SiteAdvisor doesn’t interfere with OneCare in any way; we communicated this to Microsoft and they’ve begun to resolve the issue.

As of February 21st, new installations of OneCare will not message against SiteAdvisor. However, existing users of OneCare will continue to receive these messages until sometime in the spring, when Microsoft says it will fix OneCare installations made prior to February 21.

Turns out that as a general rule, Microsoft recommends running only one security application at a time because of potential performance and "PC stability" issues. We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed.

Rest assured, there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!).

Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched. Thanks for your patience during this time.

We’re finishing a patch now that will go out to all our users the week of December 10.

In the meantime, add google.com to SiteAdvisor’s Do Not Warn list and reopen the browser. Doing so will alleviate the issue.

For step-by-step instructions, please visit McAfee's support center.

Here's what's changed: Under the new privacy policy, we can now share these anonymous statistics with partners. Examples of these statistics would be the number of active SiteAdvisor users in a day, or the number of times users 'mouse over' SiteAdvisor's safe search ratings.

Here's what hasn't changed: We do not collect any personally identifiable information from SiteAdvisor users, whether the user is in the PIP or not. The PIP remains purely optional and by default, SiteAdvisor users do not participate. Users who opt-in to the PIP can still leave at any time by clicking on the settings menu found on the McAfee SiteAdvisor logo.

Dot TK, the private company that administers the domain on behalf of Tokelau (a territory of New Zealand), says it will install a system to filter malicious content. According to the CEO of Dot TK, the McAfee report spurred the new process: “We saw a decline of approximately 10% of new registrations in the countries where this report hit the press.”

According to press reports, Tokelau earns a double digit percentage of its GDP from revenue generated by the .tk domain.

Thanks to the hundreds of thousands of people who took our phishing quiz. We're now examining the results. Look for more interactive features from McAfee in the future!

Can you spot the phish?

How well can you spot phishing sites? Many of the readers of this blog are pretty savvy when it comes to security issues. So, we’ve created a deceptively easy but devilishly hard 10-question phishing quiz. Are you up to the challenge?

Our Phishing Quiz follows on the heels of our Spyware and Spam quizzes. More than 120,000 test results later, we can safely say that we have a lot of work left to do. The average score for the spyware quiz was 59%. For the spam quiz, 55%.

MailFrontier published the first phishing quiz back in 2004. Given the persistence and mutability of this plague, we thought it was time to revisit the issue. Whether it's rockphishing, or Flash phish or MySpace scams, phishing continues to evolve and ensnare both the ignorant – the people who don’t know better – and the arrogant – the people who should know better. And victims continue to lose real money. According to Gartner, per victim losses soared from $257 in 2004 to $1,244 in 2006. That’s nearly a 5-fold increase.

We encourage folks to share the quiz with friends and family. Use your expertise and the opportunity presented by the quiz to share some of our hard earned collective knowledge about phishing. Who knows? We might even save a few people from getting hooked.

The examples above may be indicative of a trend of hosters being targeted for attack. That, in turn, is affecting hundreds or even thousands of their sub-domains. In the wake of this threat, hosting providers need to be more vigilant, so that they’re not putting their users at undue risk the way that ProBoards seems to be doing.

On proboards.com, we have detected hundreds of unique exploits, and we estimate thousands of sub-domains may actually be affected. When we visited one of the hacked ProBoards sub-domains we were redirected to advancedhunt.com, which hijacked our browser to display deceptive warnings of spyware infestation followed by a stealth installation of the rogue anti-spyware program PestTrap.

We are contacting the providers and will keep you posted. In the meantime, users should be very cautious of any sub-domains on these sites.

We will soon be marking these sites red until the providers clean up their acts. The irony is that many providers have recently proclaimed increased concern about anti-malware. We wish they would direct some of that concern to themselves and spend some time to clean up their own sites.

Harry Sverdlove, the developer of our exploit crawl, found one recently that is too "good" not to share. It's reminiscent of the shock sites we looked at recently and remarkably easy to execute. The tricks begin with the domain itself -- http(colon)//www777.bravehost.com. By creating a cleverly named sub-domain, the creator of the hack borrows the legitimacy of the parent domain. But that's a minor point.

Take a look at the following video (7.5MB .mov file) and then read Harry's analysis of what's going on behind the screen.

The Exploited
It's actually amazing how simple this little puppy is. It doesn't seem to actually cause any permanent damage (aside from possibly crashing your system and annoying the heck out of you). It doesn't even seem to rely on any actual browser vulnerabilities – just stupid things the browser allows, and references to various other sites. Even calling this an "exploit" is probably a stretch.

