<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-us">
<title type="text">McAfee SiteAdvisor Blog</title>
<subtitle type="text">What we&apos;re doing, where we&apos;re going and what we&apos;ve found when it comes to Web safety.</subtitle>
<id>http://blog.siteadvisor.com/</id>
<link rel="alternate" type="application/xhtml+xml" href="http://blog.siteadvisor.com/" />
<link rel="self" type="application/atom+xml" href="http://blog.siteadvisor.com/atom.xml"/>
<author>
<name>shane.keats</name>

<email>shane.keats@siteadvisor.com</email>
</author>
<generator uri="http://www.sixapart.com/movabletype/" version="3.2">Movable Type</generator>
<icon>http://www.siteadvisor.com/favicon.ico</icon>
<updated>2009-03-26T17:12:30Z</updated>
<entry>
<title type="text">How site owners can dispute a site rating</title>
<summary type="text">From time to time, it's helpful to remind site owners and others how we respond to site owners who are concerned about our rating for their site, and how we go about resolving disagreements over a rating. McAfee welcomes feedback...</summary>
<content type="html"><![CDATA[<p>From time to time, it's helpful to remind site owners and others how we respond to site owners who are concerned about our rating for their site, and how we go about resolving disagreements over a rating.</p>

<p>McAfee welcomes feedback about its site ratings and encourages site owners to contact us if they believe one or more of our facts regarding their site are in error. We pledge to work cooperatively with those site owners and to respond reasonably to dispute inquiries as quickly as possible. </p>

<p>What follows is an FAQ style description of the site rating dispute process.</p>

<p><strong>How do you submit a site rating dispute?</strong></p>

<p>To begin, please submit your rating dispute online.</p>

<p><a href="http://www.siteadvisor.com/userfeedback.html">http://www.siteadvisor.com/userfeedback.html</a></p>

<p>During the evaluation of this dispute, McAfee communicates with site owners via e-mail.</p>

<p><strong>How will McAfee evaluate the dispute?</strong></p>

<p>McAfee will acknowledge your dispute via e-mail and begin to evaluate the concerns you raise.</p>

<p>Our evaluation can go more quickly if you include details about your dispute. For example, let us know what parts of our test results you are disputing and why you are disputing them. You should review the profile of your site’s test results by searching for it here: <a href="http://www.siteadvisor.com/sites/">http://www.siteadvisor.com/sites/</a></p>

<p>Disagreements with site owners typically fall into two categories. The first kind can be described as “Our site doesn’t do what you say it does.” The second kind can be described as “Our site no longer does what it used to do.” </p>

<p>There are many different cases, but here are two typical examples:</p>

<ul>
<li>A site owner says that the file he offers for download is not a virus.</li>
<li>A site owner says that his site no longer offers the download we found in our previous test, or that the behavior of the download itself has been modified.</li>
</ul>

<p><strong>How long will the evaluation process take?</strong></p>

<p>McAfee will acknowledge your dispute within one business day of receipt. We will initiate an evaluation within five business days. </p>

<p>Once started, evaluations will typically be completed within the following time frames:</p>
<ul>
<li>Claims that a site has changed: Five business days once the evaluation is begun.
<ul><li>Exception: E-mail practices. Evaluating changed e-mail practices takes 60 calendar days once the evaluation is begun because we must give our new test e-mail address significant time to see what kind of e-mail it receives, if any.</li></ul></li>
<li>Claims that McAfee made a mistake: 10 business days once the evaluation is begun.</li>
</ul>

<p><strong>What happens after the evaluation is done? When will my site’s rating change?</strong></p>

<p>McAfee will e-mail the site owner to share the results of its evaluation. </p>

<p>When our evaluation confirms that our test data was in error, the site’s rating will be changed within one business day after we complete our evaluation.</p>

<p>Please note that in some cases, the overall rating for a site might remain red or yellow even if one of the test results used for that rating was wrong. For example, a site with multiple, red rated downloads will remain red even if one of those download ratings is found to be mistaken.  </p>

<p>Sites that were accurately rated red or yellow as a result of our previous tests but have now improved will undergo a re-assessment period before the site rating is changed.</p>

<p><strong>How long does this re-assessment period last?</strong></p>

<p>The re-assessment period can vary from as few as 10 calendar days to as many as 365 calendar days. The length of this period depends on the site’s historical test information and the severity of the issues we found during those previous tests.</p>

<p>For example, sites that were rated red or yellow and have no history of risky behaviors will “go green” faster than sites that have been rated red or yellow multiple times. Sites that re-engage in a behavior that we believe is risky will “go green” slower the next time. Sites that engage in particularly risky behavior like hosting exploit code will also “go green” more slowly.</p>

<p>There are many different cases, but here is a typical example:</p>

<ul>
<li>A site that is rated red for the first time for posting links to a few red rated downloads disputes their site rating and removes the links. The site rating could become green in as few as 10 days after our tests show that the links are gone and no other issues are discovered.</li>
<li>If a subsequent test of that site finds new links to red rated downloads or finds other risky behaviors, the site rating will remain red for at least 30 days after our tests show that the links and other risky behaviors have been removed.</li>
</ul>

<p><strong>How can I contact McAfee?</strong></p>

<p>Site owners are welcome to e-mail <a href="mailto:support@siteadvisor.com">support@siteadvisor.com</a>. E-mail inquiries will result in a “ticket” being created and assigned to a technical support representative. This representative will direct the site owner to begin the dispute resolution process by submitting his complaint at <a href="http://www.siteadvisor.com/userfeedback.html">http://www.siteadvisor.com/userfeedback.html</a>. </p>

