SiteTruth – the blog

SiteTruth distributes a list of major domains being exploited by active phishing scams. [sitetruth.com] This is generated by processing PhishTank data, which we do automatically every 3 hours. The SiteTruth system is looking for the identity of the business behind the web site, and forged business identification is a problem.  So we use phishing reports to find forgeries, and take a hard line – one phishing report down-rates the entire domain.  At any given time, there are about 30 to 80 domains on the list.  Rather than being secretive about this, we publish the list, and try to help legitimate site operators to get off it. We do this because we want to reduce the collateral damage from our tough blacklist system.

Some sites get themselves off the list quickly. By now, most of the better free hosting services and short-URL services are automatically checking PhishTank and the APWG blacklist to see when they’ve been hit. Today, if you run a service where anybody can put up a page that could be used for phishing (i.e. it’s not full of your own headers and banners), you need automation to deal with attacks. As an example, “t35.com” has  been hit by a flood of phishing attacks, with several hundred new reports in PhishTank per day. The attacks were coming in faster than the abuse staff could clean them out. They’re now gaining on the problem, but haven’t squashed it yet. Take-away lesson: automate your response to such attacks.

The domains near the top of the list have been there for a while. Note the dates, which are the date that the oldest phishing report still online and active appeared in PhishTank. Some just need help. Typically, these are small businesses, churches, and nonprofits that have had a break-in and were partially taken over by a phishing site. Often, they lack an information technology staff, let alone abuse and security departments. We send them the Anti-Phishing Working Group’s “What To Do if your Site Has Been Hacked”. [antiphishing.org] Sometimes we give them a phone call. They deserve sympathy and help.

Then there are the hard cases. These are sites with no visible contact address, or a clueless abuse department. At the moment, Google Sites and Google Spreadsheets are being used for phishing. Google is new to the free hosting business, and the phishers have discovered some tricks that Google can’t yet handle. While Google puts a “report abuse” link on their site pages, it’s possible to set up a file for downloading on Google Sites, and an HTML page can be served that way [phishtank.com], without Google’s abuse checking. There’s also an exploit of Google Spreadsheets [phishtank.com]. That one is an example of Habbo Hotel phishing. [bbc.co.uk] We’ve reported these to Google several times, but they haven’t been fixed yet.

We’ve been seeing a new type of attack recently – a phishing operation breaks into a shared hosting server and plants phishing pages on multiple domains on a single server. One of these hit one of the mysterious “*.websitewelcome.com” servers, which has “cloaked domain registration” and no useful default web page. These seem to be associated with “ThePlanet.com”, but whether ThePlanet operates them, is providing wholesale hosting, is providing colocation, or is just the upstream connectivity provider is not clear.

Hiding the contact information of a hosting provider is legally unwise. The hosting provider may lose the “safe harbor” protection of the the DMCA. [cornell.edu] The “safe harbor” provision for “Information Residing on Systems or Networks At Direction of Users” only applies if “the service provider has designated an agent to receive notifications of claimed infringement… by making available through its service, including on its website in a location accessible to the public, and by providing to the Copyright Office, substantially the following information: the name, address, phone number, and electronic mail address of the agent.” So when the RIAA or the MPAA come calling, a likely event for a hosting service, they get to go after the hosting provider.

So that’s vulnerability reporting in phishing land.  Our experience is that occasional nagging will keep that list down in the 25 to 50 domain range. If we stop nagging, it creeps up to around 100. When we first started, there were about 175 domains on the list. Reporting vulnerabilities does measurably help.

Our latest statistics on the quality of Google’s advertisers may indicate a slight downward trend. Of 20247 Google AdWords advertiser domains seen in the last 60 days, we see the following ratings.

Most notably, the percentage of sites in the highest category, those where the identity of the business behind the site was verified by a trusted third party, has decreased.

Our sample size has increased substantially, which has some effect on the data. This data comes from users of our AdRater plug-in, and the number of AdRater users has increased substantially in the last month. When we rate an ad for a user, we accumulate data about advertiser behavior. We don’t collect data about what users are doing; just advertisers.

This data includes only ads served by Google’s US-based ad servers.

We will be reporting this data periodically.

Danny Sullivan at SearchEngineLand has written “The Myth of Great Search Engine Results”. He is of the opinion that search engine results are getting “worse”, but he can’t quite say why.  We can.

Google search results are getting worse for hard questions. Google is trying to correct for more user errors. Google used to insist that all the words of the query appear in the result. They’ve backed off on that; you now get some pages that Google considers important even if some words are missing. You can insist that a search word be present by quoting it. It’s easier to get answers to simple questions now, but the user has to do more work on hard ones.

Google also has become much more aggressive about spelling correction. This is a problem when your query has a word that is “close” to a common word. Again, quoting a single word forces an exact match. Google also considers synonyms now.

Most search queries are very dumb. Look at Google Trends to confirm this. That’s where the market is, and that’s what Google is targeting. It’s a reasonable business decision from their perspective.

Search in more adversarial areas, where “search engine optimization” is practiced, have a different set of problems. When a search engine operates perfectly, it makes no money. If Google takes a buyer directly to the seller’s page, Google makes nothing. If Google organic search directs the buyer to a site with Google AdWords, or produces search results sufficiently irrelevant that clicking on a search result ad looks promising, then Google makes money. It’s thus not in Google’s interest that organic search be spam-free.

Which, of course, is what SiteTruth is for – search with less evil.

Google recently fixed their “open redirector” in Google Maps, used by “phishing” sites to make attack URLs appear to be Google URLs.

PhishTank then marked the exploits formerly using it as “off line”, and SiteTruth automatically upgraded Google’s rating from to to .

The number of major sites with security vulnerabilities exploited by phishing attacks has dropped from 171 problem domains in early December 2007 to only 54 domains today. We’ve been talking to PhishTank, the Anti-Phishing Working Group, the press, and some of the vulnerable sites to focus attention on this problem. It’s on its way to being solved.

SiteTruth is currently rating Google as “Site ownership unknown or questionable. — Negative Info”

“google.com” has a negative report in PhishTank this week. A hostile site is exploiting a security hole in Google Maps, an “open redirector”, to give themselves a phony “google.com” web address. This assists the hostile site in evading spam filters and web filters.

Once Google plugs this security hole, PhishTank should notice within a day, and SiteTruth will pick up that information and rerate automatically.

We’ve seen this with a few other major sites. “rds.yahoo.com” is an open redirector, but, confined to a separate domain used only for redirection, it doesn’t open a hole through spam filters and so we don’t downgrade the whole “yahoo.com” domain. AOL uses “r.aol.com” in a similar way, but they also have an exploitable hole in AOLsearch that’s been reported to PhishTank.

Click on any SiteTruth rating icon for a detailed report about how the rating was computed.  If “Negative Info” is reported, click on “Show Details” for a link to the data source which reported trouble.

SiteTruth is a tough, but fair, rating system. Most sites don’t get the top rating. That’s by design and by intent.

If a web site is selling or advertising anything, it must disclose the actual business behind the web site. If you’re selling into California or the European Union, that’s the law. This basic requirement throws out most of the junk sites on the Web.

There are so many phony sites on the Web today that simply flagging “bad sites” is no longer enough. We have to identify the valid ones, and down-rate the others.

That’s just the beginning. We expect businesses to comply with the law. We’ll be checking business licenses, corporate records, and other sources of business legitimacy data. That information is available for most of the developed world; right now, we have it for the US and the United Kingdom.

We’re linking search engine ranking to business legitimacy. We expect that, in time, all major search engines will do that.

At last, on the Web, everyone will know if you’re a dog.