Most Web Users Unable to Spot Spyware

Ben writes "According to a Spyware Quiz conducted by McAfee SiteAdvisor , a staggering 97% of Internet users are just one click away from infecting their PCs with spyware. One interesting conclusion from this study showed that even users with a high "Spyware IQ" have a nearly 100% chance of visiting a dangerous site during 30 days of typical online searching and browsing activity."

Wait...

[cshank4]

That has to be wrong, somehow. A lot of the people I know only go to trusted sites, virus-scan everything, etc etc. It only takes common sense and a slightly focused attention span to keep your machine clean.

And let me guess

[Anonymous Coward]

McAfee will sell me the software to help save me.

100% thing...

[jigjigga]

Well, I wager that even though 100% of these "high IQ" users may visit one of these sites, 99.99% don't become infected by it.

Sorry

[Rick Zeman]

But Mac and Linux users comprise more than 3% of Internet users!

Bad quiz

[samtihen]

The quiz in question has you choose which of two sites, based on screenshots, has spyware. The sites were all for things like screen savers, song lyrics, and free game downloads. That is a terrible, terrible way to judge a users capability to determine if something has spyware.

Sure

[TheRealMindChild]

One interesting conclusion from this study showed that even users with a high "Spyware IQ" have a nearly 100% chance of visiting a dangerous site during 30 days of typical online searching and browsing activity.

Sure, we like to visit places like http://www.cracks.am [cracks.am], who actually write their own spyware. But I am not so sure that qualifies me as ever installing any of their garbage.

Re:Wait...

[topham]

The correct way to look at it is to say that it only takes a split second of distraction to get a machine infected.

Follow the money

[Roachgod]

Clearly the message is to just give up and pay the anti-virus/anti-spyware people a bunch of cash.

The real way to combat this is to hold website owners responsible if they are hosting such malware.

Stupid quiz as usual

[MalleusEBHC]

This is just like a "spot the phishing email" quiz I saw. Just looking at a picture gives you no context. Did you get the link from a reliable source? What OS/browser are you running. (I'm definitely more willing to check out something suspicious in Safari than Internet Explorer.) Are you dumb enough to download and run something from the site.

Re:Bad quiz

[Anonymous Coward]

The quiz in question has you choose which of two sites, based on screenshots, has spyware. The sites were all for things like screen savers, song lyrics, and free game downloads. That is a terrible, terrible way to judge a users capability to determine if something has spyware.

No crap. In some of the screenshots, you can't even see the whole screen, to say the least of not interacting with it. In many of the choices, I wouldn't visit either site.

It's also worth noting that the quiz is by a major commercial anti-spyware company.

I think this is a sales gimmick more than anything else.

Re:Bad quiz

[SocietyoftheFist]

When I saw the first question I laughed out loud. I guess they may be going on the domain name but the quiz is really bad. I took it and got 4 out of 8. I guess you are supposed to go research the sites because there reasonings for answers couldn't be gleaned from the screen shots. Funny, I've never had a virus or spyware on my machine, I don't allow automatic anything, and I failed! What a joke.

This is an idiotic quiz.

[aussersterne]

It contains no technical information or interactivity whatsoever. No status bar information, no ability to view page source, just screen grabs of random web sites.

This is a completely invalid, unsound test, as there is no technical way to determine the presence of malicious software simply by looking at a page as it initially loads in the absence of any ability to interact with it or at the very freaking least scroll up or down or hover a mouse... sheesh...

It's like blindfolding someone and then blaming them for not being able to catch a baseball pitch, facing away from the thrower, with their bare hands. Of course they won't be able to, if you take away every single useful tool for them to accomplish the task.

Flawed quiz

[siwelwerd]

This quiz doesn't measure anything. Where's the option for "Both of these look suspicious and I wouldn't go near either of them"?

Not sure I agree with their methods

[Digital_Quartz]

The quiz (http://www.siteadvisor.com/quizzes/spyware_0306.h tml [siteadvisor.com]) asks questions like "Which of these smiley download sites is safe?" The answer I'd pick is "I don't care which one is safe, I wouldn't ever download something so pointless and high risk to begin with", but that option isn't available.

Re:Flawed quiz

[Smallpond]

It measures two things:

1) How many people will stay interested enough to finish the quiz.

2) Free focus group when article is posted on /.

Re:Bad quiz

[jonnythan]

Ummmmm..... I think that's the point.

You sometimes can't tell what software will have bundled spyware or adware, (especially in such an obviously biased quiz) which is why you're going to need to purchase McAfee's anti-spyware software.

Hello, McFly...