<p>The fastest and best way to check on the status of a dispute, submit additional information or express additional concerns is by e-mailing your technical support representative. </p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2009/03/how_site_owners_can_dispute_a.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2009/03/how_site_owners_can_dispute_a.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2009-03-26T16:56:31Z</published>
<updated>2009-03-26T16:56:31Z</updated>
</entry>
<entry>
<title type="text">What Is a SiteAdvisor Site Rating?</title>
<summary type="text">From time to time, we think it's helpful to remind our users, site owners and others what SiteAdvisor software rates and how it rates it. Here's a summary: What Is a SiteAdvisor Site Rating? A site rating is our opinion...</summary>
<content type="html"><![CDATA[<p>From time to time, we think it's helpful to remind our users, site owners and others what SiteAdvisor software rates and how it rates it. Here's a summary:</p>

<p><strong>What Is a SiteAdvisor Site Rating?</strong><br />
A site rating is our opinion of a website's reputation. The site rating is based on our interpretation of a variety of test results that provide the best indication of a site's reputation over time.</p>

<p>We test sites for downloads, browser exploits, e-mail, phishing, e-commerce, pop-ups and cookies and affiliations with other sites.</p>

<p>We use proprietary techniques to visit and test sites. We then analyze the resulting data and present it to users in the form of colored icons. </p>

<p>Green Icon: Very low or no risk issues found.<br />
Yellow Icon: Minor risk issues found.<br />
Red Icon: Serious risk issues found.<br />
Grey Icon: Not yet rated. Use caution.</p>

<p>Detailed information about our test results can be found on each site’s profile page which can be accessed at <a href="http://www.siteadvisor.com/sites">http://www.siteadvisor.com/sites</a></p>

<p><strong>What Is Rated? How Is It Rated?</strong><br />
We test seven attributes of a site. Red, yellow, and green scores are computed from the outcome of these tests. </p>

<p><u>Downloads</u><br />
We test downloadable software that is hosted by and directly linked to from a site. We use our award-winning McAfee anti-virus engine to determine if the file includes malware, such as viruses, Trojans or adware. We also test for program behaviors that we deem to be risky or merit a cautionary note. Behaviors can include resetting the browser’s home page, adding toolbars or desktop shortcuts or contacting 3rd party Web servers. Based on these results, we score the site’s downloads accordingly.</p>

<p><u>E-mail practices</u><br />
We test sites for a variety of e-mail practices including the amount and type of e-mail resulting from a sign up, the ease of unsubscribing and the posting of e-mail addresses.<br />
<em>Receiving Mail: </em>We test receiving mail by entering a valid, unique personal e-mail address into a site’s e-mail form. Then we measure any mail that is received at this unique address. We score the site according to the quantity of mail received as well as the "spamminess" of those e-mails. Spamminess is a measure of the mail’s commercial content, as well as the presence of tricks used by spammers to try to escape detection by spam filters.<br />
<em>Unsubscribe:</em> If we receive e-mail at an address submitted to a site, we try to unsubscribe. We then measure e-mail, if any, received after the unsubscribe attempt. If unsubscribing is not successful after several tries, the site is rated accordingly.<br />
<em>Posting e-mail addresses:</em> After entering unique contact information into a site’s e-mail form, we then see whether that e-mail is posted on the Internet in its unaltered form. We also measure what, if any, e-mail results from the posting.</p>

<p><u>Browser Exploits</u><br />
We perform tests to detect the presence of exploits on a site. An exploit is any content that forces a web browser to perform operations that the user does not explicitly intend. </p>

<p><u>Annoyances</u><br />
When we visit a site, we record how many pop-ups occur and how many cookies we receive. In addition, we monitor prompts to change a browser’s home and search page settings. The presence of cookies is only noted. Cookies do not affect a site’s score.</p>

<p><u>E-Commerce</u><br />
McAfee tests sites for the following e-commerce issues.<br />
<em>Phishing:</em> We use proprietary, award-winning real-time phishing software to evaluate whether the site in question is attempting to mimic a legitimate business or financial institution. <br />
<em>Scams:</em> We use a variety of criteria to determine whether a site in question is engaged in questionable business practices, such as selling rogue anti-spyware.  </p>

<p><u>Links (online affiliations)</u><br />
We collect information about the URL links posted on a site to determine whether the site is affiliated with, or effectively directing traffic to, another site. We rate a site based on our estimation of the risk users could experience if they followed these links to other risky sites.</p>

<p><strong>Why Is a Site Rated Red?</strong><br />
Sites are rated red when, in our judgment, the site poses especially hazardous risks to a user's computer security, there are an exceptional number of annoying behaviors, or there is exceptional information that we believe our users would want to be aware of before or during a visit to that site. Behaviors that typically lead to red site ratings are hosting drive-by exploit code, impersonating a legitimate business (phishing), making unrequested or unexpected system changes, or hosting malware for download at the time of our visit. Sites can also be rated red when we receive unexpected e-mail to the unique e-mail address we submitted to that site, and the e-mails we receive exhibit characteristics consistent with spam e-mail, such as unusual volume or a high “spamminess” score as determined by an automated scanning program. Additionally, we may rate a site red for certain types of linking behavior with other red sites, or when we find a site that engages in activities we believe could be misleading. </p>

<p>Site ratings are calculated automatically based on McAfee’s opinion of the risks associated with the results of the tests performed on a site. </p>

<p>The rating is not intended to measure the site owner’s intent or knowledge. For example, a site that posts the e-mail addresses of its users in plain text, even though unintentionally and without any spam e-mail being received, can earn a red rating because of the increased risk of spam this behavior poses to users. Similarly, a site with numerous links to sites with red site ratings, even though the site owner may be unaware of the risk profile of those linked sites, can earn a red rating because of the increased risk that users will visit potentially dangerous sites or download dangerous programs.</p>

<p><strong>Why Is a Site Rated Yellow?</strong><br />
Sites are rated yellow when, in our judgment, the site exhibits behaviors or has a history that we believe SiteAdvisor users would want to be aware of before or during a visit to that site. However, for yellow sites these factors are not as acutely severe as they are for a red site, or there are other mitigating factors that weigh in favor of a yellow rather than a red rating.</p>