The Ads
Before the fun can begin, three copies of the same hoster advertising are shown, containing some random banners ads (from mercury.bravenet.com) and popup advertising windows (from jupiter.bravenet.com).

The Gross
Then three truly offensive pictures are shown (taken from some user's home page at geocities.jp). If you want to see them – and please be warned these are just gross – replace the word 'colon'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/sexy_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/kawaii_gal.JPG
http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/albarosa_good.JPG

Followed by 99 repeats of a blood curdling scream. Again, replace the word 'colon'.

http(colon)//www.geocities.jp/manave_kawori/chou_bittkuri_hieee/kyouretsu_ver/bittkuri_voice.wav

The Taunt
Then you get treated to four copies of a flash movie singing about what an idiot you are. See:

http(colon)//www.albinoblacksheep.com/flash/you.html

(Note: Many anti-virus engines will flag on the above link, including McAfee (which detects this as "JS/Winbomb trojan"). This is because the JavaScript contains commands to move the browser window around making it hard to close. If you are using IE6 or later, or FireFox, that functionality is no longer allowed so you will not see this behavior. In any case, the behavior is not damaging, just annoying.)

The Visual
Then the fun begins, and it's really too bad – because this occurs too soon after the above prelude, so most people won't even see what happened above.

A script opens 200 telnet windows, all of them trying to contact www.warez.com. In and of itself, this probably doesn't do anything damaging to your system (except to eat up resources and bandwidth, and possibly overload warez.com) but it does make for a rather dramatic visual effect.

Aside from the distraction, it could serve another purpose – there are a number of exploits which can be used to overwrite the default telnet.exe program. If that were accomplished by the earlier code, then the new/infected "telnet.exe" would be easy to launch from a browser by simply embedding "telnet://" urls as is being done here. In our tests, we did not observe telnet.exe being overwritten.

It's amazingly simple how this can be achieved using two lines of JavaScript. (Contact us directly for details).

The Finale
After the "telnet effect", there is a simple piece of JavaScript that enters an infinite loop trying to view random files on drive A: (typically the floppy disk drive). This basically will hang the browser, likely open an infinite number of Notepad windows, display an infinite number of "Drive not ready" messages (assuming there actually isn't some readable media in A:) and eventually just start displaying crash dialog boxes. The combination of this and the earlier telnet windows, songs, and nasty images and you are likely to just throw the computer away if it hasn't already crashed on you.

What is remarkable is how easy it is to hose a system with another short piece of JavaScript code. (Contact us directly for details). That's all it takes to grind a browser to a halt, pound your A: drive into submission, and overload Windows by launching too many processes.

Well, they'd want it for a number of reasons. One would be to spam your friends through the MySpace comment and message system-- people are far more likely to open a message if it appears to come from a friend or acquaintance, after all. They can also use your MySpace profile to direct your friends and acquaintances to dangerous or unscrupulous websites. Finally, they can try your username and password combination on other websites: maybe myspace.com/secretlyironic has the same password as secretlyironic@yahoo.com, and maybe there's a bank account with that same user name and password. We don't have to tell you what happens then.

To start harvesting passwords, an attacker starts with a fake profile of their own, and begins collecting friends and posting on messageboards to attract traffic to the profile. As we discussed in an earlier post, it's easy enough to overlay a transparent image on a page like this one (Replace the word 'colon' to visit this page. We recommend using a virtual machine to visit.) Clicks can then direct readers to any site you like. Password thieves will use that trick to get victims to a page that looks exactly like a MySpace login screen, and prompt them to login. When they do, they'll end up back at the MySpace home page, apparently logged in. It looks like an accidental logout, but it's not: they've just handed their credentials to a stranger.

About 90% of the phishing sites we find and flag as red are aimed at MySpace, and many of them have names designed to look like MySpace-related URLs: loginyspace, myspacev, and rmnyspacies, and so forth. They also come and go quickly-- none of those sites even exists right now.

To avoid getting caught, always double-check the URL when you get an unexpected login prompt. To minimize damage if you do get hacked, use different passwords for your social networking account and your bank account, and report any unauthorized access immediately.

This particular wave of spam claims to come from a man named Pierre Boutin and is aimed at Francophones. We've also seen versions in English but the product is the same - a rogue program which gives you false warnings about viruses, then encourages you to buy the fake anti-spyware software -- which may even make things worse, according to research from Sunbelt Software.

