November 06, 2006

SiteAdvisor Plus: Adding Teeth to the Web’s Most Popular Safe Search Tool

Posted by Shane Keats at 09:19 AM

We have some big news to share today. McAfee is launching an enhanced, premium version of our safe search tool called SiteAdvisor Plus.

SiteAdvisor Plus extends and enhances our core safe search and safe surfing functionality in three ways: by adding link checking to instant messages and e-mail, by adding a protected mode that shields PCs from interacting with risky sites, and by adding real-time anti-phishing protection.

What’s New

Link Checker: McAfee SiteAdvisor Plus checks links embedded in e-mail and instant messages, warning consumers before they make a bad click decision. Worldwide, more than 170 billion e-mails and more than 14 billion instant messages are sent per day. In today’s world of drive-by attacks, during which a single click can ruin a computer, it’s important for consumers to know in advance whether a link contained in an e-mail or IM is safe or not.


McAfee SiteAdvisor Plus supports a broad range of instant messaging and e-mail platforms including Yahoo! Messenger (Y!M), Windows Live Messenger (MSM), Google Talk, Outlook, Outlook Express, Yahoo! Mail and Microsoft Live Mail (Hotmail), and Gmail. Support for AOL Instant Messenger (AIM) and AOL Mail is under development.

Protected Mode: Protected Mode enforces SiteAdvisor’s safety ratings by redirecting consumers to a safe page anytime their computer is about to interact with a risky site, whether through searching, browsing, instant messaging or e-mailing. This feature provides critical protection for heavy Internet users, households that share computers with younger or less Web-savvy users, or anyone who desires “load and go” protection. Protected Mode is password protected, enabling parents or other computer administrators to control this feature.

spacer Protected Mode grays out risky results

Advanced Phishing/Scam Detection: McAfee SiteAdvisor Plus combines advanced, real-time “phishing” detection with its one-of-a-kind site database to detect and provide early warnings against scam sites that can compromise consumers’ identities and ruin their computers. This is a critical benefit, since scam and phishing sites now use increasingly sophisticated technology and social engineering tactics to fool even the most savvy consumers.

spacer Real-time anti-phishing uses SiteAdvisor's white list to improve accuracy

How Much Does It Cost?

SiteAdvisor Plus offers a household pack (for 3 computers) for $49.99 and a 1-user option for $24.99. Both subscriptions are good for a year and include all the new features.

Where Can You Buy It?

SiteAdvisor Plus is available on the McAfee site starting Tuesday, November 7.

What’s Next for SiteAdvisor Plus?

Adding link checking support for AIM is a top short-term priority. Integration with the AIM client presents some significant engineering challenges and we felt it was better to offer instant messaging protection now to the tens of millions of consumers who use other popular instant messaging clients rather than wait.

Also a top priority: support for Firefox. Again, we made the call that it was better to offer SiteAdvisor Plus to our many Internet Explorer users who can benefit from added protection now.

What’s Staying the Same

SiteAdvisor’s basic version will remain free and will keep the same features it currently has. Our commitment to accuracy will continue as will our transparency about our test results. More than 250 million times per day, McAfee customers ask for our site ratings to help them make better Web safety decisions. We’ve worked hard to earn that trust and reliance and will continue to work to make it safer to search, browse and transact on the Web.

Permalink | Comments (3) | TrackBacks (0)

October 31, 2006

A Halloween Screensaver That Will Make Your Skin Crawl

Posted by Jonathan Cohen at 04:34 PM

To commemorate Halloween and promote Web safety, SiteAdvisor highlights a spooky download alert for the season. Out of all the scary Web safety threats that haunt the Internet’s creepiest corners, “Happy Halloween Animated Screensaver” earns a dishonorable 10 out of 10 on the SiteAdvisor nuisance meter.

This screensaver is hosted at (SA Report Page), which SiteAdvisor’s tests showed to have 2131 red downloads as of October 31st. If little Timmy instinctively clicked “Yes” or “Install” at every installation prompt, your computer would be overwhelmed by potentially unwanted programs.

What does an install sequence for a “10 out of 10” Web threat nuisance look like?

This screensaver came packed with nine bundled, unrelated programs:

1. Dealio
2. with Quick! browse search assistant
3. WhenU SaveNow (twice)
4. RelevantKnowledge
5. MyWay Home Page Switch
6. Scenic News Messenger
7. Mystery e-mail submission
8. FileSubmit
9. Popular Screensavers Toolbar

We’ll highlight just a few of these to give you the idea, but they carry a similar theme: lots of fine print that gives publishers permission to serve ads based on browser activity.