<p><strong>Why Is a Site Rated Gray?</strong><br />
Sites are rated gray when we either have no evidence or are currently collecting evidence about a site. If you would like your site to be tested, please submit your request on our feedback form by clicking here: <a href="http://www.siteadvisor.com/sites/domain/writeComments?firstTry=1&section=domainSuggestion&domain">http://www.siteadvisor.com/sites/domain/writeComments?firstTry=1&section=domainSuggestion&domain</a><br />
</p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2009/03/what_is_a_siteadvisor_site_rat_1.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2009/03/what_is_a_siteadvisor_site_rat_1.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2009-03-26T16:15:00Z</published>
<updated>2009-03-26T16:15:00Z</updated>
</entry>
<entry>
<title type="text">Upgrading your SiteAdvisor software with Secure Search</title>
<summary type="text">We’ve got some big enhancements to the McAfee® SiteAdvisor® software to share with you today. Secure Search McAfee SiteAdvisor technology with Secure Search allows users to block and filter malicious Web sites from search results, provides a Secure Search Box...</summary>
<content type="html"><![CDATA[<p>We’ve got some big enhancements to the McAfee® SiteAdvisor® software to share with you today. </p>

<p><u>Secure Search</u></p>

<p>McAfee SiteAdvisor technology with Secure Search allows users to block and filter malicious Web sites from search results, provides a Secure Search Box for simplified security and integrates McAfee SECURE<SMALL><SUP>TM</SUP></SMALL> trustmarks throughout the consumer Web experience.  Together, these Secure Search features extend McAfee’s commitment to making it easier than ever for consumers to enjoy comprehensive Web Security. The upgrade is free and is available immediately for new and existing users.<br />
 <br />
<u>Secure Search Box</u></p>

<p>Secure Search is centered on the new Secure Search Box. Now, wherever you are on the Web, you can search more securely without first having to navigate to a search engine page. </p>

<p><br />
<img alt="secure_search_box.png" src="http://blog.siteadvisor.com/secure_search_box.png" width="402" height="145" /> </p>

<p><br />
The search box can be toggled on and off via the settings menu.</p>

<p><u>Risky Site Filtering</u></p>

<p>The Secure Search Box also offers you the ability to filter and block red-rated risky sites from your search results.</p>

<p><br />
<img alt="risky site blocking.PNG" src="http://blog.siteadvisor.com/risky%20site%20blocking.PNG" width="519" height="125" />  </p>

<p><br />
That greyed out link means it’s not clickable unless you change your settings.</p>

<p>This feature goes beyond the safety guidance offered by the standard settings and delivers active protection. It’s great for families with children, or for computers that are shared with less experienced, novice Web users. </p>

<p><u>Yahoo! Toolbar</u></p>

<p>Many of you will also see an option to download and install the popular Yahoo! Toolbar, integrated with our Secure Search features! When you download the toolbar and do your searches through the Yahoo! search box, you get three benefits: great Yahoo! search results that get you straight to your answers by predicting what you’re searching for and offering instant suggestions as you type, our safety annotations, and risky site filtering. In addition, after you set it up with your favorite bookmarks, the Yahoo! Toolbar gives you one-click access to the sites you care about most, both on and off Yahoo!</p>

<p><br />
<img alt="mcafee_yahoo_integrated_toolbar.GIF" src="http://blog.siteadvisor.com/mcafee_yahoo_integrated_toolbar.GIF" width="425" height="27" /></p>

<p>The integrated Yahoo toolbar is only available to our IE users at this time.</p>

<p><u>Safer Shopping with verified McAfee SECURE sites</u></p>

<p>We’d also like to call your attention to something you may not have noticed. This summer, we began displaying the McAfee SECURE™ trustmark on sites that have passed rigorous daily testing by the McAfee SECURE service.</p>

<p><br />
<img alt="mcafee_secure_annotations.GIF" src="http://blog.siteadvisor.com/mcafee_secure_annotations.GIF" width="390" height="275" /></p>

<p><br />
What does this mean for you? Your personal information is safer with participating McAfee SECURE vendors! That’s because daily scanning for known threats can help prevent Web sites from falling prey to many forms of hacker crime. Only sites that pass the McAfee SECURE program of daily testing and maintain their overall Green rating from SiteAdvisor technology testing can display the trustmark.  </p>

<p><u>McAfee SECURE shopping Portal</u></p>

<p>When you get a chance, be sure to check out <a href="http://secureshopping.mcafee.com/">McAfee SECURE shopping</a>, a convenient one-stop-shop with more than 1,500 well known e-commerce sites, all of which earn the right to display the McAfee SECURE trustmark. This is a safer online experience whether you’re surfing, searching or shopping.</p>

<p><u>Your feedback</u></p>

<p>Have a comment or suggestion? We're listening <a href="http://www.siteadvisor.com/userfeedback.html">here</a>.</p>

<p><br />
</p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2008/12/upgrading_your_siteadvisor_sof.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2008/12/upgrading_your_siteadvisor_sof.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2008-12-11T18:43:51Z</published>
<updated>2008-12-11T18:43:51Z</updated>
</entry>
<entry>
<title type="text">Hey. How come Yahoo! search looks different today?</title>
<summary type="text">For millions of Yahoo! users, their search experience is now a little different. Alongside their regular Yahoo! search results, they may encounter a new piece of information – the site’s risk rating! We recently announced that McAfee and Yahoo! have...</summary>
<content type="html"><![CDATA[<p>For millions of Yahoo! users, their search experience is now a little different. Alongside their regular Yahoo! search results, they may encounter a new piece of information – the site’s risk rating! </p>

<p><img alt="searchscan_serp_red_generic.JPG" src="http://blog.siteadvisor.com/searchscan_serp_red_generic.JPG" width="374" height="279" /></p>

<p>We recently announced that McAfee and Yahoo! have partnered to launch Yahoo! SearchScan Beta Powered by McAfee, the Web’s first search engine to incorporate such site safety ratings.</p>

