This week Trend Micro joined the party by announcing TrendProtect, a safe-surfing tool similar to McAfee SiteAdvisor. Symantec has yet to announce a comparable standalone safe-surfing tool. CNET Reviews recently compared a handful of safe-surfing tools, both free and paid.
The short-term result is that you unknowingly visit a compromised site and come away with a backdoor Trojan horse installed on your desktop. The long-term result is that these vandals undermine our mutual trust in the Web.
Safe-surfing tools are excellent for identifying bogus banking or e-commerce sites before they load in your Internet browser. Using a complicated algorithm that weighs such criteria as the validity of the domain name registration, suspiciously long URLs, foreign characters in the URL, and misspellings within the displayed page, these tools rate Web sites as safe (green icon), suspicious (yellow icon), or dangerous (red icon), and most overlay those ratings on your search engine results. Note what is being rated: the URL, its registration, and what the page looked like when the vendor last examined it, not the content the page happens to serve at the moment you load it.
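To make the kind of URL heuristics described above concrete, here is a small rater written for this article; it is an added example, not any vendor's algorithm. It scores the URL-level signals the paragraph lists (length, non-ASCII or punycode characters, a suspiciously new registration) plus a few classic phishing tells (raw IP hosts, credentials in the URL, a brand name outside its own registered domain). The brand list and the green/yellow/red thresholds are assumptions chosen for the demo, and the domain age is assumed to be supplied by a WHOIS lookup the code does not perform.

```python
"""Toy safe-surfing URL rater (added example, not a vendor's algorithm).

Returns a colour (green / yellow / red) plus the reasons behind it, so a
verdict can be audited rather than trusted blindly.
"""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brands phishers commonly imitate; constructed list for the demo.
BRANDS = ("paypal", "bankofamerica", "ebay")


def _registered_domain(host: str) -> str:
    """Crude registered-domain guess: last two labels.
    Real tools consult the public-suffix list instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def rate_url(url: str, domain_age_days: Optional[int] = None) -> Tuple[str, List[str]]:
    """Rate a URL. domain_age_days is assumed to come from a WHOIS
    lookup done elsewhere; None means the age is unknown."""
    score = 0
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if len(url) > 75:
        score += 1
        reasons.append("unusually long URL")
    if "@" in parts.netloc:
        # http://www.paypal.com@evil.example/ : the real host follows the @
        score += 2
        reasons.append("credentials in URL hide the real host")
    try:
        ipaddress.ip_address(host)
        score += 2
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal hostname
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        score += 2
        reasons.append("non-ASCII or punycode characters in host")
    if host.count(".") >= 4:
        score += 1
        reasons.append("deeply nested subdomains")
    registered = _registered_domain(host)
    for brand in BRANDS:
        # brand name present, but the registered domain is not the brand's own
        if brand in url.lower() and registered != brand + ".com":
            score += 2
            reasons.append(f"'{brand}' used outside its registered domain")
            break
    if domain_age_days is not None and domain_age_days < 30:
        score += 2
        reasons.append("domain registered less than 30 days ago")

    colour = "red" if score >= 4 else "yellow" if score >= 2 else "green"
    return colour, reasons


if __name__ == "__main__":
    # Constructed sample URLs; 192.0.2.x is a documentation range.
    for sample, age in (
        ("https://www.paypal.com/signin", 4000),
        ("http://192.0.2.10/paypal/login.php", None),
        ("http://www.paypal.com.secure-login.example.net/cgi-bin/webscr?cmd=_login-run", 3),
        ("http://xn--pypal-4ve.com/signin", None),
    ):
        print(sample, rate_url(sample, age))
```

A lookalike site built from the real brand's name, a fresh registration, and a long path lights up several heuristics at once, which is exactly the case these tools catch well. The next two sections show the case they do not.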
This is a potentially huge problem: phishers are now planting their content on sites in the green zone, sites that many safe-surfing tools rate as safe.
In a statement to CNET, Google said the Blogger.com example sites cited by Fortinet appear to be "deliberately set up to promote phishing, which is against our terms of service." Indeed, in reviewing one example, a Honda CR 450 blog site, we identified numerous red flags. First, the content of the blog was incomprehensible gibberish, designed to boost the page's ranking on search results pages rather than to be read by a human being. Second, the blog had been created within the last few days and never updated, and there was little information about the person who created it. None of these facts alone is damning, but casual or even accidental visitors to the blog could find themselves infected with a remote access Trojan horse. Google said that it is investigating these pages and added that "blogs found to include malicious code or promote phishing will be deleted." The Honda CR 450 blog site has since been deleted.
It gets worse
But spotting a bogus blog is perhaps somewhat easier than spotting a recently compromised Web site. This week the security vendor WebSense reported on a new phishing scam in which an e-mail, written in German, contained a link to a security vendor's site in South Korea. So far it's a pretty traditional phishing scam, except that the linked site is legitimate. CNET viewed the page with Netcraft Toolbar and SiteAdvisor enabled, and neither displayed a warning as the page loaded. But when we viewed the source code of the South Korean security vendor's site, we found an iframe toward the bottom of the page that pulls in content hosted on a server in Hong Kong (now disabled). According to WebSense, that content might have allowed a criminal hacker to remotely access our PC. The reputation tools never saw it: the URL, the domain, and the vendor behind it were all genuine, and only the page's current content had changed.
Almost all of the exploit code identified this week targets a vulnerability Microsoft had already patched in MS05-014. Apparently the phishers are going after users with lax security on their PCs. If you've been diligently applying the latest Microsoft updates, you should be fine if you happen upon a recently compromised site. The problem comes when you land on a site carrying an exploit for a vulnerability that hasn't been patched yet.
We've seen only one safe-surfing tool, EPL Linkscanner Pro, that can ferret out recently added malicious content, because it inspects what a page actually serves rather than relying on a stored rating. But the free version of Linkscanner works only with Internet Explorer, and the paid Pro version doesn't do a good job of reporting obvious phishing pages (you know, the PayPal and Bank of America knockoffs). So, for the time being, you're stuck using SiteAdvisor, Netcraft Toolbar, or the new TrendSecure TrendProtect to find the bogus phishing sites, in addition to Linkscanner Pro to find the malicious ones. Not a great solution, but it's about the only solution for now. Do you worry about tripping over malicious code on "safe sites"? Should you? TalkBack to me.