The application has been around for awhile in a variety of forms. For example, you may have seen popups that look like Windows warning dialogs and say "If your computer has been running slower than normal, it may be infected with Viruses, Adware, or Spyware."

A misleading popup designed to look like a Windows dialog.

That's the same application. It also goes by the names ErrorSafe, DriveCleaner, WinAntiSpyware, ECsecured and WinAntiVirus. Sunbelt has also found Winfixer promoted on a series of fake security sites.

Another variant of the same application goes under the name of PrivacyProtector. The PrivacyProtector website is currently rated green by SiteAdvisor, because it hasn't had any downloads for us to test. However, we'll be overriding that to red shortly, based on its association with WinFixer.

There's already a class-action lawsuit against the makers and distributors of the program. The lawyer who leads the action (quoted in this Silicon Valley television news investigation) claims that WinFixer generates as much as $34 million per year in ill-gotten revenue:

The plaintiffs are having trouble locating the actual scammers, though: according to Wikipedia, the application and its associated domains have an ownership trail that runs through the UK, the Ukraine, and Belize.

At any rate, if you find an offer to install WinFixer or any of its relatives, don't. And if it installs itself, don't pay for it-- look for a way to get rid of it, instead. You can protect yourself by using SiteAdvisor, and also by using the Firefox web browser, which may be somewhat more resistant to automatic installation attacks.

Actually, they did something a little trickier than that: They set up a redirect from there to another red site, impliedscripting dot com, and then from there to the red site repuc dot info and finally from that to the security-risk porno site advancedhunt dot com. On Advanced Hunt, files continue to load from a series of sites identified only by IP address.

Unfortunately for any unsuspecting race fans, the trouble doesn't end there. Our exploit expert Harry says the site is also host to Spy Sheriff, a program that pretends to be anti-spyware and is nearly impossible to remove once it's installed. Spy Sheriff, also known as "Pest Trap," tries to trick computer users into buying the program by warning them about made-up threats to their systems.

Here's a video-- watch the status bar in the lower left corner of the window as it cycles through the different risky websites. Then, notice the dialog that pops up warning about infections: that's Spy Sheriff.

It's an extreme example of an issue the Web has long struggled with -- how to deal with trolls: people who derive a special joy in annoying, offending, disrupting, and threatening other people online. One (non-violent) kind of trolling is called crapflooding -- joining a blog or forum to provoke controversy or just crowd out conversation by posting nonsense. The sheer volume of comments can sometimes overwhelm servers.

In other words, they're jerks.

SiteAdvisor's take on shock sites

SiteAdvisor flags trolls as "red," not for obnoxious behavior, but for noxious coding. In a favorite tactic, trolls trick people into visiting shock sites, web pages designed to horrify. For example, someone might join a technical discussion to say "I've found a relevant whitepaper on the topic over here..." and then link to the shock site instead. The best-known is "goatse" which prominently features a man's distended anus. Links to the goatse page were so common in Slashdot discussions that the site owners had to develop a series of countermeasures aimed at making it more obvious where links were headed. They were only somewhat effective.

Perhaps the most ambitious shock site yet was produced in 2005 by the trolling group GNAA. Called "Last Measure," it combines JavaScript, Java, and Flash exploits to open hundreds or thousands of browser windows which move around the screen. Each window displays a randomly selected medical or sexual anomaly from around the world, and a dozen or so embedded media players which scream "Hey everybody! I'm looking at gay porno!" If you've accidentally clicked on it at work, and happen to have speakers on, expect everyone to come see just what you've done. Then be prepared to try to undo some damage: it's probably gotten into your registry. On some systems, Last Measure will also attempt to start email and IRC clients. Even on our relatively secure Windows XP test machine, with popup-blocking turned on, we had to reboot to get rid of the page.

Want to see what it looks like? Here's a video. We've clipped the porn out, but left in the unsettling medical photos and screaming.

Taking the Last Measure to MySpace

Mirrors of the Last Measure code have cropped up on a few sites around the web, including this one, flagged as red by SiteAdvisor. Message-board pranksters have been playing the same games with it as usual: we spotted a MySpace group where all the links are switched to Last Measure sites (click here if you really want to see it). They achieved this not through some secret hack, but with relatively simple HTML: MySpace lets users post linked images in messages. GNAA posted a message with a transparent image set to cover the entire page, and linked that image to Last Measure.