One of the bundled programs that comes with the Happy Halloween Animated Screensaver is called RelevantKnowledge. This program displays survey questions about user shopping habits and records information like online purchases. It also allows “passively-tracked” online browsing behavior to be sent to ComScore Networks for “market research.” Pretty scary stuff.

RelevantKnowledge install prompt.

Once you complete the “Happy Halloween Animated Screensaver” installation, Internet Explorer opens a MyWay home page switch window. This post-install sequence then asks the user to install three more potentially unwanted programs. That’s three bonus annoyances for the price of one!

MyWay homepage switch prompt.

Here’s another sequence in the install which especially caught our attention. This window – which requests a first name, last name, and an e-mail address – doesn’t reveal where the information will be sent. Can you imagine answering such questions to a complete stranger who stopped you on the street? We recommend you never submit your personal information to any prompt that does not indicate the recipient and how the information will be used.

Name and e-mail submission prompt.

With 9 bundled programs and lots of scary, mysterious corners, clearly the “Happy Halloween Animated Screensaver” will leave several ghosts behind long after Halloween.

This particular screensaver is not an isolated case, though. Screensavers are infamous for the installation of potentially unwanted programs, and Halloween screensavers seem to be particular culprits. See this screenshot of a Google search (from October 30th, 2006) for the search term “Halloween Screensaver” (minus quotes)

An overwhelming majority of the organic search results for Halloween Screensaver are rated red by SiteAdvisor.

The SiteAdvisor team hopes you have a safe and fun Halloween. Install our free toolbar, and we’ll help you avoid the Internet’s tricks so you can enjoy its treats.

Permalink | Comments (1) | TrackBacks (0)

October 16, 2006

Free (Asterisk) Credit Reports

Posted by Jonathan Cohen at 01:32 PM

Stop, Identity Thief!

We’ve all seen the bad guys take advantage of the allure of “free” products on the Web. From “free iPods”, to “free downloads”, the Web is full of deceptive come-on’s. Even the government is susceptible. A well-intentioned law to help consumers understand their credit history is in danger of being overwhelmed by scammers.

In 2003, the United States passed the Fair Credit Reporting Act (FCRA), making it easier for consumers to keep tabs on their credit histories. The FCRA requires the three major nationwide consumer reporting companies (Experian, TransUnion, and Equifax) to provide a free credit report, once a year, to anyone who asks.

Credit histories are snapshots in time. By contrast, credit monitoring alerts a consumer of credit changes in near-real time. Government experts say that credit monitoring is one of the best ways to defeat an initially-successful identity theft. It’s an early warning system. Sadly, 85% of the 9+ million people who become victims of identity theft don’t find out they’ve been victimized until they apply for credit. By then, the damage is done: Recovering from a successful theft of one’s identity reportedly can take hundreds of hours.

The FCRA required the three credit reporting agencies to create, the only official site where consumers can request a truly free credit report with no strings attached.

We discovered sketchy behavior at a few of the sites that offer "free" credit reports. These sites don't acknowledge truly free credit reports at and automatically bill users if they don't cancel trial memberships.


Google “free credit report” and is the top organic, non-sponsored link. It’s humble. Nothing in the headline about being “free” or official. But it's surrounded by a sea of advertisers who are much less modest.


The official free credit report site is overwhelmed by other, more sensational Web sites.

We estimate that consumers make approximately 1,270,000 million searches every month for “free credit report” and similar terms (based on Yahoo’s 28.8% search market share in July 2006 and 365417 related searches logged by their inventory tool). is a frequent advertiser for these keywords. The site promises users a free credit report and credit score if the user fills out what appears to be a short registration form. Scroll down below the fold and you’ll find a disclaimer in tiny print.

By ordering a free credit report, you will automatically be enrolled in a 30 day free trial of credit monitoring. You will receive instant notifications of changes to your credit report. You will be billed $9.95 for each month that you continue your membership if you do not cancel your membership within the 30 day trial period.

This is precisely the kind of tactic the FTC warns about:

Other websites that claim to offer “free credit reports,” “free credit scores,” or “free credit monitoring” are not part of the legally mandated free annual credit report program. In some cases, the “free” product comes with strings attached. For example, some sites sign you up for a supposedly “free” service that converts to one you have to pay for after a trial period. If you don’t cancel during the trial period, you may be unwittingly agreeing to let the company start charging fees to your credit card.

This sign up results in automatic enrollment in a free trial membership for credit monitoring. After the seven day trial, consumers are charged $19.95 every month.

