Protect Yourself From Phishy Web Sites - A Roundup Of Antiphishing Software by Warren Ernst - January 2007 • Vol.7 Issue 1, Page(s) 74-78 in print issue of ComputerPowerUser Magazine. Since a pay-for subscription is required to access the whole article, here are a few important snippets:
Just when you thought you were safe to surf the ’Net with “merely” an antivirus and an antispyware program, a firewall, and a secure Web browser, another online threat arises, along with a matching set of tools to combat it. That threat, called phishing, is now becoming big business, both to the online scammers who are trying to reel you in and to the software writers who want to help you wriggle out of the phisherman’s net unscathed.
...snip...
I consulted a relatively new open-source antiphishing database called the PhishTank (www.phishtank.com), run by OpenDNS, in which motivated users submit “phishy” emails and Web sites. The site’s users inspect and vote on whether posted phishy sites are actually real phishing sites. The PhishTank also lists when the user first submitted the site, when it was verified, and if it is still online or dead. Early on a weekend morning (when I hoped eBay and online banking security officers would be sleeping), I tried accessing 60 “live” phishing sites on Web browsers equipped with different antiphishing tools. During the time it took to compile the list and start testing, 11 of the sites were already offline, and over the course of three hours, six more sites died. Clearly, antiphishing products have to aim at a moving target.
...snip...
Internet Explorer 7 with Windows Live Toolbar and Phishing Filter Add-In - Free - Microsoft - toolbar.live.com; addins.msn.com/phishingfilter - CPUs: 3.5
Firefox 2.0 with Google Toolbar and Safe Browsing - Free - Firefox/Google - www.google.com/tools/firefox/safebrowsing - CPUs: 4
eBay Toolbar with Account Guard - Free - eBay - pages.ebay.com/ebay_toolbar - CPUs: 3.5
Netcraft Toolbar - Free - Netcraft - toolbar.netcraft.com - CPUs: 4.5
EarthLink Toolbar with ScamBlocker - Free - EarthLink - www.earthlink.net/software/free/toolbar - CPUs: 2.5
Geo TrustWatch Toolbar - Free - GeoTrust - toolbar.trustwatch.com - CPUs: 2
McAfee SiteAdvisor - Free - McAfee - www.siteadvisor.com - CPUs: 1
Norton Confidential - $29.99 - Symantec - www.symantec.com - CPUs: 4.5
Antiphishing choices largely revolve around your favorite Web browser, but in this case, if you must have a free solution, your browser choice doesn’t matter. The Netcraft Toolbar is available for both Firefox and Internet Explorer, offers excellent phishing detection, has many other useful tools, and is the best free option in this roundup. Even though Norton Confidential isn’t free and is only available for Internet Explorer (for now), it did catch the most phishing sites in my tests and offers several compelling scam protections that make its price definitely worth considering.*
Current Ask Toolbar Practices - Last year I documented Ask toolbars installed without consent as well as by targeting kids. Ask staff claimed both practices were unacceptable, and promised to make them stop. Unfortunately, Ask has not succeeded.
In Current Practices of IAC/Ask Toolbars, I document notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask's prior promises. I document yet another installation of Ask's toolbar that occurs without user notice or consent. I point out why Ask's toolbar is inherently objectionable -- especially its rearrangement of users' browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask's practices with its staff's promises and with governing law -- especially "deceptive door opener" FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.* Read The Whole Article...
PPC Ads, Misleading and Worse - Read Google's voluminous Adwords Content Policy, and you'd think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can't advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?
As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising -- like selling products that are actually free, or promising their services are "completely free" when they actually carry substantial recurring charges. For example, the ad at right claims to offer "100% complimentary" and "free" ringtones, when actually the site promotes a service that costs approximately $120 per year.
In False and Deceptive Pay-Per-Click Ads, I show more than 30 different advertisers' ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word "free"), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.* Read The Whole Article...
Certifications and Site Trustworthiness - When a stranger promises "you can trust me," most people know to be extra vigilant. What conclusion should users draw when a web site touts a seal proclaiming its trustworthiness? Some sites that are widely regarded as extremely trustworthy present such seals. But those same seals feature prominently on sites that seek to scam users -- whether through spyware infections, spam, or other unsavory practices.
It's no great surprise that bad actors seek to free-ride on sites users rightly trust. Suppose users have seen a seal on dozens of sites that turn out to be legitimate. Dubious sites can present that same seal to encourage more users to buy, register, or download.
But certification issuers don't have to let this happen. They could develop and enforce tough rules, so that every site showing a seal is a site users aren't likely to regret visiting. Unfortunately, certifications don't always live up to this ideal. Writing tough rules isn't easy, and enforcing them is even harder. Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue -- but get nothing for rejecting an applicant.
Today I'm posting Adverse Selection in Online "Trust" Authorities, an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe's ratings with the findings of SiteAdvisor -- where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests. Of course SiteAdvisor data isn't perfect either, but if SiteAdvisor says a site is bad news, while TRUSTe gives it a seal, most users are likely to side with SiteAdvisor. (Full disclosure: I'm on SiteAdvisor's advisory board. But SiteAdvisor's methodology speaks for itself.)* Read The Whole Article...
MS OneCare halts flow of antivirus info - By Woody Leonhard - When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields.
But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think?* This Is a MUST READ Article!!
On 08/02/2006 I posted a link to Scot Finnie's The Right Antivirus, Part V | Best Antivirus of 2006! article and then proceeded to add my own personal comments about what I thought about his test results. Nothing scientific there mind you, just my own personal comments.
I also sent Scot a link to my personal comments and asked him to respond. He did briefly respond by e-mail, and I added his comments to that post of mine. And I said I would update that post when he had more time to fully respond.
Well, he is a very busy person with all that he does for all of us and he has not been able to respond in more detail directly to me because of all the responses he received from his newsletter readers on this particular article. However, he did address my concerns, along with those of his readers, in his September 14, 2006 Newsletter and I owe him, and all of y'all, an apology for not adding this sooner...Sorry, but "Life" sorta got in the way recently. However, I'm updating this info now.
Please, go read his most recent newsletter for yourself to see how he addresses all of our concerns, and questions, about his anti-virus testing results. You'll be glad you did!
Which Anti-Spyware Programs Delete Which Cookies? by Ben Edelman in association with Vinny Lingham and Clicks2Customers - I've always been puzzled by the divergent attitudes of anti-spyware programs towards advertising cookies. Some anti-spyware programs take their criticism to the extreme, with terms like "spy cookies" and serious overstatements of the alleged harm from cookies. Others ignore cookies altogether. In between are some interesting alternatives -- like ignoring cookies by default (but with optional detection), giving users an easy way to hide cookie detections, and flagging cookies as "low risk" detections.
...SNIP...
Earlier this summer, Vinny Lingham and Clicks2Customers asked me to test the current state of cookie detections by major anti-spyware programs. They had noticed that for those anti-spyware programs that detect cookies, not all cookies are equally affected. Which cookies are most affected? By which anti-spyware programs? I ran tests to see -- forming a suite of cookies, then scanning them with the leading anti-spyware programs.
Vinny is generously letting me share my results with others who are interested. The details: Cookies Detected by Anti-Spyware Programs: The Current Status.*
Spyware Weekly Newsletter - Sept 6, 2006
Spyware Weekly Newsletter - August 29, 2006
I was looking over one of my favorite spyware information web sites and came across Spyware Warrior's Recommended Programs advice and just below their recs is this:
"Moreover, we recommend that you install and use at least two anti-spyware programs because, unfortunately, no single anti-spyware program detects and removes 100 percent of the spyware and adware on the Net. For more information see the anti-spyware testing reported elsewhere on this site."*
And that sorta backs up what I said previously about Brian Livingston's statement that users not install separate programs for different security tasks.
Questions arise on PC World tests By Brian Livingston - A sweeping review of 10 security suites published in a major computer magazine last month featured some very unlikely rankings for this crucial category of products. After examining the evidence, I've found that some material facts were omitted from the article, rendering its ratings useless.
The cover of the July 2006 PC World Magazine promised a review of security suites that would give readers "total protection against spyware, hackers & spam." Inside the magazine, a lengthy article summarized extensive test results by AV-Test.org, a respected antivirus research group based in Magdeburg, Germany. The magazine's product rankings, however, seemed inexplicable.*
Before I get started, I want all of you to know that by my posting any of this info here for discussion does not mean that Brian endorses any of my comments or my web site in any way. This is just my own personal blathering...
And, I want all of y'all to know that I Highly Respect Mr. Livingston for all of the hard work he does for all of us in his newsletters and Online articles! I would not recommend or link to his newsletter or web site if I didn't. And, I would greatly appreciate it if y'all would go read the Whole Article First before you read my comments, so you can form your own opinions about the article before you read my personal blathering. Regardless that I have some "issues" with this article, it is an awesome article that's well worth the time invested to read it, Seriously!!!
So, I'm reading this article and thinking to myself, "Go Brian! Explain to "them" that "turning off" features of a security program while testing it is wrong and won't produce "real world" results!" Nobody I know, Newbies or Geeks, turns off ANY features of a security program to see how well it works. They leave everything turned on. And some of the Geeks even go looking for more "features" to TURN ON, just in case they're not enabled by default!
Then I get to the very end of the article and Brian says, "Many subscribers have asked me whether installing separate programs to handle firewall, virus, spam, and spyware duties wouldn't be superior to installing an integrated security suite. That's certainly true for large enterprises. Corporations with IT staff capable of evaluating these programs will always put together their own layers of protection.
Many home users and small businesses, however, don't have this luxury. They need to run one or two products that they can understand."*
SAY WHAT!!?? Your Own Newsletter Readers are asking for Very Specific Security Advice and you tell them NOT to do what they already KNOW they can and/or should do!!?? I'm sorry, but I just don't understand that Brian. I honestly thought that your newsletter was being published to TEACH your readers HOW to do stuff like this!!?? So far, No One Anti-Malware Program is Capable of Stopping All Types of Malware!! We NEED several different types of anti-malware programs to pro-actively, and possibly-after-the-fact, help us fight malware. Seriously!!
I have been recommending through my own Personal Security Instructions, for several years now, that All Computer Users should be using Several Different Security Programs to cover All of the Various Security Issues "out there" today. The very same programs that I've been, and am currently, using on my own personal computer, along with my Wife's and our two Son's computers, and I have been steering people AWAY from the All-Inclusive-Suites because they either are resource hogs or cause more problems than what they're worth. And, all of the programs I have been, and am currently using and reccing, are all FREE. Well, I take that back, the ones I'm using are free, but I DO recommend several commercial versions of security programs because they are worth the $$ if people feel more comfortable using a commercial program instead of a Freebie.
Now, this is not something I came up with on my own. I learned a LOT of this from making some serious mistakes of my own and from numerous people "in the field" over the last three or four years. And, I'm talking about Professional IT Techs, Professional Security Techs, and many other Geeks in various Tech Fields. These same people have been, and are currently, posting on the Motley Fool's Help With This STUPID Computer forum (...Subscription Required...). I've also garnered a lot of important security related information from various newsletters I have been regularly reading over the past several years. Not one of us, who have been following the guidelines we provide others with, has been attacked, hacked, or compromised in any way. AND, we're using...*gasp!*...Microsoft Windows (98, Win 2k, and/or Win XP), Internet Explorer, and either Outlook or Outlook Express. So, if we can do this, why can't anyone else? And, I don't mean just us Geeks, I mean the Newbies we help and instruct on a weekly basis!
I will admit that a good portion of the people we help come to us after they've been "compromised" and after we help them "clean up their computer," we also teach them how to pro-actively protect their computer. They rarely ever come back for help a second time.
I truly hope that you'll take my comments as constructive criticism Brian, because I admire and respect all of the hard work you do for all of us, and can only hope that I might get you to thinking about your readers and the advice you're offering them right now. I'm only doing this because I care about the info being shared these days about security and tools needed to keep us secure while Online by Professionals such as yourself.
I am going to solicit comments/opinions from the "experts" I post with daily and will add them as they come in since the TMF boards are a subscription only forum. I'd also feel privileged to add any comments from you, if you're willing to provide them, but I do not have a problem if you'd prefer to use my comments in your newsletter and/or on your web site instead.
And, if anyone else reading this would like to have your own comments added, please feel free to . And, please keep it clean. :-)
Spyware Weekly Newsletter Headlines for both August 8 and August 15, 2006
Is Windows Genuine Advantage Really Spyware?
Matt Hartley comments on recent articles claiming/calling WGA Spyware; Matt says, "Lately I have been struggling with something - Windows Genuine Advantage. There have been a lot of reports and other concerns that this could indeed, be a form of spyware. Speaking for myself, I tend to believe that it is being way over stated.
To be clear, I believe that this form of piracy protection is doing more harm than good, however the fact remains that this is indeed now a part of the Windows world. Unless something was not mentioned in the TOS that Windows comes with (including updates), then I fail to see what the issue is."
...SNIP...
"To me, WGA presents more of a policeware trait set than something that I would consider spyware. Yes, they both have the ability to gather and then send data back to their servers, however I feel that spyware maintains the role of actually collecting data with a goal of using this for monetary gain. WGA is just a pain, not a tool to collect money."*
I gotta admit that I fully agree with his statement that WGA is Policeware, not Spyware. Good work Matt!
Scot Finnie's Most Recent Newsletter offers an excellent wrap-up review of several anti-virus programs, spread over several newsletters this Summer, and I fully believe that his latest article is a MUST READ!
The Right Antivirus, Part V | Best Antivirus of 2006!
However, I have a coupla nits to pick (Sorry Scot, but I just gotta...). I want all of you to know that by my posting any of this info here for discussion does not mean that Scot endorses any of my comments or my web site in any way. This is just my own personal blabbing:
1) Scot said, "AVG has a very small system-resources footprint. It's also highly compatible with other security products."
And I'd like to point out that that's exactly why AVG is one of the best, if not the best, anti-virus programs out there today because it works so well with other security programs. A MUST HAVE FEATURE in my book for any security program...The ability to work well with others. Of course this is just my own personal opinion and has no bearing whatsoever on Scot's reasons for choosing F-Secure over AVG.
2) Scot said, "My focus is on the collective results of all the tests, my extensive research, my personal experience, and the results of real-world usage of people I trust. In the end, if I were to select only one antivirus product to run on my system, the data tell me AVG is a very good choice, but it's not as protective as the two other contenders."
I've been running AVG, the free version, on all four of my computers for several years now and not once has any of them been infected with a virus or Trojan. And, two of those computers are being used by our Teen Sons, who constantly download lots of "stuff" from sites that I wouldn't even begin to trust. If AVG, the free version, can protect them, how can it not be "as protective as the two other contenders?" And, the majority of the Users who participate in the forums on TMF, that I help with, are AVG, the free version, Users. They also swear by AVG. I guess I just don't understand why you think AVG's not "as protective as the two other contenders?" Could y'all please elaborate? Thanks!
And as Scot so clearly pointed out to me by e-mail, "About AVG's defensive capabilities. Let's see, it's been rated down by AV-Comparatives.org and AV-test.org. It went unrated by WCL 2. It passed Virus Bulletin but that's about it. And then there are the real-world experiences of people I know using it to fight actual problems -- as compared to those using other products, including F-Secure and Nod32. When you use all these products and spend a year researching this question, you pick up a lot. I stand by my statements."
Scot has some very valid points there! Even though I've been using AVG on my computers for several years with nary a virus or Trojan problem, he's done some very extensive, hard-core, real-world testing that I have not performed myself. Nor do I have the capabilities or necessary tools to test security programs like he does. :-)
3) Scot said about NOD32, "The short form is that it only performs outbound email scanning with Outlook..." ...SNIP... and then later says "You will survive without outbound email scanning."
Ummm...can y'all please clarify this for us Scot? Thanks!
Ummm, D'OH! Scot has already elaborated in the past newsletters on the importance of an anti-virus program being able to scan outgoing e-mail as part of his requirements and the part I quoted (...now bolded...) clearly states that the outbound scanning feature of AVG ONLY works with Outlook, not Outlook Express, Eudora, etc... My BAD! I wasn't paying close enough attention to what he said. Sorry 'bout that Scot. *blush*
4) Scot said, "F-Secure includes a robust anti-spyware module, so while it doesn't coexist that well with other anti-spyware products, it doesn't need to. (It forces you to uninstall Spy Sweeper during installation, and it will run the uninstall gracefully.) So long as I'm protected, though, this isn't a big problem for me. And I've been in the line of fire with F-Secure, and came through unscathed."
Oh Scot...tsk, tsk. No one anti-spyware product can stop all spyware. Everyone using Windows and IE today should be using more than just one anti-spyware program. Having any kind of security program force me to remove a competitor's product would be a VERY BIG NO-NO! to me. I would never recommend such a product. Of course that's just my worth-less-than-2¢ personal opinion.
OK, I know I praised the article and then hacked at a few of Scot's points, but if y'all will take the time to read the whole article, and the previous articles, I honestly believe you will agree with me that it IS an Excellent Article, and series of articles, because Scot has spent a LOT of time reviewing these products this past year and I truly believe he did a wonderful job!
And, I want all of you to know that I highly respect Scot and the hard work he does for all of us with his newsletters, along with his Senior Editor Cindy, and I wouldn't rec his newsletter, let alone quote him, if I didn't.
And lastly, I also believe that after you Read The Whole Article and/or Series of Articles, you will be able to choose an anti-virus program that will suit your needs perfectly, regardless of whether you may also have a nit or two to pick yourself. Seriously, Read The Whole Article!
Also, in the same newsletter, Scot Finnie Discusses Windows Genuine Advantage: What It Is and How to Remove It.
How Vonage Funds Spyware by Ben Edelman - I ought to be a Vonage enthusiast. I support Vonage's efforts to protect network neutrality. I applaud their flexible voice over IP service and their efforts to compete with incumbent phone companies. I'm even a VoIP customer (albeit using a competitor's service).
But instead of praising Vonage, I have to criticize them -- not for their core business, nor for their customer service (which others have repeatedly criticized), but for their reckless advertising practices. Vonage spends huge amounts on advertising -- more than $20 million per month. Unfortunately, among this spending is widespread and substantial spyware-delivered advertising.
For years, my manual and automated testing have documented Vonage ads appearing in all the major spyware programs. Now that Vonage has completed its IPO -- itself promoted as a way to raise more money to buy more advertising -- this page presents twelve recent examples of Vonage ads appearing in spyware.*
Spyware Showing Unrequested Sexually-Explicit Images by Ben Edelman - Are pop-up ads anything more than an annoyance? For advertisers they can certainly be a bad deal -- particularly when spyware-delivered pop-ups cheat advertisers through PPC click fraud, PPC syndication fraud, affiliate fraud, banner farms, or other improper ways of getting paid. For users, pop-ups in overwhelming quantities may cause substantial harm -- especially because pop-up-delivering spyware reduces computer speed and reliability, and because spyware transmits sensitive user information to remote servers.
But spyware-delivered pop-ups can do more than annoy. They can also offend. Consider spyware that shows sexually-explicit (most would say, pornographic) pop-ups. When such ads appear unrequested, they're likely to be shown to users who don't want to see sexually-explicit material. It's a troubling practice -- but all too common even among "adware" vendors that claim to have reformed. Meanwhile, some old tricks remain -- like pop-ups with their "X" buttons off-screen, making the ads particularly hard to close.*
Spyware Weekly Newsletter - July 25, 2006
SpywareInfo and Mike are back!
Direct Revenue's Dirty Documents - On Tuesday, the New York Attorney General filed suit against notorious spyware vendor Direct Revenue. In a detailed complaint, the NYAG alleged Direct Revenue surreptitiously installed spyware onto users' computers and made its spyware exceptionally difficult to remove. The suit includes claims under New York's General Business Law (prohibiting false advertising and deceptive business practices), New York's Penal Law (prohibiting computer tampering), and New York's common law prohibitions against trespass.
The NYAG's complaint was accompanied by more than a thousand pages of exhibits and appendices. Some of these documents present the results of NYAG's testing -- narratives of misleading and nonconsensual installation, not unlike my own installation tests. But the NYAG also produced a treasure trove of documents: Internal Direct Revenue documents, records, and emails that present their strategy, intentions, and plans in great detail.
I have obtained these additional documents and posted them to a new page: People of the State of New York v. Direct Revenue, LLC - Documents and Analysis.*
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - In August 2005, I posted half a dozen examples of what I call "syndication fraud" -- Yahoo placing advertisers' ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo's spyware problems extend beyond mere syndication fraud. Today I post fresh examples where spyware completely fakes a click -- causing Yahoo to charge an advertiser a "pay-per-click" fee, even though no user actually clicked on any pay-per-click link. This is "click fraud."
Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files -- traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: I capture these click fraud examples in videos, screenshots, and packet logs that show exactly what happened, and that prove exactly who's responsible.*
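The indirect inference described in that post (excessive clicks from a single user, traffic from countries where the advertiser does no business) is the kind of check an advertiser can run over its own web server logs. The following is an added example, not Ben Edelman's code or data: it scans a few constructed Apache combined-format log lines, counting only requests that carry a paid-click marker (here the common `utm_medium=cpc` convention, assumed as the advertiser's tracking parameter) and using a constructed IP-to-country table in place of a GeoIP database.

```python
"""Infer possible PPC click fraud from web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed lookup standing in for a GeoIP database (RFC 5737 test addresses).
IP_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "US", "192.0.2.44": "ZZ"}
# Constructed: the advertiser only sells into these markets.
SERVED_COUNTRIES = {"US", "CA"}

# Constructed sample log: one IP hammering the paid landing page, one normal
# visitor, and one paid click from a country the advertiser does not serve.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2006:09:00:01 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jul/2006:09:00:05 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jul/2006:09:00:09 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
    '203.0.113.7 - - [10/Jul/2006:09:00:14 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Jul/2006:09:01:00 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Jul/2006:09:02:00 -0400] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [10/Jul/2006:09:03:00 -0400] "GET /land?utm_medium=cpc&kw=voip HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    query = parse_qs(urlparse(rec["path"]).query)
    # Only requests carrying the paid-click marker are billed clicks.
    rec["is_ppc"] = query.get("utm_medium") == ["cpc"]
    return rec


def find_suspicious_clicks(lines, max_per_ip=3, window_seconds=600):
    """Return {ip: [reasons]} for IPs whose paid clicks look inorganic.

    Two heuristics from the post: more than max_per_ip paid clicks from one
    address inside a sliding window, and paid clicks from a country where
    the advertiser does no business.
    """
    clicks = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["is_ppc"]:
            clicks[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, times in clicks.items():
        reasons = []
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_per_ip:
                reasons.append(f"{j - i + 1} paid clicks within {window_seconds}s")
                break
        country = IP_COUNTRY.get(ip, "unknown")
        if country not in SERVED_COUNTRIES:
            reasons.append(f"click from country {country} where advertiser has no business")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious_clicks(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Findings like these are only circumstantial, which is the post's point: a flagged address is a reason to ask the search engine for a refund and to pull the packet-level evidence, not proof of who is responsible.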
Advertisers Funding Direct Revenue - Despite widespread criticism of Direct Revenue's practices and of adware generally, some well-known companies continue to buy ads from Direct Revenue. I show example Direct Revenue ads from Citi, Netflix, T-Mobile, Travelocity, United, and Vonage, among others.*
Critiquing ITSA's Pro-Adware Policy - These days, few advertisers defend "adware" advertising. But the Interactive Travel Services Association is the rare exception. In policies that have been endorsed by 180solutions but criticized by consumers, ITSA endorses adware under strikingly vague and weak conditions.*
Boycott Starforce - A lot of PC gamers have joined together, and decided not to purchase any PC games that use the Starforce copy protection method. This site is here to provide information about the Starforce protection method, so that you can make your own informed decision.
I will provide a list of games that install the Starforce device drivers, as well as a list of publishers that incorporate Starforce. If you wish to join this boycott, we encourage you to write the publisher, or post on their forum, and let them know.
Starforce is a software copy protection tool installed by PC game publishers, which is designed to prevent the casual copying of retail CDROM applications. It installs as a hidden device driver, without the end-user's knowledge or consent.
Starforce has received criticism for installing its own device driver onto computers. The Starforce drivers are often linked to system instability and computer crashes. If these problems occur, the end-user would be unaware as to the cause of the problem, and would be helpless to solve the problem.*
New publicly disclosed vulnerability in Internet Explorer - Hi, It’s Lennart again. Wanted to let you know that today we saw another public posting around a vulnerability in Internet Explorer. This one is different than the crash bug I wrote about earlier. The public posting speaks about createTextRange() and a way that this could be utilized to get code to run when visiting a specially crafted Web page. We’re still investigating, but we have confirmed this vulnerability and I am writing a Microsoft Security Advisory on this. But we wanted to make sure customers knew we were aware of this and we will address it in a security update.
Security Help and Support for Home Users - Microsoft Security Help and Support for the home user is dedicated to help you obtain support for security-related issues such as viruses and security updates.
If you are an IT professional, visit the Security Help and Support for IT Professionals Web page.
No-Charge Support - 1-866-PCSAFETY or 1-866-727-2338 - This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For phone numbers outside of the U.S. and Canada, select your region.
Advertisers Funding 180solutions - I've long believed that the spyware explosion results primarily from advertisers' payments. It's easy to see why advertisers love spyware: Where better to get a customer, than someone who is about to buy from a direct competitor? And spyware-delivered ads are so exceptionally intrusive -- often full-screen pop-ups -- that they're likely to drive sales, even if users dislike the pop-up format.
Spyware advertising also suffers from a race-to-the-bottom effect. Consider a two-party example. If Expedia serves a big pop-up when users visit Orbitz, Expedia is likely to get lots of new customers from Orbitz. What should Orbitz do in response? They could sue, as many companies have. But more likely, they'll just buy more spyware-delivered ads of their own -- and try to grab back some of the users Expedia just took away. This yields high revenue to spyware vendors (in turn yielding more spyware), high costs to advertisers, and annoying popups for users. It's nothing to celebrate.
With this problem in mind, I've written at length about spyware revenue models. My publications page shows a dozen articles on this subject, dating back to my 2003 report of advertisers using Gator (now Claria).
Today, the Center for Democracy and Technology posted a report (PDF) on the spyware advertising problem. Earlier this year, I provided CDT with a number of examples of advertisers still funding 180solutions (despite 180's many known nonconsensual installations and other bad practices). See also my thumbnails of the ads I saw.
CDT's report rightly criticizes advertisers that lack a policy for where their ads can appear. Of course just having a policy may not be enough. Apparently the travel industry has developed such a policy -- yet I still see big travel companies advertising with Claria, Hotbar, and others. And travel companies' partners and affiliates continue to advertise through the most notorious of spyware.* Read the Whole Article Here.
Adware opponents expose offending advertisers - In an effort to cut off funding for questionable adware vendors, the Center for Democracy & Technology (CDT) has published a list of companies that purchase advertising on adware networks.
The CDT claims that companies including Altrec, Club Med Americas, eHarmony, Greetingcards.com, Letstalk.com, NetZero, ProFlower, PeoplePC, PerfectMatch, True.com, uBid and Waterfront Media create an incentive for botnet operators to break into computers.
Spyware researcher Ben Edelman has posted images of the offending advertisements on his website. The list is a sample of advertisers that were found using adware from 180solutions.* Read the Whole Article Here.
Turning Adware into Shameware - A D.C.-based non-profit public interest group is kicking off a multipart campaign designed to spotlight companies who pay to advertise their products via software that is often installed without the user's full knowledge or consent.
The Center for Democracy and Technology today released the names of nearly a dozen companies who are among the biggest customers of 180solutions, a Bellevue, Wash., adware maker whose storied history with unauthorized installations has been the subject of numerous Security Fix blog posts and other articles.
CDT sent letters to the chief executives of 18 of 180solutions' biggest advertisers, asking if they were aware that pop-up ads for their products were being displayed by the adware. Of those 18, only seven companies bothered to respond, the CDT says.
Among those companies that ignored the letters are some of the more prolific Web advertisers, including online matchmaking companies True.com and PerfectMatch.com; dial-up Internet service providers NetZero and PeoplePC; as well as ProFlowers.com, GreetingCards.com, uBid, LetsTalk.com, Club Med Americas, outfitter Altrec.com and self-help publisher Waterfront Media.*
Newest rogue anti-spyware installs adware from BestOffersNetwork - It’s rare that we find a rogue anti-spyware program that actually installs spyware/adware but yesterday I found this one on Google. Spy-Shield was being advertised with Google AdWords using “Spy Sweeper”.* Read the Whole Article.
Public Warned about Identity Theft E-mail Scam - The Agency has received several reports of an email message being circulated addressed to “Dear Social Security Number And Card owner” and purporting to be from the Social Security Administration. The message informs the reader “that someone illegally is using your Social Security number and assuming your identity” and directs the reader to a website designed to look like Social Security’s Internet website.*
If y'all ever receive an e-mail that "looks" like it came from a trustworthy organization and asks for personal information, DO NOT CLICK ON THE LINKS!!! More likely than not it's a fake e-mail created to steal personal information from you! If you just MUST find out for yourself whether something stated in the e-mail is true, open a new browser window on your own, TYPE in the organization's URL yourself, and then look for related information on the site. That way you won't be redirected to a fake web site using fake URLs created by scammers, and the link text in the e-mail (which can show one address while actually pointing at another) never gets a chance to fool you.
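To make that advice concrete, here is an added example (not code from the original page or from the Social Security Administration) that pulls the links out of an HTML message and flags the tricks scammers use to make a fake URL look real: link text that shows one host while the href goes to another, a username part before an "@" so the real host is hidden at the end, a bare IP address instead of a name, and any host that is not under the organization's real domain. The message body is constructed for this example, modeled on the SSA warning above; its hostnames are a reserved example name and a documentation (TEST-NET-3) address.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A domain-looking token inside the link text, e.g. "www.ssa.gov" in
# "https://www.ssa.gov/myaccount". Plain words like "click here" yield "".
_SHOWN_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def shown_host(text):
    m = _SHOWN_HOST_RE.search(text.lower())
    return m.group(1) if m else ""


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html_body, trusted_domain):
    """Return [(href, [reasons...])] for every link that looks deceptive."""
    parser = LinkExtractor()
    parser.feed(html_body)
    trusted_domain = trusted_domain.lower()
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href.strip())
        host = (parts.hostname or "").lower()   # hostname drops userinfo and port
        reasons = []
        if parts.scheme not in ("http", "https"):
            reasons.append("scheme %r is not http/https" % parts.scheme)
        if "@" in parts.netloc:
            # Everything before "@" is userinfo; the browser connects to what follows.
            userinfo = parts.netloc.rsplit("@", 1)[0]
            reasons.append("userinfo %r hides the real host %s" % (userinfo, host))
        if is_ip_literal(host):
            reasons.append("host is a bare IP address %s" % host)
        if host and not in_domain(host, trusted_domain):
            reasons.append("host %s is not under %s" % (host, trusted_domain))
        shown = shown_host(text)
        if shown and host and not (in_domain(shown, host) or in_domain(host, shown)):
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed for this example, modeled on the SSA warning above; the
# hostnames are a reserved example name and a documentation (TEST-NET-3) address.
SAMPLE_EMAIL = """<html><body>
<p>Dear Social Security Number And Card owner,</p>
<p>Someone illegally is using your Social Security number. Confirm your identity at
<a href="http://ssa-gov-verify.example/login">https://www.ssa.gov/myaccount</a>
or <a href="http://www.ssa.gov@203.0.113.5/verify">click here</a> within 48 hours.</p>
<p>Official information is always at <a href="https://www.ssa.gov/">www.ssa.gov</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, "ssa.gov"):
        print(href)
        for r in reasons:
            print("   -", r)
```

Only the two deceptive links are reported; the genuine www.ssa.gov link passes. The check is deliberately strict about subdomains: "ssa.gov.example" is not under "ssa.gov", because a domain name is read from the right.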
Nonconsensual 180 Installations Continue, Despite 180's "S3" Screen - On Friday morning (February 17), I received a nonconsensual installation of 180solutions Zango software through a security exploit. I was browsing an ordinary commercial web site, when I got a popup from exitexchange.com (a major US ad network, with headquarters in Portland, Oregon) . The popup sent me to a third-party's web site. (I'll call that third party "X" for convenience. Details.) Then X ran a series of exploits to take control of my test PC, including using the widely-reported WMF exploit uncovered last month. Once X took control of my PC, X caused my computer to install and run 180solutions Zango software, among a dozen other programs. Notably, X fully installed 180's Zango without me taking any action whatsoever -- without me clicking "I agree," "Yes," "Finish," or any other button of any kind. X installed 180's Zango despite 180's new "S3" protections, intended to block these nonconsensual installations.
...SNIP...
180solutions has found and terminated the distributor I described above, which I'm now happy to reveal was crosskirknet.com. But what a road to get there! 180's press release suggests 180 figured this all out within hours of my initial post. I'm convinced that that's false. First, 180 terminated some other bad installer -- only later realizing that the installer I found was someone different. Sunbelt has the details -- how we figured out (and proved) that 180 hadn't cut off this installer when 180 issued the press release saying they had. In a blog post, 180 now admits that we're right and their press release was wrong. (Of course the right response to a false statement in a press release is a correction press release, not a mere blog post. Otherwise, many readers might get the press release, e.g. via the news wire, but never see the blog post.).
180's press release claims that S3 "enabled the company to go back and re-message every user who received its software [from this nonconsensual installer] and provide them a one-click uninstall." 180's blog says the same: "We re-messaged each of [these] installs and provided ... a one-click uninstall of our software." In both documents, 180 writes in the past tense ("enabled", "re-messaged", "provided" ), seemingly indicating that these re-notifications have already occurred. But I have yet to receive any such prompt, despite substantial efforts to seek it out (e.g. by repeatedly restarting my test PC). I've also received many 180solutions ads on my infected test PC, despite 180's claim that it "shut off all advertisements to all installs" from this distributor. So here too, I think 180's statements are off-base. 180 may intend or aspire to provide renotifications, and 180 may intend to shut off ads. But by all indications, 180 hasn't actually done so, at least not yet. I've confirmed my findings with Sunbelt; they haven't seen this re-notification either, and they're still getting ads too.*
CastleCops Newsletter Feb 11, 2006
HijackRemote: Convenience versus Trust - by Ikeb, CastleCops Special Response Team member Feb 5, 2006 - Here are important snippets from the article:
HijackRemote is a malware removal service. We first found out about it when its owner submitted a news item for front page approval. It was never approved, but rather we informed the security community about it. The end result leads to this news article and our stern assessment that the service is not worth it.
HijackRemote is a malware removal service which features increased automation and even includes the ability for helpers to take control of the victim's computer with the advertised intention of providing quick and pain-free debugging assistance.
Based on what we know so far, CastleCops cannot endorse the HijackRemote malware removal methodology. While it is understood that cleaning malware can be a difficult and painful process, HijackRemote could well exacerbate a victim's situation. Not only could the victim be left with a false sense of security that pre-existing malware was removed, but it is possible that even more insidious malware has been put in place. Indeed any valuable information residing on the computer may be directly compromised by allowing the HijackRemote client to be present for an extended period of time! ... while unattended!!
Our advice: All victims of malware infestation should avoid the HijackRemote site.* Please, Read the Whole Article...
Identity Stolen... Now what? by Robin Laudanski Feb 7 2006 - With the increase of the various forms of Malware and Phishing Scams there is also an increased threat of identity theft. Though the ways your personal information is compromised may be different, one thing remains the same, it is a violation. It is a violation against you, against your family and against the creditors who think it is you they are extending credit to. Today we'll be looking at some of the steps you can take if you think your personal information may have been compromised.* Read the Whole Article...
Spyware: SpyFalcon, a nightmare rebranded - Last time we wrote about a rebrand of SpyAxe called SpywareStrike, this time we alert you to SpyFalcon courtesy of Sunbelt-Software. First, if you think you're infected, read our removal tutorial on the whole SpyAxe issue. And there is an interesting twist... the webhost provider is dishing out the WMF Exploit!*
National Consumer Protection Week - February 5 thru 11, 2006 Consumer Protection? It's the name of the game. National Consumer Protection Week (NCPW) 2006 highlights consumer protection and education efforts around the country. Whether you're investing in a business opportunity, buying or selling on an Internet auction, or looking for a scholarship, a home loan, or that dream vacation, it pays to learn how to shop smart. Because when your money's at stake, you want to hit a grand slam — not a grand scam.* Check out their Consumer Info links.
Spyware Weekly Newsletter - Feb 3, 2006
With major apologies to Mike Healan for not having his permission first to re-print the whole Special Edition Newsletter that he just sent out, but this is extremely important and needs repeating!!
Special Edition of the SpywareInfo Newsletter: Virus Warning - Take Steps Now
The Kama Sutra worm, which has numerous aliases, is set to deliver its first destructive payload TOMORROW (February 3). This worm is believed to have infected anywhere from 200,000 to 700,000 computers worldwide.
The worm is programmed to destroy numerous antivirus program files and Microsoft Office document files, thirty minutes after an infected machine is powered up, on the third day of each month.
Microsoft has included detection for this worm in its Malicious Software Removal Tool. However, Microsoft is withholding that update from all except subscribers of their "Windows Live Safety" and "OneCare" beta services. (*see note below) Microsoft refuses to release the update to the general public, before their regularly scheduled general update, on February 14th. I will have plenty to say about that in tomorrow's newsletter, believe me.
Whether you believe that you are infected or not, you should take precautionary steps now, just in case. Any documents created by Microsoft Office as well as .rar and .zip archives should be backed up and stored on separate, removable storage, such as a CD or DVD. Files and documents of this type will be corrupted beyond repair on infected machines.
Symantec has released a free tool that will remove the virus. Download the tool and run it, even if you are certain that you are not infected. It is a very small file and you have nothing to lose by running it. You don't want to be wrong and lose your boss's spreadsheets, now do you? http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
If you already have an antivirus program, make certain it is updated and run a full scan of your computer.
*Correction: In a mailing earlier this morning, I mistakenly referred to "Windows Live" and "OneCare" as being paid services. Those are free services. I apologize for that error.*
I downloaded and ran the Symantec W32.Blackmal@mm Removal Tool. I highly suggest that y'all do too!!
Spyware Weekly Newsletter - Jan 27, 2006
Pushing Spyware through Search - Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.
Now, we all love Google. I use Google's search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google's core service. But there's another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don't know any better or don't understand what they're getting into.*
An Update to Spyware Info's Surf The Web In Complete Safety Article - “. . . It is now my official position that using the Browser Appliance is the best and only way for Windows users to remain completely safe on the internet. I will no longer explain how to alter security settings, block massive lists of nasty web sites or how to install a half dozen different programs, all protecting different parts of the system.
I’m not saying that those methods don’t offer some protection or that they shouldn’t be done. I am saying that they are not complete protection. I will no longer give complicated instructions that offer only a little protection, when there is a much easier way to have full immunity.
You can lock your machine down with firewalls, script blockers, antispyware programs, antivirus programs, enormous web site block lists, block all ActiveX and then live in fear of the next 0-day exploit. Or you can install the Browser Appliance and be immune to all web-based malware installers. The choice is yours to make.”* I downloaded and installed both the VMware Player and Browser Appliance myself and it was easy to set up and run and is well worth checking out for yourself.
Rogue anti-spyware vendor Secure Computer sued by Microsoft and Washington AG - Lawsuits were filed today in the Western Washington US District Court against New York based Secure Computer, naming company president Paul E. Burke, website owner Gary Preston and several of the companies affiliates alleging, among other things, that their application Spyware Cleaner falsely reports spyware on users' computers and the use of aggressive and deceptive marketing techniques to mislead users in order to purchase the software. The Microsoft suit also alleges that the company used email spam and Windows Messenger pop-ups suggesting that the software was sponsored by or endorsed by Microsoft and illegally used name and trademark to frighten users.
Other allegations include that the spyware scan reported normal Windows registry keys as spyware and warned that "every moment the user leaves spyware on their computer the spyware could be doing damage". Spyware Cleaner was found to be unable to detect most real spyware in testing. The supposed free scan actually downloaded the program to the user's computer without notice and erased the Hosts file. The Hosts file can be used to block unwanted web sites. The lawsuit named several of the company's affiliates and noted that affiliates could sign up with ClickBank, a large affiliate marketing organization. The affiliates earned 75% of the $49.95 cost of the program on each sale.* (I removed the links to Spyware Cleaner's web site.)
An Update: After Lawsuits, Company Pulls Spyware Cleaner - After being sued by both Microsoft and the Washington state attorney general, Secure Computer has taken a second look at its antispyware product and decided to pull it from the market.
In lawsuits filed earlier this week, Microsoft and the Attorney General had criticized Secure Computer's Spyware Cleaner, saying that it was largely ineffective and actually rendered users' operating systems less secure.
After having a "technologist" review the product, "Secure Computer has confirmed that some of the problems with the software alleged in the lawsuit appear to exist," the company said in a statement released Thursday by its legal firm, Dozier Internet Law PC.
Consequently, the company has now pulled the product from the marketplace until the issues raised by the lawsuits are resolved, the statement said.*
State files spyware lawsuit against New York firm - In a test of Washington's new anti-spyware legislation, state Attorney General Rob McKenna and Microsoft announced a lawsuit today against a New York company that allegedly used misleading e-mail and other questionable online tactics to sell security software.
Secure Computer of White Plains, N.Y., made deals with e-mail advertisers in India, New Hampshire and Portland to sell its "Spyware Cleaner" via unsolicited e-mails, some pretending to be from Microsoft, according to the lawsuit McKenna filed in U.S. District Court in Seattle on Tuesday.
The suit also details how consumers using Google to search for Microsoft anti-spyware products may have ended up at Secure Computer's Web site if they clicked on allegedly misleading ads.
McKenna said the company would also download software onto consumers' computers without consent, change security settings and "deceive you into buying their own product."
"They're very sophisticated in how they push it," he said in an interview Tuesday. "You go to a Web site and you click it and instead of seeing what you want to see, you get a scary-looking notice that your computer may be infected by spyware."
...SNIP...
McKenna said today that his office wants to hear from people who have purchased the program or performed the free computer scan that the Web site offers. Those people should file an online complaint at http://www.atg.wa.gov (Washington State Attorney General's Web Site) or call 1-800-551-4636.*
I just read a post that Eric L. Howes' Web Site is Moving:
Hi All:
My personal web site at the University of Illinois at Urbana-Champaign has moved to SpywareWarrior.com. Please change your bookmarks from...
https://netfiles.uiuc.edu/ehowes/www/
...to...
http://www.spywarewarrior.com/uiuc/
The download page for the IE-SPYAD and AGNIS block lists has also moved. The new download page is:
http://www.spywarewarrior.com/uiuc/resource.htm
If you have bookmarked other pages at my web site, you will find them in the same relative locations in their new home. In moving my web site, I preserved all directory structures, so for all links to sub-pages you should be able to replace...
https://netfiles.uiuc.edu/ehowes/www/
...with...
http://www.spywarewarrior.com/uiuc/
...and find that the new link works. If you do discover broken internal site links or other obsolete internal references within the new site at SpywareWarrior.com, feel free to email me at:
eburger68@myrealbox.com
Currently at the old site there are manual redirect pages in all the most popular locations announcing the move. I'm not sure how long those manual redirect/announcement pages will stay in place at UIUC, so please spread the word of this web site relocation to friends, acquaintances, and other online communities that might take an interest in the privacy and security content of the site.
If you have questions about anything related to this announcement, please don't hesitate to ask.
Best,
Eric L. Howes*
And it looks like the old pages have already been removed. Please update your bookmarks now and help spread the word so people can find his new web site!!
StopBadware.org is a "Neighborhood Watch" campaign aimed at fighting badware. We will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware.
Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute are leading this initiative with the support of several prominent tech companies, including Google, Lenovo, and Sun Microsystems. Consumer Reports WebWatch is serving as an unpaid special advisor.
John Palfrey, Executive Director of the Berkman Center and Harvard Clinical Professor of Law, and Jonathan Zittrain, Harvard Law Visiting Professor and Professor of Internet Governance and Regulation at Oxford University, are StopBadware.org co-directors. Supporting them are an advisory board and working group made up of some of the top experts in the field, including Internet pioneers Esther Dyson and Vint Cerf.* I'm excited to see that Eric L. Howes is part of their working group!
Urgent Alert Raised for 'Blackworm' D-Day (Snippets from the article):
*************
A high-powered group of security volunteers are raising an "urgent alert" for a potentially destructive e-mail worm crawling through inboxes, warning that the worm's payload is capable of completely destroying important documents on an infected machine.
The worm, which uses the lure of sexually explicit Kama Sutra photographs to trick e-mail users into executing an attachment, is programmed to deliver the destructive payload on the third day of every month.
...snip...
At 5:00 p.m. on Jan 24, more than 700,000 computers had already been infected by the worm, according to a stats counter used by the worm author. Finnish anti-virus vendor F-Secure, said the worm accounts for more than 17 percent of all virus infections in the last 24 hours.
Adding to the confusion is the fact that anti-virus vendors are all using different names to identify the worm. In addition to Kama Sutra, the worm has been named Blackworm, Blackmal, MyWife and Nyxem.
...snip...
Once the worm's UPDATE.EXE file is run, it destroys all Microsoft Word, Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available drives.
"It's a rather destructive payload. You're looking at probably several hundred thousand users that would have data loss—and pretty serious data loss at that," said Alex Eckelberry, president of anti-virus vendor Sunbelt Software.
In an interview with eWEEK, Eckelberry said the post-infection clean-up is made difficult because of the way the worm disables all anti-virus programs.
"When it destroys the data, there's no going to the recycle bin to get it back. It destructively destroys the data," Eckelberry stressed.*
Read the whole article...http://www.eweek.com/article2/0,1895,1915070,00.asp
*************
Better yet, go Update Your AV Program Now and Keep Updating it Daily as more variations are sure to come soon.
Spyware Weekly Newsletter - Jan 17, 2006
Renowned spyware researcher Eric Howes joins Sunbelt Software - “Worcester, UK, 16th January 2005 Sunbelt System Software, the leading provider of Windows system administration tools and enterprise security solutions, today announces the appointment of renowned security expert, Eric Howes, to the position of director of malware research. In his new role, Eric will be responsible for spearheading Sunbelt's threat research initiatives and manage the talented efforts of Sunbelt's threat research team. He will be based at Sunbelt's office in Tampa Bay, Florida.”*
I think this is awesome news! Eric L. Howes is a renowned Spyware Researcher and I've been using his site for a little over a year now. However, he has sooo much info on his site that I didn't realize, until today, that he was also at the FTC Spyware Workshop that I attended on April 19, 2004. If you want to read more about that workshop you Must Visit His Site...LOTS of interesting info!!
Affiliate Hall of Shame by Ben Edelman - After several years of watching affiliate marketing, I have low expectations for this channel. I've seen countless examples of "rogue" affiliates cheating their "partner" merchants. And I've seen plenty of underhanded practices from merchants too.
But popular wisdom says most of the cheaters are small. The big guys have too much to lose by getting caught. So we can trust them to behave. Or can we?* Read more...
Spyware Alert: WinFixer Almost Tricked Us - Find out about the insidious spyware that forced one of us to spend Christmas cleaning up an in-law's PC. Argh.
While doing maintenance on a spyware-infested system that we use for testing, I noticed the popup window shown here. The spyware installed on this particular system spews an unending stream of unwanted popup windows, perhaps one every minute, and a goodly portion of them are fake security products. But this one stood out because it looked so very perfect, and because one of our discussion forum members reported difficulty removing the WinFixer program in December.*
Oh, dear. We're just getting over the Sony DRM rootkit ruckus and now we have a security company hiding software components from Windows APIs with rootkit technology. News.com reports that Symantec Corp.'s spokesperson admitted to using this rootkit type feature in Norton SystemWorks to hide a directory so customers wouldn't accidentally delete files. The problem was it could also provide a convenient hiding place for attackers to place malicious files. Due to the vulnerability, Symantec has issued an update for SystemWorks and is "strongly recommending" users update the software immediately.* Read more...
When NProtect was first released, Symantec said hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, the company said it has re-evaluated the value of hiding this directory.* Read more...
180's Newest Installation Practices - by Ben Edelman - 180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn't expect to receive such software -- including web sites that substantially cater to kids.* Read more...
MS has finally released a patch for the WMF Metafile Format flaw. Please visit Windows Update and update your computer now!!
And, here's my personal instructions on how to do this:
First, un-install the un-official patch;
Start - Control Panel - Add/Remove Programs - scroll down to "Windows WMF Metafile Vulnerability Hotfix 1.x" and click Remove - Yes - and Yes to restart.
Second, re-register the DLL;
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 shimgvw.dll" to enable. (Without the quotes!)
4. Click OK when the change dialog appears.
Third, THEN update!
However, please note that SANS is recommending installing the Official MS Patch before un-installing the Un-official Patch. I'm not sure it matters either way AS LONG AS you do indeed install the Official Patch BEFORE you do any more Surfing, Downloading or opening any new E-mail.
There is now an un-official patch for this flaw. If Mike, http://www2.spywareinfo.com/2006/01/01/4499, and SANS, http://isc.sans.org//diary.php?storyid=996, are willing to rec this patch, then so am I...actually, just like they are, I insist y'all install this temporary patch!!
Security experts are urging Windows users to apply a non-Microsoft-issued software patch to fix an extremely dangerous bug that has exposed hundreds of millions of the operating system's users to spyware and viruses.
The patch was developed by computer programmer Ilfak Guilfanov, perhaps best known in security circles as the creator of the open source IDA Pro disassembly tool used to design and deconstruct software and even malware.
Tom Liston, an Internet security consultant with Washington-based Intelguardians and an incident handler with the SANS Internet Storm Center, pleaded with Microsoft users to feel at ease installing the patch, which he said SANS had reverse-engineered, reviewed and vetted to ensure it fixes the problem and does nothing else.*
However, there is one caveat;
One final note (thanks Alex): It appears that this patch from Guilfanov doesn't work on Windows 98 and ME. Security Fix readers using those operating systems should make sure they're running current anti-virus software and take the following steps (this isn't a panacea, but it's the best thing going right now):
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable. (Without the quotes)
4. Click ok when the change dialog appears.*
Now, those of y'all who know me should know by now I don't usually rec something I don't trust, and I usually try these "things" first myself before reccing. So, in that mind-frame:
I updated Spybot S&D and Spyware Blaster (AVG had already updated just before I saw this article.) and neither one of them "complained" when I downloaded and installed this temporary patch.
I also ran Spybot S&D after installing and nothing came up.
I then unregistered shimgvw.dll.
I have not had a problem viewing pics on my computer or Online after installing this patch and unregistering shimgvw.dll.
I can not promise you this won't cause any problems for you on your computer, but come on, if SANS is reccing this...
Please, install this patch and unregister shimgvw.dll until an official patch comes out from MS!!!
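Neither of the two WMF posts above says what the dangerous construct actually looks like inside a file. As an added example (not code from the original page, from SANS, or from Microsoft), here is a small Python scanner that walks the records of a Windows Metafile and reports the META_ESCAPE record carrying the SETABORTPROC escape function, the construct the WMF flaw was exploited through, along with any record whose size field cannot be right. The sample files are constructed inline; the escape data in the suspect sample is zero filler, not an exploit. This is a triage aid for files already on disk, not a replacement for the patch or for unregistering shimgvw.dll.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function abused by the WMF flaw


def iter_wmf_records(data):
    """Yield (offset, size_in_bytes, function, params) for each record.

    A record whose size field cannot be right (smaller than its own 6-byte
    header, or running past the end of the file) is yielded with params=None
    and iteration stops there.
    """
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            yield off, size, func, None
            return
        yield off, size, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return [(offset, reason)] for records worth a second look."""
    findings = []
    for off, size, func, params in iter_wmf_records(data):
        if params is None:
            findings.append((off, "malformed record size %d bytes" % size))
            break
        if func == META_ESCAPE:
            if len(params) < 4:
                findings.append((off, "truncated META_ESCAPE"))
                continue
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                findings.append((off, "META_ESCAPE SETABORTPROC with %d data bytes" % byte_count))
    return findings


def build_wmf(records, placeable=False):
    """Assemble a minimal disk metafile from (function, params) pairs; params must be even-length."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    max_words = max(((6 + len(p)) // 2 for _, p in records), default=0)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    # Placeable header with a zero checksum: fine for a constructed sample.
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body


# Constructed samples: a benign file, the same file with a SETABORTPROC escape
# whose data is zero filler (no exploit payload), a placeable variant, and a
# copy whose escape record claims a size of one word.
BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)), (META_EOF, b"")])
SUSPECT_RECORDS = [
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    (META_EOF, b""),
]
SUSPECT_WMF = build_wmf(SUSPECT_RECORDS)
SUSPECT_PLACEABLE_WMF = build_wmf(SUSPECT_RECORDS, placeable=True)
BROKEN_WMF = bytearray(SUSPECT_WMF)
struct.pack_into("<I", BROKEN_WMF, 26, 1)   # corrupt the escape record's size field
BROKEN_WMF = bytes(BROKEN_WMF)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        with open(path, "rb") as fh:
            try:
                hits = scan_wmf(fh.read())
            except ValueError as exc:
                print("%s: %s" % (path, exc))
                continue
            for off, reason in hits:
                print("%s: offset %d: %s" % (path, off, reason))
```

Run it against a directory of downloaded images to find metafiles carrying the escape; a legitimate picture has no reason to contain SETABORTPROC. Note that the vulnerable code ran regardless of the file's extension, so scan by content, not by name.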
Contact Bill Ford with questions or comments about this web site.