Re:Follow the money

[ScrewMaster]

I dunno if free speech covers theft of information and vandalism, which is what we're really talking about here. They have the right to say anything they want ... whether the First Amendment gives them the right to run arbitrary code on my computer is something else again.

Re:Bad quiz

[PatriceVignon]

So where do I click for the "none of the above" answer? Everyone who downloads screensavers, games, ... or has turned ActiveX on in his browser just deserves to get infected with spyware!
And, what a surprise, the test is run by McAfee, who wants to sell me "protection" against spyware. Protection as in "catches 97% of the spyware that has been out for more than a month" (just made up those numbers). No thanks.

6 of 8 after researching all the sites

[ender-]

I went to each one of the sites before answering. I still missed two of them.

First I missed the lyrics sites. One of them supposedly installs activeX adware. I couldn't tell this since I'm using Firefox in Linux.

Then I missed one of the P2P software sites. I incorrectly decided that Blubster was safe, even after looking through the site. They do mention that they take information given when you fill out a contact form, but I didn't see any mention in the terms of use or privacy policy regarding anything in the software itself.

Of course, I would have never actually downloaded that in the first place. I knew emule was safe though. Yay open source! :) And Kazaa has a long history of being full of crap that's bad for your system. Ugh.

So yeah, I missed 2 of them, but would not have been infected by any of the bad sites. Mostly I just think this quiz is lame.

Re:Bad quiz

[quentin_quayle]

Right. It's more like "Assuming you are going to download an exe of some frivolous applet, and install it as Administrator on Windows, on a whim, which site will you get it from?"

If this applies to you, you've already flunked the real-world test. If they had a third option "I'll get software only when it's important, and then only from sources I've thoroughly researched and have objective reason to trust" - then this quiz would be a public service. As is, it just encourages the proliferation of Windows malware.

Typical Marketing

[Anonymous Coward]

This quiz is supposed to scare people into buy their product, nothing more. No useful statistics can be gleaned from it.
If they wanted to make an accurate assesment they would set people up with a VM with a resonably patch version of windows, and big shiny icons for both IE and firefox and say "Browse the internet for an hour" and see how the machines were affected.

PS: I got a 5 out of 8 on the test, but only because there was no option to say "Why would I be dowloading lyics or smilies in the first place -- these things or more likely to have spyware than pr0n?" That and I guess they want you to trust eMule.

Re:Bad quiz

[rmdir -r *]

Seconded. And while there are some sites that do drive-by downloads if you've got the wrong browser/OS pair, there is essentially no way you can know that ahead of time.

Anyway, look at the `quiz'. It's a collection of screenshots. There is no data you can use except `this site looks too corporate', or `I've heard bad things about kazaa'.

It's not a quiz of your mad spyware spotting skillz, it's a marketing attempt. And did anyone else find it funny that their copy of firefox had the little `update me!' red arrow in the top-left corner? Didn't that go away in the latest version?

They should work on their own security :).

Completely impractical

[EmbeddedJanitor]

... for most www users.

Most www users are not geeks and cannot tell the boundary between their computer and the internet, let alone know how to drive a hosts file etc. Any advice of this form is completely useless to most www users. If the computer says "click on this" they will. Don't expect them to tell the difference between something from MS or the OS and a phishing scheme or other attack.

It is also not reasonable to say that people should know this stuff to use the www. Nonsense! Do you need to know the difference between a knit and purl stich to wear a sweater? Do you need to know what advance and retard are to drive a car? Why the hell should you know what a hosts file is to use the www?

Re:Bad quiz

[Brandybuck]

No, the point is that sites for free screensavers, games, and lyrics are all full of spyware.

It's like saying users can't tell which scraggy whore has the clap, so they should all buy new McAfee Anti-Itch cream so they can keep on screwing scraggy whores with the clap. If you compare users with the clap to users without the clap, you notice a strong correlation to choice of partner.

Dumb quiz

[Bootard]

By analogy, this quiz is the rough equivelent of having people pick from a group of crack-head prostitutes the one without disease, and when they fail, telling them they know nothing about safe sex. Safe sex, like safe browsing, ended before the the first question on the test. There is no safe sex by trying to pick only the disease-free crackhead prostitutes. There is no safe browsing by trying to pick the free smilies site that won't blow your computer up. There is value in mininimizing risk where it's found, but to me, safe browsing and downloading FREE SMILIES!!! from some popup window are mutually exclusive activities. That said, their product does have merit, probably. I just wished it was marketed as what it is: "You're a dumbass, and are going to do dumbass things. Maybe you need a net."