This site claims to give a 30 day trial before they start charging a consumer’s credit card $9.95 per month, a fact disclosed in fine print, at the bottom of a screen, two clicks and one entire top level domain removed.

spacer redirects users to The order page does not mention any specific fees.

Fees are disclosed in tiny print two screens and one Web site prior to sign up.

On Alert

Some sites count on quick typing, or quick clicking, to get users to their pages. offers a prominent disclaimer that it is not the official site, but you can bet that plenty of users click through to their advertised offers to make them money.

Some free credit report sites have awkward URLs to take advantage of address bar typos.

The FTC sued an individual “free credit report” Web site,, Inc. The defendant was found liable of deceptive marketing and forced to surrender nearly one million U.S. dollars. The settlement requires, Inc. to “pay redress to deceived consumers, bars deceptive and misleading claims about “free offers”, requires disclosure of terms and conditions of any “free” offers, and requires the defendant to give up $950,000 in ill-gotten gains”. We applaud the government’s action, but there's a glut of scammy Web sites pushing similar scams that are still unchallenged.

Take Action Now

Spyware researcher and SiteAdvisor Advisor Ben Edelman recently critiqued the use of “free” offers in Google Adwords, noting how often the offers violate Federal Trade Commission rules and Google’s own guidelines. Sadly, a well-intentioned law like the one establishing is at risk of being overwhelmed by unscrupulous advertisers who profit from consumer ignorance.

As a modus operandi for avoiding online scams, we recommend caution whenever clicking on an advertisement that promises a service or product for “FREE*!” And as part of a comprehensive plan to help prevent or limit the effects of identity theft, use

Permalink | Comments (1) | TrackBacks (0)

September 28, 2006

We don’t do anti-phishing

Posted by Shane Keats at 06:48 PM


Microsoft commissioned a study that hit the wires today, ranking a number of well-known, popular anti-phishing toolbars. And SiteAdvisor.

Despite the fact that we're not an anti-phishing toolbar, despite the fact that we explictly say we don't offer phishing protection, SiteAdvisor was included in the study. Guess what happened.

We lost.

Of the 200 test sites, we got 3 right. Netscape 8.1, the next closest "competitor" to SiteAdvisor, got 56 correct. Microsoft's IE7 beat the popular Netcraft by a whisker, 172 to 168.

A score 18 times worse than the next nearest competitor should have been a clue to the study's authors that something was wrong. Oh well. We suppose the study needed some comic relief to take away from the fact that a study that finds its paid sponsor to be the best at something is more of an ad than a study.

A score of 1.5% correct would indeed be shockingly bad, if, in fact, we tested sites for phishing. But we don’t. There are a couple of places on our site where we make that clear. On our support pages, we've answered "Does SiteAdvisor offer 'phishing' protection?" nearly 2,000 times, each time the same way:

SiteAdvisor's software does not currently provide automated or real-time phishing detection.

On a July 28 blog entry about an American Express related phish attack, we said it again:

A quick note. We wanted to remind readers that McAfee's SiteAdvisor plug-in warns users about a wide range of site-based threats including spyware, spam and exploits, but for anti-phishing and more complete threat protection, readers should look at our award winning security suites.

Comparing SiteAdvisor's anti-phishing efficacy with Netcraft's or IE7's is like comparing our restaurant ratings to Zagat's. Or comparing IE7's (non-existent) spam, spyware, exploit, link practice, and pop-up analysis with McAfee SiteAdvisor's.

That's part of the point. SiteAdvisor has focused on these kinds of analyses because no one else has. By contrast, there is a lot of good anti-phishing software on the market today. Oddly enough, the study didn’t bother to test McAfee's actual anti-phishing tools, included in our Internet Security and Total Protection Suites.

For the record: SiteAdvisor doesn't include anti-phishing protection. If and when it does, we promise it will be great, and that we'll let you know about it.

Permalink | Comments (10) | TrackBacks (0)

September 26, 2006

Intuition Not Enough to Spot “Spammy” Sites

Posted by Hannah Rosenbaum at 09:40 AM

Watch out for your inbox! The results of the McAfee SiteAdvisor Spam Quiz reveal that users are unable to distinguish between safe sites and sites that sent our robots spam. Last month McAfee SiteAdvisor issued a challenge to users: Can you spot Web sites that cause spam? Over 7,000 users have taken the quiz and the results are alarming. The decisions of the average quiz taker would have led to the receipt of over 1,000 e-mails per week.

If you haven't yet tested your spam detection skills, you may want to take the Spam Quiz now before reading on.