<p><strong>What’s under the hood?</strong></p>

<p>Under this beta launch, Yahoo! users in the US, Canada, UK, France, Italy, Germany, Australia, New Zealand and Spain will experience much safer searching thanks to site safety ratings from SiteAdvisor, McAfee’s 5-star rated, award winning safe search tool. </p>

<p>Yahoo! users will immediately benefit by avoiding Web sites that can result in spyware, spam and "browser exploits." </p>

<p>SiteAdvisor users will now see two annotations when they search on Yahoo! – McAfee’s circle and Yahoo! SearchScan’s red triangle. The rating and additional information are the same. </p>

<p>Yahoo! will remove all sites that McAfee has rated red (risky) for download and e-mail practices from sponsored results (the ones on the right and top of the page). In addition, Yahoo will remove all sites that test positive for malicious exploit or "drive-by" code, no matter where they appear on the page. Finally, Yahoo! will display alerts next to red-rated download or e-mail results in the organic part of the search page.</p>

<p>For those Yahoo! users who are unfamiliar with SiteAdvisor, when they mouse over a red rating and click "more details" they’ll open a site profile providing the same in-depth information about the site’s test results that SiteAdvisor’s existing users have come to expect.</p>

<p><img alt="searchscan_dossier_generic.JPG" src="http://blog.siteadvisor.com/searchscan_dossier_generic.JPG" width="393" height="276" /></p>

<p>The added safety will be "on" by default for all users of Yahoo!’s U.S. search portal. Under Yahoo!’s "Search preferences" consumers can easily turn off the new feature or decide to filter out all red results from search results.</p>

<p><strong>What’s Different?</strong></p>

<p>SearchScan uses almost all of our data – but not all of it.  For example, the SiteAdvisor plug-in offers phishing protection. SearchScan does not. Why? Phishing sites are largely a "surfing" phenomenon. They almost never show up in search so it makes sense for Yahoo to work with the most common types of red for now. For another example, we use a pretty complex algorithm to mark sites red if they link to too many other risky sites.  SearchScan is brand new to the Yahoo! community and they’re rightly focusing at first on threats that are easiest to understand – like downloads, spam and exploits. <br />
 <br />
<strong>Taking SiteAdvisor wherever you search and surf</strong></p>

<p>If Yahoo!’s users enjoy this safer search environment, we hope they’ll consider adding the SiteAdvisor plug-in to their browser as well. This way, they can take that new layer of safety to the surfing experience.</p>

<p>In fact, Yahoo!’s SearchScan Beta is not a replacement for SiteAdvisor. Our existing SiteAdvisor users will want to keep their plug-in installed so they can benefit while surfing and while searching on other engines. </p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2008/05/hey_how_come_yahoo_search_look.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2008/05/hey_how_come_yahoo_search_look.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2008-05-20T15:04:17Z</published>
<updated>2008-05-20T15:04:17Z</updated>
</entry>
<entry>
<title type="text">Microsoft OneCare incorrectly tagging SiteAdvisor; Solution in progress</title>
<summary type="text">Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare. SiteAdvisor doesn’t interfere with OneCare in any way; we communicated...</summary>
<content type="html"><![CDATA[<p>Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare. </p>

<p><img alt="onecare_siteadvisor.jpg" src="http://blog.siteadvisor.com/onecare_siteadvisor.jpg" width="519" height="109" /></p>

<p>SiteAdvisor doesn’t interfere with OneCare in any way; we communicated this to Microsoft and they’ve begun to resolve the issue.</p>

<p>As of February 21st, new installations of OneCare will not message against SiteAdvisor. However, existing users of OneCare will continue to receive these messages until sometime in the spring, when Microsoft says it will fix OneCare installations made prior to February 21.</p>

<p>Turns out that as a general rule, Microsoft recommends running only one security application at a time because of potential performance and "PC stability" issues.  We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed. </p>

<p>Rest assured, there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!).</p>

<p>Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched.  Thanks for your patience during this time.</p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2008/03/microsoft_onecare_incorrectly.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2008/03/microsoft_onecare_incorrectly.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2008-03-06T14:03:16Z</published>
<updated>2008-03-06T14:03:16Z</updated>
</entry>
<entry>
<title type="text">Problems Accessing Gmail?</title>
<summary type="text">We’ve been hearing from some of our users that their systems are slowing to a crawl when trying to access Gmail. Ugh! It turns out Google’s November Gmail release included some fairly significant, and unexpected, changes that are affecting many SiteAdvisor...</summary>
<content type="html"><![CDATA[<p>We’ve been hearing from some of our users that their systems are slowing to a crawl when trying to access Gmail. Ugh! <br />
 <br />
It turns out Google’s November Gmail release included some fairly significant, and unexpected, changes that are affecting many SiteAdvisor users on the Internet Explorer 7 platform. The effect is unacceptably high CPU usage.</p>

<p>We’re finishing a patch now that will go out to all our users the week of December 10.</p>

<p>In the meantime, add google.com to SiteAdvisor’s Do Not Warn list and reopen the browser. Doing so will alleviate the issue.</p>

<p><img alt="donotwarn.png" src="http://blog.siteadvisor.com/donotwarn.png" width="185" height="248" /></p>

<p><img alt="addthiswebsite.png" src="http://blog.siteadvisor.com/addthiswebsite.png" width="254" height="196" /></p>