Re:Completely impractical

[wkitchen]

Given that he posted this on Slashdot it's a perfectly practical suggestion for the target audience. I've been using this particular hosts file for a while with great results. I keep it updated on my wife's and daughter's computers as well.

nice design no spyware?

[dindi]

I get the point that when you go to a screensaver site and see 2 menupoints and 4 screensavers, that is suspicious,
but in most cases they seem to tell me, that a simple design vs bling means that the simple design will sell you spyware ....

dunno, i think any download is a potentional spyware, especially the spyware programs (that my wife installed on her mom's computer adter a popup : your computer mught be infected ,,, )
well at home she uses linux so did not get a clue......

ohh that crap also has the important message: all p2p programs are spyware laden....

Re:Wait... IP addresses in links

[citabjockey]

For sites that direct your browser to an IP address URL this hosts file does nothing. (http://123.22.33.44/grabyoubytheshorthairs.php)

Yes, I would say that this is pretty accurrate...

[Cypheros]

i work for a major broadband company (in fact, im working right now), doing technical support. I would say that this is definately true--almost one quarter of the call volume that we get has to do with a user contracting some form of malware, usually spyware. The thing is, most people are too beligerent to realize that they contracted something, thinking instead that their systems are perfectly impenetrable.

-Cypheros [cypheros.com]

A very bad survey.

[Yaztromo]

I took my usual paranoid route. For the first four questions, I didn't select either site (which, as it asks which site you trust, seems to me to implicitly state that I don't trust either site). For the last four sites, I specified that all of them potentially had spyware.

My result? Well, acccording to this "survey" I only scored 3 out of 8, as my not trusting sites which didn't have spyware (as they could find) counted against me, and I distrusted one site which the survey claims has no spyware. So apparantly, because I don't trust ANY of the 8 sites referenced in the survey, I'm "At Risk", and my "...answers would have infected your PC with adware and spyware many times over.".

Uh huh. Not trusting any of the 8 sites is putting me at risk? Spyware and adware many times over? Let's ignore for a moment that I'm running Mac OS X, and that I wouldn't visit any of those sites in the first place, and don't download screensavers, wallpapers, or smilies, but apparantly according to SiteAdvisor my distrust of all their sites puts me at risk.

And that right there is enough to tell you the quality of this so called "survey".

Yaz.

Re:Wait...

[Jerf]

A lot of the people I know only go to trusted sites,...

A sibling to this post points out it only takes a split second of carelessness. This is literally true.

The combination of

1. Internet Explorer and several silent install vulnerabilities (are you sure they're all gone? Is everybody's IE up to date?)
2. The user, and thus IE, running as Administrator (OR any priv. escalation exploit), and
3. bots that register typo-domains en masse

adds up to a situation where a single innocuous typo in your Location bar could trigger a rootkit install.

For this reason, I consider IE mortally dangerous, and until we go for some period of years without seeing a silent install vulnerability, I won't lift this assessment. This has nothing to do with hating Microsoft, and shouldn't be dismissed as such; I think it's a perfectly rational assessment of the situation. I think the only thing stopping more people from seeing it this way is the fact that most people are dependent on Microsoft and simply don't want to see something that means they are going to have to do a lot of work to switch.

I don't think Firefox has had a "silent install" vulnerability yet. Corrections welcome. It's just too darned easy to get infected, and all the anti-virus software, software firewalls, and spyware detection software is just closing the barn door after the animals escaped, especially as the rootkits are passing the point where you can even pretend to remove them without a full re-load of the OS from the bottom. (And it's only a matter of time before the rootkits go back to the old trick of infecting all executables like the viruses of the olden days, so you have to completely rebuild the machine from scratch...)

(I remember there was some changes made to the extension download process to make it harder to mindlessly click through, but I'm not counting that. I would consider a silent extension install to be a silent install vulnerability, because extensions get full access to the machine. The same for an install process that isn't "silent", but isn't able to be stopped short of cutting power to the machine; ISTR an ActiveX vuln that had the behavior of installing even if you said "no" to the trust dialog.)

Re:Wait...

[Anonymous Coward]

This has nothing to do with hosts files or the like... They didnt give you enough information and they didnt give you enough options

Question 1 of 8: Screensavers: Pick the safe site.

I dont care which one is safe i wouldnt download that crap anyway...

Question 2 of 8: Smileys: Pick the safe site.

I dont care which one is safe i wouldnt download that crap anyway...

Question 3 of 8: Free Games: Pick the safe site.

I dont care which one is safe i wouldnt download that crap anyway...

Question 4 of 8: Lyrics: Pick the safe site.