• The average score was 55%. The average quiz taker got 3 to 4 out of 8 questions wrong. The average user's decisions could lead to 1,000 e-mails per week. If the user got the 3 "worst" sites wrong, he could receive as much as 2,000 pieces of e-mail per week.
• 97% of quiz takes got at least one question wrong. Even just one e-mail submission to an unsafe site can cause an inbox to become inundated with spam. When we submitted our e-mail address to spammy e-card site, for example, we received 1,075 e-mails per week as a result.



Business models and brand names

Users performed the worst on the online dating and credit card categories. Only 40% of quiz takers correctly selected rather than as the dating site that respects e-mail privacy. Some quiz takers were probably skeptical of's free membership. They may have tried to intuit the site's business model, perhaps concluding that the only way the site could make money was to sell customer e-mail addresses. But our inbox of only 1 e-mail per week supports their privacy policy statement that they do not share personal information with third parties.

The poor performance on the credit card question could have been due to the use of the word "Visa" in Users might have assumed that the use of the word Visa signaled that it was a safe site or sanctioned by the brand. Users' decisions may also have been impacted by the streamlined design of the Web site. Surveys have found that the design of a Web site influences user behavior relating to privacy. Only 44% of quiz takers correctly selected as the safe site in this category.

Do the homework

Users performed the best evaluating the games and scholarship sites. 68% of quiz takers correctly selected as the safe game site over Significantly, approximately twice as many quiz takers viewed the privacy policies for this question as compared to any other. While time consuming, reading a site's policies can help boost quiz performance and make for safer surfing.

68% of quiz takers correctly selected as the safe scholarship site. Users may have chosen because its homepage appears informational while's homepage promotes a drawing to win a free $10K scholarship, which users may have perceived as a vehicle to obtain e-mail addresses.

Who's to Blame?

The debate about personal responsibility and Web safety usually starts with "read the privacy policy" but the policies are often long and densely written with legal terminology. One study of privacy policy readability found that 54% of privacy policies require a reading comprehension level equivalent to more than 14 years of education and 13% require the equivalent of a postgraduate education. When PC World writer Narasu Rebbapragada took our spam quiz, she read the sites' privacy policies, but admits that she "couldn't always differentiate between language that allowed spam from the language that didn't." Most people don't bother to read them: surveys show that 50% of users never or rarely read privacy policies. In our quiz, approximately half of users clicked on our links to the sites' privacy policies. But who can blame users for not reading privacy policies if Web sites don't make them easy to understand? Even if privacy policies properly disclose that personally identifiable information might be shared with third parties, the impact is diminished by the fact that many people do not read them or can't understand them.

Our quiz informs users that does not even have a privacy policy, but only 56% of users correctly selected as the safe jokes site. This may imply that some users don't pay much attention to the existence of a privacy policy on a site or they don't regard it as a useful means of evaluating a site's privacy practices.

What about other methods of delivering unsolicted commercial e-mail? More technically savvy users know to create complex e-mail addresses that are better protected against dictionary attacks. But is it reasonable to expect casual Web consumers to know this? Perhaps. What about screen scraping where an e-mail address is harvested after being posted to an unsecure Web site? Short of having access to the server and the skills to test it, consumers simply can't know which sites have taken the appropriate steps to secure themselves.

Time to Let Down Your Guard

Some users responded to this quiz by saying that they would never give out their e-mail address to any of these sites. That's one way to protect your inbox. But we'd like to point out that there are many sites where you can safely submit your e-mail address, so such restrained behavior is not necessary. Other users claim to always use throw-a-way e-mail addresses. That's another preventive measure. But having multiple temporary accounts can be tedious should users decide to check them, and if users never check them, they risk missing some e-mails that may have actually been of interest to them (e.g. relevant newsletters, daily horoscopes or matches from a dating site). Defensive e-mail behavior may be effective, but it would not be necessary if users knew ahead of time which sites will protect their e-mail addresses. With McAfee SiteAdvisor, users can see what happened to our inbox before they decide to submit their own e-mail addresses. We get spammed so they won't have to.

Permalink | Comments (7) | TrackBacks (0)

August 29, 2006

Parental Advisory: Risky Lyrics Sites!

Posted by Hannah Rosenbaum at 10:20 AM

Ranking the Riskiness of MTV Music Video Award Nominees

And the award goes to… Yung Joc and Nitty! The MTV Video Music Awards won't air until August 31, but the results from the McAfee SiteAdvisor "Most Dangerous Lyrics Sites" Survey are already in. So whether or not Yung Joc and Nitty take home one of the coveted "Moon Men" trophies at this year's VMAs, they have already outranked the competition by having the most hazardous lyrics to search for online.

