As I mentioned on the news page last week I'd compared McAfee Site Advisor (MSA) with another site checking add-on Web of Trust (WoT) by searching for "free screensaver" with Google and found that
MSA was mistakenly marking dangerous websites as safe. I've now done a more in depth comparison and it appears to me that MSA is being spoofed by several
malware hosting sites.
Both add-ons do essentially the same thing and display idicators next to search results indicating if they are safe (green), care is needed (yellow), dangerous
(red) or haven't been checked yet (grey). Hovering over the indicator will display more detail, not much in the case of WoT, while MSA offers a mini
report. With both, clicking on the indicator opens a detailed report.
On the first check I was surprised that the top result was marked safe by MSA but unsafe by WoT, what was even more surprising was it was being marked safe
even though MSA analysis page showed the website hosting several examples of malware. I went through a few pages of Google results and found one other example
of this (never the reverse, WoT didn't mark as safe something MSA mark dangerous) but it was when I checked the sponsored links that appear to the right of
the results that things got really interesting. Of the first four all but one was marked safe by MSA but dangerous by WoT and they all employed the same trick
to fool Google/MSA, clicking to go to the analysis page leads to that of a different website. Here is a screenshot of the pop-up that appears when the cursor
is hovered over the indicator:
Notice how the third line down on the pop-up doesn't match the name of the website (both are highlighted in red). The one on the pop-up is where clicking
leads you, if you check the real website on MSA it shows the same risks that WoT does. Also notice how it says "no downloads tested," which is true
of the site advise the pop-up leads to but not that of the website in the search result.
This trick appears to be a deliberate feature of MSA in Google because it's employed by legitimate websites to, here for example is the pop-up for
Kit-Kat's promotional site (atdmt.com is web marketing business):
Below are the results of the first checks, with the website in the middle and the add-ons' analysis pages either side, where MSA has been spoofed and
links to the wrong page I've listed both pages. TinyUrl and shrunklink have been used to reduce long links. Don't visit any of the websites listed down
the middle!
|
McAfee Site Advisor |
Website |
Web of Trust |
|
|
Search results |
|
|
Top search result, MSA marks as safe even though it's analysis link (AL) shows malware. |
||
|
|
Paid for ads |
|
|
(matchcraft.com)
(popularscreensavers.com) |
Google top right hand ad, MSA marks as safe but the AL goes to wrong page, the correct page marks it as unsafe |
|
|
(traffz.com) (millionscreensaver.com) |
MSA AL goes wrong page, correct page show it safe even though it links to mostly untested sites and one distributing malware |
|
|
http://www.siteadvisor.com/sites/lynxtrack.com
|
Another MSA page spoof, real AL shows 45 instances of malware hosted by site plus dangerous links |
