SiteAdvisor Adds Search Safety
Since its inception, Security Fix has warned Microsoft Windows users to be extremely wary of clicking on Web links that arrive via instant messenger or e-mail, as these are the most common ways that malware spreads online today. But the sad truth is that for many Internet users, clicking on unfamiliar links that turn up in Google, MSN or Yahoo search results frequently exposes them to security risks.
For the past few weeks I've been surfing the Web with the help of the beta version of a browser add-on called SiteAdvisor, a tool that offers users a fair amount of information about the relative safety and security of sites that show up in Internet searches. As I played around with this program, it became clear that this is a tool that not only allows users to make informed security decisions about a site before they click on a search result link, but it also holds the potential to fuel a more informed public dialogue about the often murky relationship between Fortune 500 companies and the spyware and adware industry.
But more on the Fortune 500 stuff later. SiteAdvisor is a browser add-on for Firefox or Internet Explorer that tries to interpret the relative safety of clicking on Web search results. With SiteAdvisor installed, each listing is accompanied by a small color-coded icon that indicates whether the software developers have received any reports of scammy, spammy or outright malicious activity emanating from the site.
The software gets its intel from a proprietary "spidering" technology that crawls around the Web much the same way as search engines do. The company's spiders browse sites with the equivalent of an unpatched version of IE to see if sites try to use any security exploits to install spyware or adware on a visitor's machine.
"Our attitude is, if a site gives you an exploit with an older version of IE, it's probably not one you want to visit with a newer version," said Chris Dixon, one of SiteAdvisor's co-founders.
If you use IE and try to visit any site that the program has seen using security vulnerabilities to install software, the program immediately redirects you to a SiteAdvisor page offering more information on the threat posed by the site (users can still choose to visit the site if they so wish after the initial warning). All such sites will earn a big red "X" next to their search listing, as will others that threaten to bombard subscribers with junk e-mail or have questionable relationships with third-party advertisers or shady Web sites.
Hover over the red "X" with your mouse arrow and a small window appears urging you to exercise "extreme caution" in visiting the site. If you then visit the site, a red dialogue box emerges that offers a brief description of why SiteAdvisor doesn't like it.
SiteAdvisor also may assign a green check mark (all clear), a yellow exclamation point (some fishy behavior found) or a grey question mark (not enough info to assign a rating yet), though I only encountered one or two grey marks in my browsing. Regardless of the rating a site receives, each time you hover over a rating it gives you an unobtrusive dialogue box that includes a "more info" link which users can click on to read a more detailed description of the threat as SiteAdvisor sees it.
I searched for "lyrics" in Google (song-lyrics sites are notorious for using exploits to install adware and spyware), and at the time of this writing the first results page turned up two listings earning red marks. Clicking on the "X" next to lyricsplanet.com, for example, brings up a page that includes a ton of additional info, including a warning that reads: "In our tests, we found downloads on this site that some people consider adware, spyware or other unwanted programs."
Drill down to the link underneath that says "More Detailed Analysis," and we see that the badware Lyricsplanet tries to install is known as "ImIServer IEPlugin," which earns a six out of a possible 10 on SiteAdvisor's "Nuisance Score." Below the meter is a link to anti-spyware vendor PestPatrol's writeup on this bugger, which flags it as adware that bombards the user with pop-up ads and tracks their online activities.
I decided to test SiteAdvisor's claims by visiting Lyricsplanet.com with a fresh (unpatched) Windows XP version of IE, and received a pop-up asking me if I wanted to install IEPlugin. My testing was interrupted by a phone call, but when I returned to the browser I noticed another installation pop-up that said "Install Search Update?" with a radio button already checked for me next to the text "I accept the agreement." My options were "accept" or "finish," and I had to uncheck the agreement box to unmask the "abort" option. Hitting "abort" popped up another box that said "Please click yes to proceed with installation." I clicked no, and the box closed, only to reveal the "Intelligent Explorer" toolbar installed on my desktop and in all IE windows.
A look in Windows' "Add/Remove Programs" list showed that the site had also installed three other programs: "Netmon," "Command" and another program called "Tsa.exe." All of these are designed to either snoop on your browsing habits or randomly generate pop-up ads, according to writeups at various anti-spyware forums that track programs like IEPlugin. I received all of that after having declined the installation.
When I went back to the site again and accepted the install of IE plugin, I was immediately bombarded with a massive number of pop-up ads for companies including Verizon Wireless, Cingular and Classmates.com. Shortly after displaying about nine such ads, Internet Explorer crashed, taking the pop-ups with it.
Click on the red X next to the other suspicious listing in our "lyrics" search results in Google -- a "sponsored link" paid for by www.rewardsgetaway.com -- and we find that this site was flagged because users who sign up can expect to receive no fewer than 134 e-mails a week as a result. SiteAdvisor knows this because on any site that asks for an e-mail address, the company signs up with a unique e-mail address that is not used anywhere else for any other purpose. That way, the company can track how many e-mails users can expect to receive from a given site each week should they fork over their e-mail address.
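The unique-address bookkeeping described above can be sketched in a few lines of Python. This is an added illustration, not SiteAdvisor's code; the key, the probe.example catch-all domain, the function names and the sample inbox are all assumptions made up for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

SECRET = b"constructed-demo-key"   # assumption: private key held by the tester
MAIL_DOMAIN = "probe.example"      # assumption: catch-all domain the tester controls


def probe_address(site):
    """Derive the single address that is only ever given to `site`."""
    tag = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{MAIL_DOMAIN}"


def weekly_mail_counts(signups, inbox):
    """signups: {site: signup datetime}; inbox: [(recipient, received datetime)].

    Returns {site: [count in week 0, week 1, ...]} measured from each signup.
    Mail to addresses that were never issued is ignored rather than guessed at.
    """
    owner = {probe_address(site): site for site in signups}
    counts = {site: defaultdict(int) for site in signups}
    for recipient, received in inbox:
        site = owner.get(recipient.lower())
        if site is None or received < signups[site]:
            continue
        week = (received - signups[site]) // timedelta(days=7)
        counts[site][week] += 1
    return {
        site: [weeks[i] for i in range(max(weeks) + 1)] if weeks else []
        for site, weeks in counts.items()
    }


def demo():
    # Constructed sample: one quiet site, one that mails every three hours.
    t0 = datetime(2006, 2, 1)
    signups = {"quiet-site.example": t0, "noisy-site.example": t0}
    inbox = [(probe_address("quiet-site.example"), t0 + timedelta(days=1))]
    inbox += [(probe_address("noisy-site.example"), t0 + timedelta(hours=3 * n))
              for n in range(1, 100)]
    inbox.append(("unknown@probe.example", t0 + timedelta(days=2)))  # never issued
    return weekly_mail_counts(signups, inbox)
```

Because each address is derived from the site name and a private key, any message arriving at it can be attributed to exactly one signup without keeping a separate lookup table.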
Here's where the part about Fortune 500 advertisers comes in. Check out each "more info" page and you'll see a graphic that shows which other sites have an advertising relationship with the Web site you're examining. For example, SiteAdvisor says Lyricsplanet.com is linked via advertising (pop-ups, banner ads or e-mail promotions) to absolutelyrics.com, a site which the software flagged as deceptive or fraudulent.
At first, it was difficult to understand why absolutelyrics.com received such a bad review. After all, it didn't try to foist adware onto my browser or bombard me with requests to sign up for spammy e-mail lists. Rather, SiteAdvisor's advertising relationship graphic shows it has ties to a slew of Web sites offering to sell software or other products available elsewhere for free. Absolutelyrics.com is related to several sites asking for a fee to register immigrants in the U.S. Green Card Lottery -- a legitimate program that grants U.S. visas to about 50,000 people each year at no cost.
Browse the Web long enough with SiteAdvisor and you'll find this kind of dynamic at work most prominently in paid search ads. Enter "Internet Explorer" in Google and you'll see that the top paid result is for a site called "freedownloadhq.com," which tries to sell you a copy of IE. Microsoft gives IE away for free (indeed, you'd be hard-pressed to find a version of Windows that doesn't include it). Google for "Winamp," a popular media player (available for free from the legit site) and you'll see freedownloadhq.com at the top again. You might be asking whether people can get fooled by this type of trick, but if the complaints at just this one site are any indication, there are plenty of takers.
At an anti-spyware coalition conference in D.C. last month, FTC Commissioner Jonathan Leibowitz noted that the only way to really make a dent in the adware and spyware problem is to "out" the big companies who pay shadowy third-party adware companies to market their products. SiteAdvisor could be an incredibly useful tool in helping reporters and researchers do just that. The company is making access to its databases free for non-commercial use under the creative commons license.
"I bet a lot of these larger companies would freak out if [their executives] knew exactly who they were paying to run their ads, because a lot of the bad practices we're seeing ... [are] happening because advertising companies [go] through five levels of intermediaries to get their clients' ads out there," Dixon said. "The public shaming of these companies is critical, because it takes away the 'plausible deniability' excuse."
Each SiteAdvisor site profile contains a "comments" space where any registered reviewer can add their 2 cents. Dixon said the company is working on a "reputation-based system" that would allow fellow members to rate the comments of SiteAdvisor members, thus giving more weight to reviews offered by individuals with a better reputation.
The company is headed by Dixon and a bunch of other students and graduates of the Massachusetts Institute of Technology, and as such it has received a fair amount of venture funding from Bessemer Venture Partners. Its board of directors includes Ben Edelman, one of the nation's preeminent anti-spyware activists and a Ph.D. student at Harvard University, and Avi Rubin, a professor of computer science at Johns Hopkins University.
Dixon said the company's long-term plan is to offer its basic services for free, charging only those companies that want to incorporate the technology into their products, such as instant-messaging applications or e-mail clients.
A couple of minor gripes about SiteAdvisor: For one thing, while there are exploits that allow malicious sites to install software on unpatched Firefox browsers, SiteAdvisor does not currently scan sites for these threats. Also, the company's site database is extensive, but not authoritative. I found a handful of Internet addresses that have been flagged by anti-virus and anti-spyware firms as serving up malware that were marked "safe" by SiteAdvisor. (The company appears to have fixed a problem that blocked site evaluations if users had chosen to nix IE pop-ups.)