While casting your vote for the best videos and watching the MTV awards show may be a fun and entertaining way to celebrate your favorite musical artists, searching for the lyrics to your favorite songs might leave you in a bit of a funk. (And we're not talking about explicit lyrics content.) With more than 22.3 million searches for lyrics terms being conducted each month (more on this later), this site genre is a prime target for malicious players. Unsafe lyrics sites pose serious dangers: browser exploits, Active X controls that install spyware or adware, excessive pop-ups, and links to other unsafe sites.

The MTV Video Music Awards airs August 31, 2006.

The McAfee SiteAdvisor Most Dangerous Lyrics survey ranks the MTV VMA nominees by the danger of their lyrics searches. After searching Google for each of the nominated artists and songs plus the word "lyrics," we analyzed the safety of the search results using McAfee SiteAdvisor's ratings database of 6.4 million popular Web sites.

The most dangerous lyrics search was for Yung Joc and Nitty's song "It's Goin Down," for which 70% of search results were rated red or yellow by McAfee SiteAdvisor. Christina Aguilera's love profession "Ain't No Other Man," came in second with 60% risky results, earning her the title for Most Dangerous Female Video and Most Dangerous Pop Video. Tied with Aguilera for second place overall, Common's "Testify," and Three 6 Mafia's "Stay Fly" also won for Most Dangerous Hip-Hop Video. On average, 36% of lyrics search results for the nominated songs were links to risky sites and all searches for the nominated songs returned at least one risky site on the first page of results. Green Day's "Wake Me When September Ends" returned the safest lyrics sites with only 10% risky results. Read the full results.

The most dangerous lyrics search was for Yung Joc and Nitty's "It's Goin Down."

SOS (save our systems)

One of the most frequent search result offenders was, which appeared in searches for 22 of the 44 nominated songs. insists that its users install an ActiveX control from Zango – giving users Zango's pop-up ads and a Zango toolbar, as well as sending detailed information to Zango about what users search for and what web sites and pages users visit. The site attempts to justify this download by claiming that Zango allows the site's content to be free. But we think the Zango adware installation is misleading for a few reasons.

* The content at is already available elsewhere for free.
* Accepting Zango may give some users the false impression that money from Zango (and its advertisers) flows through to songwriters, in compensation for reproduction of their lyrics. Zango says "This website is free thanks to Zango … because it's paid for by advertising." But it's just not true: Zango's advertising payments do not flow through to the songwriters who wrote the words on the site. As best we can tell, Anysonglyrics pockets the money it gets from Zango; it doesn't pay that money out to songwriters or music publishers. We're not here to opine on the question of whether Anysonglyrics needs to pay for the lyrics it presents; the music industry says a license is required, and the EFF disagrees. But whatever the answer, Zango's inclusion doesn't help the legality of the Anysonglyrics site.
* Zango's adware and toolbar are completely unrelated to's content and functionality.

spacer requires users to download the Zango Search Assistant.

ActiveX controls are frequent nuisances on lyrics sites. also requires the Zango-bundled ActiveX control to view the site's lyrics. The ActiveX controls that we've found on and were even more noxious. In our tests, these ActiveX control downloads included, ImIServer, IEPlugin, Roings, and istbar. Once users have visited these sites, Rihanna won't be the only one singing "SOS."

What's Left of Me… and My PC

Just as Nick Lachey mourns his marriage in "What's Left of Me," fans of the soulful stud may be singing a sour tune after searching for his lyrics. His lyrics search results included exploit site This site served excessive pop-ups, which on occasion breached browser security on our test PCs. VMA fans run a very high risk of landing on this site: appeared in search results for 70% of the nominated songs, providing ample opportunity for user click through., found in our lyrics search for Shakira and Wyclef Jean's "Hips Don't Lie," also made unauthorized changes to our test PCs. Using a hidden br, attempted security breaches including cursor and WMF vulnerabilities. This allows malicious code to install a trojan downloader onto the system which can then be used to install other unauthorized programs. For these exploit-infested sites, simply browsing can be harmful to your system. Steer clear.

Who's been linking up?

Relationships between Web sites can help boost traffic. They can also make or break a site's safety rating. Lyrics sites are often rated red due to links to other dangerous lyrics and mp3 sites. is neither affiliated with the authors of this page nor responsible for its contents. This is a safe-cache copy of the original web site.