There are so many sites that pop up every day peddling what appears to be AM (anti-malware) software for your PC that it's hard to keep them straight. The sad fact is that the vast majority of them are actually malware themselves. How do you know which ones are safe, and which ones are just going to infect your computer with nastiness?
I found one such site today which, after lots of investigation, I concluded is a "scare-ware" site... Scare-ware is useless software that effectively lies to you and tries to scare you into buying it to remove some monumental threat which, most often, isn't real. It's a fascinating business model that generates real money in the tens of thousands to hundreds of thousands (or possibly even millions) of dollars.
That being said, these people want to lure you in, and get you to give them money - so I'm going to walk you through some steps to determine if a site you've stumbled across, or been directed to, is real... or phony.
I'm working with a real scare-ware site called "AntiSpyware.com". You can either follow along or insert a site that you want to investigate yourself...
First off, you're going to want to investigate who owns the domain. While AntiSpyware.com looks very official, let's see who owns this domain. Network Solutions (www.networksolutions.com) has a landing page wherein you can type in a domain and it will retrieve the "whois" information.
Straight off, I would focus your attention on the referral to who.godaddy.com: the record you got back doesn't hold the owner details itself, which means that you'll have to go elsewhere (that server) for the "real" answer.
Pasting that into a browser, it becomes even more clear that this site is dodgy. Most sites that are legitimate will easily identify the owning company, contacts and such. Look up any legitimate company, or your own employer, and you'll see what I mean.
Now, let's look at the GoDaddy.com record for AntiSpyware.com. Do any alarms go off in your head?
You'll notice someone went to some pretty great lengths to mask the ownership of the domain. In fact, the site DomainsByProxy.com has an entire business model centered around this type of privacy, allowing you to register domains through them without having to provide your personal details on the registrant's site. That's brilliant... brilliantly evil, that is.
A quick scan of the DomainsByProxy landing page immediately reveals that they have a legitimate purpose - that is to protect people's personal information from being put up on the Whois registry - which is being abused here to mask and hide obvious criminal activity.
So far we know that the site doesn't appear to be owned by any "honest" company. As far as I know, when I check out TrendMicro, Kaspersky, or even Symantec, their Whois records are all public - go look for yourself or follow the links.
Now, so far we've been able to determine the site is shady simply by investigating its reputation based on its Whois record. This by no means should be your only step to determine the legitimacy of a site or its content... but it's a great start.
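To make the Whois checks above repeatable, here is an added Python example (my own illustration, not code from this post): it applies the same two questions I asked by hand, "does this record just refer me to another server?" and "is the registrant hidden behind a privacy proxy?", to constructed sample records. The domain names, contact values and the "honest vendor" record are made up; who.godaddy.com and Domains By Proxy are the only names taken from the post.

```python
"""Read a WHOIS record the way the post does by hand: spot referrals and masked registrants."""

# Contact organisations that hide the registrant. Domains By Proxy is the one
# named in the post; add others you learn about.
PRIVACY_PROXIES = ("domains by proxy", "domainsbyproxy")

# Constructed sample: a thin registry record of the kind a front-end such as
# Network Solutions returns for a .com. It only refers you to the registrar.
REGISTRY_RECORD = """\
Domain Name: EXAMPLE-SCAREWARE.COM
Registrar: GoDaddy.com, LLC
Registrar WHOIS Server: who.godaddy.com
Registrar URL: http://www.godaddy.com
"""

# Constructed sample: the fuller record from the registrar's own WHOIS server,
# with every contact masked behind a privacy service.
MASKED_RECORD = """\
Domain Name: EXAMPLE-SCAREWARE.COM
Registrar: GoDaddy.com, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Email: EXAMPLE-SCAREWARE.COM@domainsbyproxy.com
Admin Organization: Domains By Proxy, LLC
Tech Organization: Domains By Proxy, LLC
"""

# Constructed sample: what an "honest" vendor's record tends to look like.
PUBLIC_RECORD = """\
Domain Name: EXAMPLE-AV-VENDOR.COM
Registrar: Example Registrar, Inc.
Registrant Name: Domain Administrator
Registrant Organization: Example AV Vendor Corp.
Registrant Email: hostmaster@example-av-vendor.com
Admin Organization: Example AV Vendor Corp.
Tech Organization: Example AV Vendor Corp.
"""


def parse_whois(text):
    """Map lowercase 'key' -> list of values for every 'Key: value' line."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields):
    """Registrar WHOIS server the record points at, or None when the record
    already carries registrant contacts itself."""
    if any(k.startswith("registrant") for k in fields):
        return None
    for key in ("registrar whois server", "whois server"):
        if key in fields:
            return fields[key][0]
    return None


def uses_privacy_proxy(fields):
    """True when any registrant/admin/tech contact names a known proxy service."""
    for key, values in fields.items():
        if key.startswith(("registrant", "admin", "tech")):
            if any(p in v.lower() for v in values for p in PRIVACY_PROXIES):
                return True
    return False


def assess(text):
    """Apply the post's WHOIS checks; returns a list of warning strings."""
    fields = parse_whois(text)
    findings = []
    server = referral_server(fields)
    if server:
        findings.append(f"no contacts here; query {server} for the real record")
    elif uses_privacy_proxy(fields):
        findings.append("registrant masked behind a privacy proxy")
    elif "registrant organization" not in fields:
        findings.append("no registrant organization published")
    return findings


if __name__ == "__main__":
    for name, rec in (("registry", REGISTRY_RECORD), ("masked", MASKED_RECORD),
                      ("public", PUBLIC_RECORD)):
        print(name, "->", assess(rec) or ["no WHOIS warnings"])
```

Real WHOIS output varies in field names from one registrar to the next, so treat the key names here as the common ones rather than a standard; a masked registrant is a prompt to keep digging (linking, reviews, the file itself), not a verdict on its own.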
Armed with this information, let's look at site linking, meaning: how well-linked is this site, and where do links to this site come from? Often, who links to a site is a wonderful indicator of what the site contains.
I've been using WhoLinksToMe.com for a while to determine site legitimacy, because they have a wonderful output even for the anonymous user. Check out the results for AntiSpyware.com...
What immediately attracted my attention is that the site has a very poor PageRank for a "legitimate business"... I mean, this blog you're reading on some days has a higher PR than that! A PR of 4 means that the site isn't very well linked from other legitimate sites, and that the content has not been well-received by the Googleplex :)
Look at the keywords too... the number one search term is "all in one keylogger key"... how interesting. You'll also find that the key search terms for this site (after some digging) are ones like "antispyware, free, windows spyware remover..." Bells should be going off right about now. Now look at the BackLinks... that's where links to this site are posted.
I recommend going to Google and simply typing "link: InsertYourDomain.tld"... here are some examples for AntiSpyware.com:
- DNForum.com where someone claims that AntiSpyware.com was sold for 550,000EUR (link)
- StatBrain.com link which gives you some idea of how much traffic is generated here, and why someone might pay 550,000EUR for the domain (link)
- A link to an interesting "review" of the site/product (link)
When all else has been checked, and you're still not sure... look at the site. Does it look "too good to be true"? If so it probably is! Additionally, look at the link structure for the site... does it try and suck you in? Are all the links pointing to "BUY THIS NOW"?
If you're still thinking that the site has a legitimate (free) product... then download it and bounce it off of a site like VirusTotal.com --> setup.exe analysis
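For that last step, here is an added Python example (mine, not the post's) of doing the VirusTotal check from a script instead of the upload form: it hashes the downloaded installer, asks VirusTotal's v3 file-report endpoint for an existing report on that hash, and boils the per-engine counts down to one line. The endpoint URL, the `x-apikey` header and the `last_analysis_stats` field are VirusTotal's real v3 API; the API key is a placeholder you must replace, and the stats dictionary in the usage is constructed for illustration.

```python
"""Hash a downloaded installer and fetch its VirusTotal (v3 API) report."""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file bytes; VirusTotal keys file reports by this hash."""
    return hashlib.sha256(data).hexdigest()


def build_lookup(sha256: str, api_key: str) -> urllib.request.Request:
    """GET request for the file report; the key travels in the x-apikey header."""
    return urllib.request.Request(VT_FILES_URL + sha256,
                                  headers={"x-apikey": api_key})


def verdict(stats: dict) -> str:
    """Summarise a report's last_analysis_stats (malicious/suspicious/undetected/harmless)."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if total == 0:
        return "no engine results"
    if flagged == 0:
        return f"clean by all {total} engines"
    return f"flagged by {flagged}/{total} engines"


def lookup(path: str, api_key: str) -> str:
    """Hash the file at `path` and return its VirusTotal verdict as one line.
    Needs network access and a real key; a 404 means VT has never seen the file."""
    with open(path, "rb") as f:
        digest = sha256_hex(f.read())
    try:
        with urllib.request.urlopen(build_lookup(digest, api_key)) as resp:
            report = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return f"{digest}: not in VirusTotal (upload it for a fresh scan)"
        raise
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return f"{digest}: {verdict(stats)}"


if __name__ == "__main__":
    # Constructed stats, roughly what a widely flagged "scare-ware" installer looks like.
    sample_stats = {"malicious": 30, "suspicious": 2, "undetected": 10, "harmless": 0}
    print(verdict(sample_stats))
    # print(lookup("setup.exe", "YOUR_VT_API_KEY_PLACEHOLDER"))  # live query
```

Looking up the hash first is deliberate: it tells you whether the file is already known without uploading something that may itself contain other people's data, and a hit with dozens of engines agreeing is the same signal the web page shows, just in a form you can log or script.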
This one, boys and girls... is obviously evil! I hope you've learned something and can take this back and apply it the next time you see a sketchy site trying to sell you a fix for a malware problem you may not have.