I dont care which one is safe i would never leave something as buggy as activex enabled! and i use firefox anyway...

Questions 5-8 of 8: File Sharing

I dont care which one is safe i wouldnt download closed source executable binaries from any of them!

Re:Wait...

[SirSlud]

If you installed the host blocks, you know how to remove a few lines.

If the study is taken at face value (which I think might be reasonable if you're on crack), then all its saying is that you'll remove the screensaver.com block from your hosts file.

My personal opinion is no study was needed; if there is a something-for-nothing proposition, and you take it without being 100% sure of multiple, non-associated sources stating that it really is something-for-nothing (like a good freeware app like Blender, or a trial or lite version of a respected commercial package), you will be paying somebody for something.

Many intelligent, successful people still believe theres such a thing as a free lunch that you dont need to run background checks on. There are none. If the lunch is free, then make sure you've spoken to people you know and trust who've taken the offer before you, or you might as well write "guinea pig" across your forehead in magic marker.

Basically, avoid the word 'free'. As soon as free is the top selling point of anything, it isn't. Its either spyware, or upsell.

Re:Bogus Statistic

[orangesquid]

If you're not on windows, you're probably not going to be visiting mcafee's site.

it should read "3% of visitors to mcafee's site who took a spyware quiz are unable to spot every spyware site from a screenshot of part of the webpage."

Re:Wait...

[phlipped]

Using host files to avoid certain sites is a kludge.

While it may be simple and effective, the hosts file is not the right place to block access to certain sites.

Blocking should be done by the browser itself or by a firewall, proxy, or some other software gatekeeper expressly designed for the purpose. Such an agent is theoretically able to perform a multitude of functions related to site blocking, such as temporary unblocking, content filtering (ie allow the HTML through but nothing else, or strip out javascript, or whatever), authentication for unblocking, management of blocked groups (eg separate black lists for porn, spyware, anti-chinese-government content).

Hosts files don't allow any of these functions, and are easy to bypass by using an ip address instead of a domain name. By skewing their function into a server filter, you are more likely to run into problems and frustrations, esp when you also want to use the hosts file for its intended purpose - to map names to ip addresses. It's going to be pretty annoying when someone makes a typo in the hosts list and you can no longer get to some site because the "connection was refused".

In short... Hosts file as a filter is an effective kludge for now, but a better solution is to use a ... better solution designed for the purpose of filtering (if one exists).

Re:No kidding.

[Joel from Sydney]

I get the sense they rigged the thing just to premote the software. it's such a poorly designed a survey that I would have supsected it even if they had no mention of the software anywhere near the survey.

I got pretty much the same feeling from doing the test, and I got a 6 out 8 (go me!). The first choice (between screensaver sites) was just an absolute joke, there was literally no information on which to base your choice! Except of course that one site looked like it was designed in NetObjects Fusion, and the spyware site looked like a "Learn HTML in 21 minutes!" special.

The only other thing I'd add to your comments is that the presence of a forum seems more likely to indicate safety. Most of the "safe" sites had a forum section, most of the "unsafe" sites don't. Obviously this isn't a hard and fast rule, but a forum where people can complain about the spyware they just downloaded would tend to scare prospective victims away.

Re:Wait...

[Gary W. Longsine]

This "loopback evil sites host file" is fine as far as it goes, and I've recommended this as part of a prevention strategy for clients before.

However, the notion of "trusted web sites" is bogus and dangerous (e.g. in web site security, "evil sites are not to be trusted" may be true, but the converse is not necessarily true -- web sites that are not known to be inherently evil are also not "trusted". Companies that build them and run them and put them on the internet for you to puruse don't even trust them. They put them on "sacrificial hosts" in a "DMZ". The *owners* of these web sites don't trust them. Why should anyone else?

The notion of the "trusted web site" is dead. Stone cold it's not pining for the fjords because if it hadn't been nailed there it would be pushing up the daisies, dead.

Take the test

[SmallFurryCreature]

I was suprised with my own results.

The reason is simple. The test is loaded.

You are asked to choose between various free sites and have to judge just buy a screenshot wich one is save. That of course is very hard to do. Worse is that you can't choose the answer "none of the above" wich I think is the only real answer.

Frankly I wouldn't trust any screensaver or smiley site. Period full stop end of story.

Oh and as for people using virus scanners. Well yeah. Because others have hit them over the head and tied them to a chair and then installed the virus scanner for them and then trained them with a cattle prod not to remove it. They still go out of their way to make live hard for the virus scanners and still basically just get it.

Virus scanner == safety belt. Wearing a safety belt doesn't make you a safe driver.