<p>For step-by-step instructions, please visit McAfee's <a href="http://service.mcafee.com/FAQDocument.aspx?id=307201&lc=1033">support center</a>.<br />
</p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2007/12/problems_accessing_gmail.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/12/problems_accessing_gmail.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-12-06T16:36:26Z</published>
<updated>2007-12-06T16:36:26Z</updated>
</entry>
<entry>
<title type="text">Change to our privacy policy</title>
<summary type="text">In early September 2007, concurrent with SiteAdvisor build 2.5, we changed the privacy policy for SiteAdvisor participants in our optional Product Improvement Program (PIP). As you may know, the PIP allows us to keep anonymous statistics on how our software...</summary>
<content type="html"><![CDATA[<p>In early September 2007, concurrent with SiteAdvisor build 2.5, we changed the privacy policy for SiteAdvisor participants in our optional Product Improvement Program (PIP). As you may know, the PIP allows us to keep anonymous statistics on how our software is performing so we are better able to improve it. </p>

<p>Here's what's changed: Under the new privacy policy, we can now share these anonymous statistics with partners.  Examples of these statistics would be the number of active SiteAdvisor users in a day, or the number of times users 'mouse over' SiteAdvisor's safe search ratings.</p>

<p>Here's what hasn't changed: We do not collect any personally identifiable information from SiteAdvisor users, whether the user is in the PIP or not. The  PIP remains purely optional and by default, SiteAdvisor users do not participate.  Users who opt-in to the PIP can still leave at any time by clicking on the settings menu found on the McAfee SiteAdvisor logo.</p>]]></content>
<category term="/product_news" scheme="http://blog.siteadvisor.com/" label="Product News" />
<id>http://blog.siteadvisor.com/2007/09/change_to_our_privacy_policy.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/09/change_to_our_privacy_policy.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-09-18T18:18:18Z</published>
<updated>2007-09-18T18:18:18Z</updated>
</entry>
<entry>
<title type="text">Mapping the Mal Web Report Forces Change</title>
<summary type="text">Back in March, we published Mapping the Mal Web, an in-depth look at country-level domains. Tokelau (.tk) was the riskiest overall, with 10.1% of all tested domains rated red or yellow. Turns out that the people in a position to...</summary>
<content type="html"><![CDATA[<p>Back in March, we published <a href="http://www.siteadvisor.com/studies/map_malweb_mar2007.html">Mapping the Mal Web</a>, an in-depth look at country-level domains. Tokelau (.tk) was the riskiest overall, with 10.1% of all tested domains rated red or yellow. Turns out that the people in a position to do something about that score took notice.</p>

<p>Dot TK, the private company that administers the domain on behalf of Tokelau (a territory of New Zealand), says it will install a system to filter malicious content.  According to the <a href="http://computerworld.co.nz/news.nsf/scrt/AFD9EFFEFCDF949BCC25731D0082485B">CEO of Dot TK</a>, the McAfee report spurred the new process: “We saw a decline of approximately 10% of new registrations in the countries where this report hit the press.”</p>

<p>According to press reports, Tokelau earns a double digit percentage of its GDP from revenue generated by the .tk domain.</p>]]></content>
<category term="/research" scheme="http://blog.siteadvisor.com/" label="Research" />
<id>http://blog.siteadvisor.com/2007/07/mapping_the_mal_web_report_for.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/07/mapping_the_mal_web_report_for.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-07-26T16:24:26Z</published>
<updated>2007-07-26T16:24:26Z</updated>
</entry>
<entry>
<title type="text">Phish or Fake? Take our phishing quiz and test your Phish IQ.</title>
<summary type="text">Update: Thanks to the hundreds of thousands of people who took our phishing quiz. We're now examining the results. Look for more interactive features from McAfee in the future! Can you spot the phish? How well can you spot phishing...</summary>
<content type="html"><![CDATA[<p><strong>Update:</strong></p>

<p>Thanks to the hundreds of thousands of people who took our phishing quiz.  We're now examining the results. Look for more interactive features from McAfee in the future!</p>

<p><strong>Can you spot the phish?</strong></p>

<p>How well can you spot phishing sites? Many of the readers of this blog are pretty savvy when it comes to security issues. So, we’ve created a deceptively easy but devilishly hard 10-question phishing quiz. Are you up to the challenge?</p>

<p>Our Phishing Quiz follows on the heels of our <a href="http://www.siteadvisor.com/quizzes/spyware_0306.html">Spyware </a>and <a href="http://www.siteadvisor.com/quizzes/spam_0806/">Spam </a>quizzes. More than 120,000 test results later, we can safely say that we have a lot of work left to do. The average score for the spyware quiz was <a href="http://blog.siteadvisor.com/2006/04/failing_grade_test_takers_fail_1.shtml">59%</a>. For the spam quiz, <a href="http://blog.siteadvisor.com/2006/09/intuition_not_enough_to_spot_s.shtml">55%</a>.</p>

<p>MailFrontier published the <a href="http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest">first phishing quiz</a> back in 2004. Given the persistence and mutability of this plague, we thought it was time to revisit the issue. Whether it's <a href="http://reviews.cnet.com/4520-3513_7-6678678-1.html">rockphishing</a>, <a href="http://securitygarden.blogspot.com/2007/01/phishing-phishing-and-phishing.html">Flash phish</a> or <a href="http://mashable.com/2006/10/27/myspace-phishing-attack-appears-on-3000-pages/">MySpace scams</a>, phishing continues to evolve and ensnare both the ignorant – the people who don’t know better – and the arrogant – the people who should know better. And victims continue to lose real money. According to Gartner, per-victim losses soared from $257 in 2004 to $1,244 in 2006. That’s nearly a 5-fold increase.</p>

<p>We encourage folks to share the quiz with friends and family. Use your expertise and the opportunity presented by the quiz to share some of our hard earned collective knowledge about phishing. Who knows? We might even save a few people from getting hooked.</p>]]></content>
<category term="/phishing" scheme="http://blog.siteadvisor.com/" label="phishing" />
<id>http://blog.siteadvisor.com/2007/07/phish_or_fake_take_our_phishin.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/07/phish_or_fake_take_our_phishin.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-07-16T18:21:24Z</published>
<updated>2007-07-16T18:21:24Z</updated>
</entry>
<entry>
<title type="text">Hosting Sites – what are they hosting exactly?</title>
<summary type="text">Our automated crawlers detect thousands of exploits every day. Recently, we have detected a spike in the number of exploits spreading across certain hosting sites. The worst offender seems to be proboards.com, an Internet forum provider, which hosts over two...</summary>
<content type="html"><![CDATA[<p>Our automated crawlers detect thousands of exploits every day. Recently, we have detected a spike in the number of exploits spreading across certain hosting sites.  The worst offender seems to be proboards.com, an Internet forum provider, which hosts over two million online forums. We have also seen spikes in active exploits on hosting sites like neosite.ro. </p>

