credit score if the user fills out what appears to be a short registration form. Scroll down below the fold and you’ll find a disclaimer in tiny print.

By ordering a free credit report, you will automatically be enrolled in a 30 day free trial of credit monitoring. You will receive instant notifications of changes to your credit report. You will be billed $9.95 for each month that you continue your membership if you do not cancel your membership within the 30 day trial period.

This is precisely the kind of tactic the FTC warns about:

Other websites that claim to offer “free credit reports,” “free credit scores,” or “free credit monitoring” are not part of the legally mandated free annual credit report program. In some cases, the “free” product comes with strings attached. For example, some sites sign you up for a supposedly “free” service that converts to one you have to pay for after a trial period. If you don’t cancel during the trial period, you may be unwittingly agreeing to let the company start charging fees to your credit card.

freecreditreportsinstantly.com
http://www.siteadvisor.com/sites/freecreditreportinstantly.com

This sign up results in automatic enrollment in a free trial membership for credit monitoring. After the seven day trial, consumers are charged $19.95 every month.

thefreecreditreportsource.com
http://www.siteadvisor.com/sites/thefreecreditreportsource.com

This site claims to give a 30 day trial before they start charging a consumer’s credit card $9.95 per month, a fact disclosed in fine print, at the bottom of a screen, two clicks and one entire top level domain removed.

thefreecreditreportsource.com redirects users to creditreport.com. The order page does not mention any specific fees.

Fees are disclosed in tiny print two screens and one Web site prior to sign up.

On Alert

Some sites count on quick typing, or quick clicking, to get users to their pages. annualcreditreport1.com offers a prominent disclaimer that it is not the official site, but you can bet that plenty of users click through to their advertised offers to make them money.

Some free credit report sites have awkward URLs to take advantage of address bar typos.

The FTC sued an individual “free credit report” Web site, Consumerinfo.com, Inc. The defendant was found liable of deceptive marketing and forced to surrender nearly one million U.S. dollars. The settlement requires Consumerinfo.com, Inc. to “pay redress to deceived consumers, bars deceptive and misleading claims about “free offers”, requires disclosure of terms and conditions of any “free” offers, and requires the defendant to give up $950,000 in ill-gotten gains”. We applaud the government’s action, but there's a glut of scammy Web sites pushing similar scams that are still unchallenged.

Take Action Now

Spyware researcher and SiteAdvisor Advisor Ben Edelman recently critiqued the use of “free” offers in Google Adwords, noting how often the offers violate Federal Trade Commission rules and Google’s own guidelines. Sadly, a well-intentioned law like the one establishing annualcreditreport.com is at risk of being overwhelmed by unscrupulous advertisers who profit from consumer ignorance.

As a modus operandi for avoiding online scams, we recommend caution whenever clicking on an advertisement that promises a service or product for “FREE*!” And as part of a comprehensive plan to help prevent or limit the effects of identity theft, use annualcreditreport.com.

Permalink | Comments (4) | TrackBacks (0)