Images on this MySpace Forum re-direct to a Last Measure mirror site

Note in particular the "u=" argument on the linked URL. It allows the GNAA member "timecop" to take credit for everyone who clicks through to Last Measure from this page.

What's the motivation of the Last Measure gang? It's hard to tell. There might be a financial angle: if the registry changes create security holes, GNAA members could come back later and install adware or spyware, or simply sell the addresses of compromised systems to third party attackers. On the other hand, they could be doing it because they enjoy ruining it for everyone else. Taking credit in the URL argument seems to point to some kind of a contest between timecop and other GNAA members over who can trick more people into visiting the shock sites.

Whatever the motivation, the losers in this battle are clear -- forums and blogs that become unusable and the consumers, often kids, who are exposed to hateful content. SiteAdvisor will continue to flag these kinds of sites red.

Uh oh.

There are numerous renaissance festivals named after King Richard, most of which are good family fun. But one fairground, King Richard' s Park.com, isn't exactly worth a trip. Instead, it's a site that behaves in a most unchivalrous fashion: when we visited, it installed a toolbar on our system without even asking for permission.

The page you were really looking for: legitimate site kingrichardspark.NET.

Rogue toolbars can do just about anything (see this Ars Technica article on malware for background and some examples) but in this case, it's serving up unrequested, unwanted advertising as part of the notorious CoolWebSearch system.

But to be honest, we don't even have to know what it does to know that it's up to no good. If you found an intruder in your living room at three in the morning, you'd know something was wrong. If they had any business being in your home, they would have knocked.

King Richard's Park is a great example of a site that uses two tricks at once. It attracts visitors by using a URL and keywords which are confusingly similar to legitimate pages, and then uses a broswer exploit to install software without permission.

Who suffers? The consumer who makes the typing mistake and the legitimate business that lost a potential customer. In this case, most visitors are probably looking for King Richard's Family Fun Park, or a renaissance festival like the one described at kingrichardsfaire.net. If you're looking for 16th-century-themed fairs and events in your area, try the list at renaissancefestival.com.

Note: as of press time, the exploit seems to have been removed from the website, but it remains a misleading URL.

But that's not always the case. As with so many other Web safety mistakes people make, there are people out there waiting to take advantage. One of the most common scams is called typosquatting - the act of buying up common misspellings and waiting for people, and profit, to stumble in. When someone arrives at the page by accident, the squatter typically shows them ads, hoping to make a few cents if someone clicks on one. As more people click on on the ads, those cents add up. It doesn't take a lot of traffic to make a profit. According to an analysis by Microsoft a parked domain needs only one unique visitor every two days to cover its basic costs.

Because typosquatters are sites people usually want to avoid, and because they sometimes bring users to even less savory locations or show pornographic ads, SiteAdvisor recently started rating them yellow. We wanted to share a few interesting finds.

One domain site that's attracted a lot of typosquatters is the mortgage site LendingTree. In fact, we found 77 misspellings designed to cash in on LendingTree's popularity. There's big money to be made in mortgage referrals, so it's not surprising that there are a lot of people seeking to cash in, ethically or not. Let's start with lewndingtree.com, a rather typical typosquatter: it's just a placeholder page full of mortgage and home-finance related advertisements. For some people, that's mildly annoying, but it's not too difficult to notice and head back the other way. However, some fraction of lendingtree.com searchers will click on one of these sponsored links which in turn will pay the owner of "lewndingtree" a fee. Since they don't fill the screen with popups or try to compromise a visitor's computer, we count them as merely annoying.

A typosquatting web page with advertisements.

Another common variation is redirecting users to the site they meant to go to, but charging the destination for the service. In this case, the consumer doesn't suffer, but LendingTree does, because it pays the parasite for the traffic. For example, "lsndingtree.com" redirects to a LendingTree page with affiliate-tracking in the URL. In other words, they're billing LendingTree for a new customer referral as though they had made a recommendation the user actually considered-- while that user was already going to the site anyway!

Other redirects include lenndingtree.com, which immediately sent us to a site advertising a very expensive exercise contraption, and le.ndingtree.com, which seemed to be full of ads for different kinds of tree-related advice and services. It just seems totally bizarre to serve these kinds of off-topic ads when you know your victims want to hear about mortgages. Perhaps it didn't make sense to the typosquatters, either: the first site disappeared some time last week.

We were redirected to this page from another typosquatter.