<p>The examples above may be indicative of a trend of hosters being targeted for attack.  That, in turn, is affecting hundreds or even thousands of their sub-domains. In the wake of this threat, hosting providers need to be more vigilant, so that they’re not putting their users at undue risk the way that ProBoards seems to be doing.</p>

<p>On proboards.com, we have detected hundreds of unique exploits, and we estimate thousands of sub-domains may actually be affected.  When we visited one of the hacked ProBoards sub-domains we were redirected to advancedhunt.com, which hijacked our browser to display deceptive warnings of spyware infestation followed by a stealth installation of the rogue anti-spyware program <a href="http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=138060">PestTrap</a>.  </p>

<p><img alt="proboards1.png" src="http://blog.siteadvisor.com/proboards1.png" width="317" height="130" /></p>

<p><img alt="proboards4_smaller.png" src="http://blog.siteadvisor.com/proboards4_smaller.png" width="450" height="265" /></p>

<p>We are contacting the providers and will keep you posted. In the meantime, users should be very cautious of any sub-domains on these sites.</p>

<p>We will soon be marking these sites red until the providers clean up their acts.  The irony is that many providers have recently proclaimed increased concern about anti-malware.   We wish they would direct some of that concern to themselves and spend some time to clean up their own sites.</p>]]></content>
<category term="/exploits" scheme="http://blog.siteadvisor.com/" label="Exploits" />
<id>http://blog.siteadvisor.com/2007/06/hosting_sites_what_are_they_ho.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/06/hosting_sites_what_are_they_ho.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-06-08T20:55:50Z</published>
<updated>2007-06-08T20:55:50Z</updated>
</entry>
<entry>
<title type="text">Simple Javascript generates &quot;Exploit&quot;</title>
<summary type="text">The Return of Hacking for "Fun"? We regularly find malicious web sites and, nowadays, most of these attacks are run by organized criminals or malware affiliates trying to steal your information or infect your system with rogue software. The days...</summary>
<content type="html"><![CDATA[<p><strong>The Return of Hacking for "Fun"?</strong><br />
We regularly find malicious web sites and, nowadays, most of these attacks are run by organized criminals or malware affiliates trying to steal your information or infect your system with rogue software. The days of teenage hackers sitting in garages testing out their computer savvy while fighting acne seem to be waning. So it is always intriguing to find an attack that seems to serve no purpose but to Shock n' Awe, especially when it doesn't even rely on any browser vulnerabilities or sophisticated tricks.</p>

<p>Harry Sverdlove, the developer of our exploit crawl, found one recently that is too "good" not to share. It's reminiscent of the <a href="http://blog.siteadvisor.com/2007/04/last_measure_shock_site_an_int.shtml">shock sites</a> we looked at recently and remarkably easy to execute. The tricks begin with the <a href="http://www.siteadvisor.com/sites/www777.bravehost.com/summary/">domain </a>itself  -- http(colon)//www777.bravehost.com. By creating a cleverly named sub-domain, the creator of the hack borrows the legitimacy of the parent domain. But that's a minor point. </p>

<p>Take a look at the following video (7.5MB .mov file) and then read Harry's analysis of what's going on behind the screen.</p>

<p><a href="/bravehost_exploit_video.mov"><img src="/bravehost_screengrab.jpg"></a></p>

<p><strong>The Exploited</strong><br />
It's actually amazing how simple this little puppy is. It doesn't seem to actually cause any permanent damage (aside from possibly crashing your system and annoying the heck out of you). It doesn't even seem to rely on any actual browser vulnerabilities – just stupid things the browser allows, and references to various other sites. Even calling this an "exploit" is probably a stretch.</p>

<p><strong>The Ads</strong><br />
Before the fun can begin, three copies of the same hoster advertising are shown, containing some random banners ads (from mercury.bravenet.com) and popup advertising windows (from jupiter.bravenet.com).</p>

<p><strong>The Gross</strong><br />
Then three truly offensive pictures are shown (taken from some user's home page at geocities.jp).  If you want to see them – and please be warned these are just gross – replace the word 'colon'.</p>

<p>http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/sexy_gal.JPG<br />
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/kawaii_gal.JPG<br />
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/albarosa_good.JPG</p>

<p>Followed by 99 repeats of a blood curdling scream. Again, replace the word 'colon'.</p>

<p>http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/bittkuri_voice.wav</p>

<p><strong>The Taunt</strong><br />
Then you get treated to four copies of a flash movie singing about what an idiot you are. See:</p>

<p>http(colon)//www.albinoblacksheep.com/flash/you.html</p>

<p>(Note: Many anti-virus engines will flag the above link, including McAfee (which detects this as "JS/Winbomb trojan"). This is because the JavaScript contains commands to move the browser window around, making it hard to close. If you are using IE6 or later, or Firefox, that functionality is no longer allowed so you will not see this behavior. In any case, the behavior is not damaging, just annoying.)</p>

<p><strong>The Visual</strong><br />
Then the fun begins, and it's really too bad – because this occurs too soon after the above prelude, so most people won't even see what happened above.</p>