It only takes common sense to keep your machine clean. Right the same common sense that tells you to limit your speed in dangerous road conditions?

Common sense is a misnomer because whatever it is it sure as hell ain't common.

Wrong approach, bad advice

[@madeus]

No, that's the wrong approach entirely (a little knowledge can be a dangerous thing indeed), you can't possibly hope to keep track of all the hosts required, it's a losing battle.

The correct approach is to use better software, that blocks Spyware by design.

Re:Completely impractical

[Random Destruction]

cars work just fine without knowing much about their inner workings, and computers don't.

That sounds like a geek's opinion rather than a mechanic's. Its all a matter of perspective (except on the sweater front).

Re:Wait...

[trewornan]

Right, I don't believe there's any way you could know which is right from the information provided. Effectively the quiz asks you pick randomly from two choices and then claims that since you almost inevitably get some wrong you're in danger of downloading spyware. It's only true if you download stuff from websites by guessing whether they're trustworthy.

Next week "how water is wet".

Question 9

[SlappyBastard]

Should be a screen with a site running in FF and another in IE.

I found the test to be a classic push poll approach.

This is like lining up 16 Nigerian hookers, two at a time , and asking you you to screw one and see if you get AIDS. Well, statistically one in four has AIDS, so by the 16th hooker, you have AIDS -- guaranteed.

But, would you actually screw a Nigerian hooker? Not if you had any knowledge of what you're getting into.

Anyone who goes to a free screensaver website deserves every single virus they ever get. In fact, they deserve to be booted in the head.

The test is rigged in a fashion that ensures that even competent people end up in the mid-range.

In all seriousness, how many web savvy people are going to the types of sites they depict? None.

Re:Wait...

[niiler]

That was exactly my feeling upon looking at the "quiz". There are certain computer extras such as closed source screen savers and smileys which are, in my own experience, nearly always bundled with spyware. These are simply products to avoid. The "even experienced users picked the wrong one" argument is a misdirection. Most experienced users won't go looking for this type of crap (and will recognize the quiz for the poorly constructed trap that it is).

That said, I'm starting to get concerned about closed source applications such as Diamond Crush [kde-apps.org] showing up on apps.kde.org. Some of these are much more appealing to geeks. Also, I have wondered what sort of peer review is done on packages at repositories such as www.slacky.it or www.linuxpackages.net. It's nice to be able to download precompiled binaries of open source products that don't come with your distro, but....when I download something from slackware.com or vectorlinux.com, I don't have the same sense of worry about unpleasant easter eggs.

Cheers.

Re:So? I took the test on opera/linux

[ivan256]

Anyway perhaps linux users are even worse. How many of use just install packages from your distro without ever checking who actually wrote them?

Who cares who wrote them? The packages should be signed by the distributor. Presumably you trust the distributor or you wouldn't be running that distribution.

Re:No kidding.

[Ford Prefect]

I scored eight out of eight. I'd never heard any of the sites before, beyond the eMule and Kazaa ones - and those I've never used. All I used was information presented to me in the screenshots.

It was an easy test, and was full of clues.

• Screensavers: One site gives the licence for each download, and usually the price if it's shareware - the 'Order Now' link at the top suggests this is how the business makes its money. The other just provides downloads - and doesn't have any ads. How does this service make its money? Guess.
  
• Smilies: One has 'FREE' in giant letters, the other has a 'BUY' button. Which is the safe one?
  
• Games: Bit trickier, but one is 'FREE-FREE-FREE' all over, the other has a forum, a FAQ and a contact page. One's too good to be true, the other sounds like it's run by enthusiasts.
  
• Lyrics: Tricky again. But one claims to be built by its users and has a pitifully small selection of requests to complete its database (to be submitted by email to a generic address, too) - the other seems to have been running since 2000 and has links to request and submit song lyrics. Plus a guestbook and a advertising sales link - hardly things to provide if your business strategy involves pissing off your visitors.
  
• Filesharing: Okay. A list. Bearshare: it's a 'sponsored download' (hmmm...); eMule is open source, has forums, a shop and a donations link (again, things you wouldn't have if you pissed off your users); Blubster is '100% free!' with no on-site advertisements or other obvious means of deriving revenue, and Kazaa is 'NO SPYWARE', but is 'FREE' - and again with no obvious means of making money.
  

There you go. All the information for scoring eight out of eight. Easy!

Essentially, think about how the website is making its money. If it's pushing something desirable as free, then it's suspicious - so unless it's obviously run by enthusiasts and has an easily-contactable community behind it, then there's almost no such thing as that proverbial free lunch...