Of course, that doesn't mean that every typo is an invitation to trouble. For example, Google owns gogle.com, which redirects visitors to the main Google page without a word. Still, no matter how many misspellings they do buy, legitimate Web sites can't get all the variations on their names, and there are plenty of targets: the owner of "lsndingtree.com" also owns a similar site, "hritishairways.com," aimed at poaching traffic from British Airways.

In the future, we'll look at other aspects of typosquatting from the economics of typosquatting to the science of picking which misspellings will get the most traffic. In the mean time, be extra careful typing the URL for financial services sites.

But first, a quick clarification about how reviewer comments affect a site's rating. Reviewer comments never automatically change a site's rating. All comments are reviewed by SiteAdvisor to determine when a preponderance of credible evidence indicates a ratings change may be warranted. That means that a given site is not subject to an automatic ratings change by, say, a malicious competitor who posts unsubstantiated negative comments.

So what types of reviews are most likely to be deemed credible, and thus have an impact on a site's rating?

Five Ways to Make Your Reviews Stand Out

1) Identify a scam site we haven’t found yet:

SiteAdvisor staffers try to flag scam sites that would be nearly impossible for our automated ‘bots to catch. For example, we warn about work-at-home sites that promise fantastic pay-outs in return for up-front payment, ringtone sites that employ automatic rebilling without full or adequate disclosure and other sites that sell products or services which are normally available for free. But we can’t find them all. Submit a review about a scam site and clearly explain why it is misleading or deceptive. It’s extra helpful to judge it based on criteria developed by third parties like the U.S. Federal Trade Commission.

2) Refer to the research of other well-established security researchers:

We don’t monitor all the white hats out there conducting their own research. For example, if you find a site with a security breech and the experts at SpywareWarrior, VitalSecurity, or CastleCops agree with you, add a link in your comment to their findings.

3) Weed out False-Positives:

A false-positive refers to a site that received a red rating but actually deserves a green one. This doesn’t happen often, but when it does, it’s often because our automated testing flagged a download from a utilities site or a security researcher. For example, we rated factbites.com as yellow until a user wrote in to clarify that it is a research oriented site that should have been green.

4) Strength in numbers:

The more users who complain about a site rating (particularly users with high reputation scores), the more seriously we’ll consider a reported Web safety issue. That said, while we respect what every reviewer has to say, we don’t always agree. (See the newgrounds.com example from Part 1 of this feature)

5) Be prolific and insightful:

Here’s a case where it pays to do your homework and write often. The more often you submit a review and the more insightful your reviews, the higher your reputation score will become.

Rating posts affects reputation.

Every time a fellow reviewer clicks “yes,” your reputation accumulates more points. Get enough points and your reputation score (out of maximum of 9) goes up.

The higher your reputation, the more weight we will give to your comments. To see our list of reviewers ranked by reputation score, click here.

Two Things to Avoid

1) “Bad” Language:

Profanity and flame wars are not helpful for site ratings, and we'll often remove posts with such language.

2) Vendettas:

This is not the forum to conduct a personal vendetta against a site. If you had a bad e-commerce experience, by all means, share. Include as much detail as possible: was the customer service non-existent? Was the advertising misleading? How? Did the product never arrive? But if you and the site owner are headed for court, leave the depositions with the lawyers. We reserve the right to truncate or remove long, rambling rants, particularly when they become personal.

Three Possible Reasons Your Review Didn’t Change the Site’s Rating

1) Inability to confirm the data:

We encourage you to include details in your posts like your virus scanner alerts, but sometimes, we can’t replicate the result with our own scan. Since we re-test on a regular basis, if the site truly has a safety issue, we’ll catch it sooner or later and document the issue.

2) Not enough time to confirm the data:

Many of our most prolific community members paste the headers and text from spammy e-mails they believe they received from the site in question. With e-mail in particular, however, it takes time to prove that a sign-up at that site results in spammy e-mail, and we'll generally want to recreate and document the issue ourselves before changing a site's rating. (Take a look at the extensive process we go through here). But such comments are still helpful, and allow us to prioritize sites for additional testing. Where there’s smoke, there’s often fire.

3) Not enough data:

We aren’t likely to change a site’s rating based on a single reviewer experience. Especially for e-commerce sites, a single bad experience, no matter how egregious, could be a fluke. We typically require a critical mass of reviewer feedback to accumulate before we change a site’s rating.

Your Suggestions

SiteAdvisor’s Web safety rating system is far richer because of the invaluable human component provided by our volunteers reviewers. We’d like to know your suggestions for Reviewer Central. You can let us know through the comments section of this post.