<p>A script opens 200 telnet windows, all of them trying to contact www.warez.com. In and of itself, this probably doesn't do anything damaging to your system (except to eat up resources and bandwidth, and possibly overload warez.com) but it does make for a rather dramatic visual effect. <br />
 <br />
Aside from the distraction, it could serve another purpose – there are a number of exploits which can be used to overwrite the default telnet.exe program. If that were accomplished by the earlier code, then the new/infected "telnet.exe" would be easy to launch from a browser by simply embedding "telnet://" urls as is being done here. In our tests, we did not observe telnet.exe being overwritten.</p>

<p>It's amazingly simple how this can be achieved using two lines of JavaScript. (Contact us directly for details).</p>

<p><strong>The Finale</strong><br />
After the "telnet effect", there is a simple piece of JavaScript that enters an infinite loop trying to view random files on drive A: (typically the floppy disk drive). This basically will hang the browser, likely open an infinite number of Notepad windows, display an infinite number of "Drive not ready" messages (assuming there actually isn't some readable media in A:) and eventually just start displaying crash dialog boxes. Combine this with the earlier telnet windows, songs, and nasty images, and you are likely to just throw the computer away if it hasn't already crashed on you.</p>

<p>What is remarkable is how easy it is to hose a system with another short piece of JavaScript code. (Contact us directly for details). That's all it takes to grind a browser to a halt, pound your A: drive into submission, and overload Windows by launching too many processes.</p>]]></content>
<category term="/exploits" scheme="http://blog.siteadvisor.com/" label="Exploits" />
<id>http://blog.siteadvisor.com/2007/06/post.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/06/post.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-06-07T17:36:19Z</published>
<updated>2007-06-07T17:36:19Z</updated>
</entry>
<entry>
<title type="text">MySpace Phishing</title>
<summary type="text">Breaking into someone else's MySpace account has gotten a lot of press recently, with a nasty fight between celebrity hotties Shanna Moakler, Lindsay Lohan, and Paris Hilton. But assuming you're not Paris, why would anyone want your MySpace password? And...</summary>
<content type="html"><![CDATA[<p>Breaking into someone else's MySpace account has gotten a lot of press recently, with a <a href="http://www.thegossipfix.com/2007/04/23/shanna-moakler-hacks-paris-and-lindsay/">nasty fight between celebrity hotties</a> Shanna Moakler, Lindsay Lohan, and Paris Hilton.  But assuming you're not Paris, why would anyone want your MySpace password? And assuming you're smarter than Paris and don't use your dog's name, how would they get that password?</p>

<p>Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system-- people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe <a href="http://myspace.com/secretlyironic">myspace.com/secretlyironic</a> has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.</p>

<p>To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on messageboards to attract traffic to the profile.  As we discussed <a href="http://blog.siteadvisor.com/2007/04/last_measure_shock_site_an_int.shtml">in an earlier post</a>, it's easy enough to overlay a transparent image on a page like <a href="http(colon)//forum.myspace.com/index.cfm?fuseaction=messageboard.viewThread&groupID=101674859&page=35&EntryID=11595270&CategoryID=0&get=1&adTopicId=21&lastpagesent=34&Mytoken=F12C62B2-8FAF-4AF9-80CD67EC56ADECD250321004">this one</a> (Replace the word 'colon' to visit this page. We recommend using a virtual machine to visit.) Clicks can then direct readers to any site you like.  Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to log in. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger. </p>

<p>About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: <a href="http://siteadvisor.com/sites/loginyspace.com">loginyspace</a>, <a href="http://siteadvisor.com/sites/myspacev.com">myspacev</a>, <a href="http://siteadvisor.com/sites/rmnyspacies.com">rmnyspacies</a>, and so forth. They also come and go quickly-- none of those sites even exists right now. </p>

<p>To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.</p>]]></content>
<category term="/phishing" scheme="http://blog.siteadvisor.com/" label="phishing" />
<id>http://blog.siteadvisor.com/2007/05/myspace_phishing_1.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/05/myspace_phishing_1.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-05-01T21:19:00Z</published>
<updated>2007-05-01T21:19:00Z</updated>
</entry>
<entry>
<title type="text">WinFixer Strikes Again</title>
<summary type="text">For the past couple of weeks, we've been seeing an increase in spam advertising a fake application called WinFixer. This particular wave of spam claims to come from a man named Pierre Boutin and is aimed at Francophones. We've also...</summary>
<content type="html"><![CDATA[<p>For the past couple of weeks, we've been seeing an increase in spam advertising a fake application called <a href="http://en.wikipedia.org/wiki/WinFixer">WinFixer</a>.</p>

<p>This particular wave of spam claims to come from a man named Pierre Boutin and is aimed at Francophones. We've also seen versions in English but the product is the same - a <a href="http://www.spywarewarrior.com/rogue_anti-spyware.htm">rogue program</a> which gives you false warnings about viruses, then encourages you to buy the fake anti-spyware software -- which may even make things worse, <a href="http://research.sunbelt-software.com/threatdisplay.aspx?name=WinFixer&threatid=41898">according to research from Sunbelt Software</a>.</p>

<p>The application has been around for a while in a variety of forms. For example, you may have seen popups that look like Windows warning dialogs and say "If your computer has been running slower than normal, it may be infected with Viruses, Adware, or Spyware." </p>

<div style="background-color:#eeeeee;padding:3px;width:563px;height:172px;"><img src="http://blog.siteadvisor.com/images/Winantivirus.png" width="562" height="157" />A misleading popup designed to look like a Windows dialog.<br></div>

<p>That's the same application. It also goes by the names <a href="http://www.siteadvisor.com/sites/errorsafe.com">ErrorSafe</a>, SystemDoctor, SysProtect, <a href="http://www.siteadvisor.com/sites/drivecleaner.com">DriveCleaner</a>, <a href="http://www.siteadvisor.com/sites/winantispyware.com">WinAntiSpyware</a>, ECsecured and <a href="http://www.siteadvisor.com/sites/winantivirus.com">WinAntiVirus</a>.  Sunbelt has also found WinFixer <a href="http://sunbeltblog.blogspot.com/2005/12/another-fake-security-site.html">promoted on a series of fake security sites</a>.</p>

<p>Another variant of the same application goes under the name of PrivacyProtector. The <a href="http://www.siteadvisor.com/sites/privacyprotector.com">PrivacyProtector website is currently rated green</a> by SiteAdvisor, because it hasn't had any downloads for us to test. However, we'll be overriding that to red shortly, based on its association with WinFixer. </p>

<p>There's already a class-action lawsuit against the makers and distributors of the program. The lawyer who leads the action (quoted in this Silicon Valley television news investigation) claims that WinFixer generates as much as $34 million per year in ill-gotten revenue:</p>

<p><object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/zBUZHiKhsog"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/zBUZHiKhsog" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object></p>

<p>The plaintiffs are having trouble locating the actual scammers, though: according to Wikipedia, the application and its associated domains have an ownership trail that runs through the UK, the Ukraine, and Belize.</p>

<p>At any rate, if you find an offer to install WinFixer or any of its relatives, don't. And if it installs itself, don't pay for it-- look for a way to get rid of it, instead. You can protect yourself by using SiteAdvisor, and also by using the <a href="http://firefox.com">Firefox</a> web browser, which may be <a href="http://en.wikipedia.org/wiki/WinFixer#Firefox_Popup">somewhat more resistant</a> to automatic installation attacks.</p>]]></content>
<category term="/spywareadware" scheme="http://blog.siteadvisor.com/" label="spyware/adware" />
<id>http://blog.siteadvisor.com/2007/04/winfixer_strikes_again_1.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/04/winfixer_strikes_again_1.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-04-27T18:43:52Z</published>
<updated>2007-04-27T18:43:52Z</updated>
</entry>
<entry>
<title type="text">NASCAR? No, it&apos;s the Spy Sheriff Exploit</title>
<summary type="text">NASCAR is one of the most popular and fastest-growing spectator sports in the United States, but that doesn't stop the occasional race track from going under, like Tioga Motorsports Park did in 2005. It looks like their troubles started before...</summary>
<content type="html"><![CDATA[<p><a href="http://nascar.com">NASCAR</a> is one of the most popular and fastest-growing spectator sports in the United States, but that doesn't stop the occasional race track from going under, like <a href="http://www.na-motorsports.com/Tracks/NY/Tioga.html">Tioga Motorsports Park</a> did in 2005. It looks like their troubles started before that, though: as far back as 2002, someone had registered the domain "tiogamotorsportspark dot com" and set up a different kind of racy site-- <a href="http://www.siteadvisor.com/sites/tiogamotorsportspark.com">one we rate red</a>.</p>

<p>Actually, they did something a little trickier than that: They set up a redirect from there to another red site, <a href="http://www.siteadvisor.com/sites/impliedscripting.com">impliedscripting dot com</a>, and then from there to the red site <a href="http://www.siteadvisor.com/sites/repuc.info">repuc dot info</a> and finally from <i>that</i> to the security-risk porno site <a href="http://www.siteadvisor.com/sites/advancedhunt.com">advancedhunt dot com</a>. On Advanced Hunt, files continue to load from a series of sites identified only by IP address.</p>

<p>Unfortunately for any unsuspecting race fans, the trouble doesn't end there. Our exploit expert Harry says the site is also host to <a href="http://en.wikipedia.org/wiki/Spy_Sheriff">Spy Sheriff</a>, a program that pretends to be anti-spyware and is nearly impossible to remove once it's installed. Spy Sheriff, also known as "Pest Trap," tries to trick computer users into buying the program by warning them about made-up threats to their systems. </p>

<p>Here's a video-- watch the status bar in the lower left corner of the window as it cycles through the different risky websites. Then, notice the dialog that pops up warning about infections: that's Spy Sheriff.</p>

<p><embed src='http://admin.brightcove.com/destination/player/player.swf' bgcolor='#FFFFFF' flashVars='allowFullScreen=true&initVideoId=770018339&servicesURL=http://www.brightcove.com&viewerSecureGatewayURL=https://www.brightcove.com&cdnURL=http://admin.brightcove.com&autoStart=false' base='http://admin.brightcove.com' name='bcPlayer' width='486' height='412' allowFullScreen='true' allowScriptAccess='always' seamlesstabbing='false' type='application/x-shockwave-flash' swLiveConnect='true' pluginspage='http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash'></embed></p>]]></content>
<category term="/exploits" scheme="http://blog.siteadvisor.com/" label="Exploits" />
<id>http://blog.siteadvisor.com/2007/04/nascar_no_its_the_spy_sherrif.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/04/nascar_no_its_the_spy_sherrif.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-04-19T01:37:44Z</published>
<updated>2007-04-19T01:37:44Z</updated>
</entry>
<entry>
<title type="text">Animated cursor vulnerability continues</title>
<summary type="text">This isn't strictly SiteAdvisor-related, but be sure to update your Windows to protect you from a new attack based on animated cursors. The latest variation is appearing in spam messages that feature naked celebrities. Secure Computing has more details....</summary>
<content type="html"><![CDATA[<p>This isn't strictly SiteAdvisor-related, but be sure to update your Windows to protect you from a new attack based on animated cursors.  The latest variation is appearing in spam messages that feature naked celebrities. <a href="http://www.securecomputing.net.au/news/49685,paris-hilton-images-form-new-ani-attack-replace-britney-spears.aspx">Secure Computing</a> has more details.</p>]]></content>
<category term="/exploits" scheme="http://blog.siteadvisor.com/" label="Exploits" />
<id>http://blog.siteadvisor.com/2007/04/animated_cursor_vulnerability.shtml</id>
<link rel="alternate" href="http://blog.siteadvisor.com/2007/04/animated_cursor_vulnerability.shtml" type="application/xhtml+xml" hreflang="en" />
<published>2007-04-13T21:27:59Z</published>
<updated>2007-04-13T21:27:59Z</updated>
</entry>

</feed>