As an offshoot of our work on phishing, we’ve been getting more interested generally in reputation systems. One of these systems is McAfee’s SiteAdvisor, a free download of a browser add-on which will apparently “keep you safe from adware, spam and online scams”. Every time you search for or visit a website, McAfee gets told what you’re doing (why worry? they have a privacy policy!), and gives you their opinion of the site. As they put it “Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites (including of our own site) and are enhanced by feedback from our volunteer reviewers and insights from our own analysts”.
Doubtless, it works really well in many cases… but my experience is that you can’t necessarily rely on it 🙁
In particular, I visited http://www.hotshopgood.com (view this image if the site has been removed!). The prices are quite striking — significantly less than what you might expect to pay elsewhere. For example the Canon EOS-1DS Mark II is available for $1880.00, which frankly is a bargain: best price I can find elsewhere today is a whopping $5447.63.
So why is the camera so cheap? The clue is on the payments page — they don’t take credit cards, only Western Union transfers. Now Western Union are pretty clear about this: “Never send money to a stranger using a money transfer service” and “Beware of deals or opportunities that seem too good to be true”. So it’s not that the credit card companies aren’t taking a cut, but it is all about the inability to reverse Western Union transfers when the goods fail to turn up.
Here’s someone who fell for this scam, paying $270 for a TomTom Go 910 SatNav. The current going prices — 5 months later — for a non-refurbished unit start at $330, assuming you ignore the sellers who only seem to have email addresses at web portals… so the device was cheap, but not outrageously so like the camera.
I know about that particular experience because someone has kindly entered the URL of the consumer forum into McAfee’s database as a “bad shopping experience”. Nevertheless, SiteAdvisor displays “green” for the website in the status bar, and if I choose to visit the detailed page the main message (with a large tickmark on a green background) is that “We tested this site and didn’t find any significant problems” and I need to scroll down to locate the (not especially eye-catching) user-supplied warning.
This is somewhat disappointing — not just because of the nature of the site and the nature of the user complaint, but because since the 15th March 2007, www.hotshopgood.com has been listed as wicked by “Artists Against 419” a community list of bad websites, and it is on the current list of fraudulent websites at fraudwatchers.org. viz: there’s somewhat of a consensus that this isn’t a legitimate site, yet McAfee have failed to tap into the community’s opinion.
Now of course reputation is a complex thing, and there are many millions of websites out there, so McAfee have set themselves a complex task. I’ve no doubt they manage to justifiably flag many sites as wicked, but when they’re not really sure, and users are telling them that there’s an issue, they ought to be considering at least an amber traffic light, rather than the current green.
BTW: you may wish to note that SiteAdvisor currently considers www.lightbluetouchpaper.org to be deserving of a green tick. One of the reasons for this is that it mainly links to other sites that get green ticks. So presumably when they finally fix the reputation of hotshopgood.com, that will slightly reduce this site’s standing. A small price to pay! (though hopefully not a price that is too good to be true!)
You could just not link to the hotshopgood site, but instead include the URL as plain text. Then you’re not linking to it, but it’s obvious to readers what you’re talking about.
a) it makes it harder for people to look for themselves
b) it would ruin a good joke 🙁
Fair enough, carry on. 🙂
Is SiteAdvisor really set up to handle this? I thought it was about avoiding sites that host malware (which can obviously be automatically tested) rather than guarding against sites backed by fraudsters?
SiteAdvisor claims to “keep you safe” from “online scams”.
If it doesn’t in fact do this (and the site I looked at is the rule rather than the exception) then this would presumably be a matter for the ASA!
Fair enough, I clearly misunderstood your intentions. You’re right that if the public think this service “keeps you safe from online scams”, then sites such as the one you found must be flagged.
Sorry, last comment should have said “their intentions”.
However, another thing occurs to me: it will be hard for McAfee to make decisions on who is a scammer and who isn’t. For example, if they react to a single negative comment to change their rating, I could potentially extort money from, e.g. Amazon, by posting a negative comment about them with SiteAdvisor. Where do you draw the line between protecting customers and protecting honest retailers? Surely the only way McAfee could be sure this site was a scam was if they actually attempted to buy something from it themselves? Indeed, this might be what the average user takes from the message “we tested this site”, since how can you test a shopping service without actually shopping? McAfee could of course use behaviour indicators to judge, e.g. uses Western Union, likely to be a scam, but I think they need to change the public perception of what this service does (by changing messages displayed) or change the service to match up to the public perception (likely to be difficult to achieve).
I think Byron has hit the nail on the head with this last. Plenty of companies offer, e.g. malware filtering and market it as such. In this case, the marketing seems to have written cheques that the product can’t cover.
Speaking of reputation systems and the web, you might be interested in WOT. Still work in progress though.
Byron said: “Surely the only way McAfee could be sure this site was a scam was if they actually attempted to buy something from it themselves?”
There is indeed a problem in being sure about assessments, and there may well be sites that are far less clear than this one — where the prices, the payment method, the community opinion, the history of related sites all point to a single conclusion.
However, it is a problem of their own making! McAfee advertise that they provide a particular service, and if it’s an impossible service to provide then the solution is for them to stop misrepresenting their abilities, not for others to find excuses for their failure.
Hi, this is Shane Keats from McAfee SiteAdvisor. Thanks for bringing this site to our attention. You’re right that our focus is on malware and spam. We systematically test for drive-by exploits, adware/spyware in downloads, phishing, spam, pop-ups and bad linking practices.
We do some human review of misleading business practices (like offering free ring tones but burying in the fine print that the ring tone automatically subscribes the user to an expensive monthly subscription). We are working to do more in this area.
You’re also correct that we don’t test e-commerce sites by making purchases. One of the reasons for offering McAfee SiteAdvisor reviewers the chance to rate sites for their e-com experience is because we don’t have an automated (or affordable!) way to test this.
We’ve got a bunch of failsafes built into the reviewer system so that one bad shopping experience can’t cause Amazon to go red, or even a small business to go red for that matter.
Also, to be clear we do not keep any personally identifiable information. Period. We don’t purge it either because we don’t keep it to begin with. We know what site you visit because we have to tell you our test results for it, but that’s totally anonymous. Here’s an analogy. You’re a tourist in London. You walk up to a guide called McAfee SiteAdvisor and say “Is Hyde Park safe?” McAfee tells you its findings and then immediately forgets who asked it.
Feel free to send us feedback at http://www.siteadvisor.com/feedback.html
Or e-mail a criticism to complaints shift 2 siteadvisor.com
Thanks.
Richard said “However, it is a problem of their own making! McAfee advertise that they provide a particular service, and if it’s an impossible service to provide then the solution is for them to stop misrepresenting their abilities, not for others to find excuses for their failure.”
That’s what I was getting at with my earlier comment. For example, I buy a malware scanning service from ScanSafe. They market it as “Web malware scanning” not “protection from scams”, which is how it should be.
Shane said “Or e-mail a criticism to complaints shift 2 siteadvisor.com”
That’s a nice way of munging an email address, but it assumes a US keyboard layout. The UK keyboard I’m typing on right now would require a shifted apostrophe instead 😉
When linking to sites like hotshopgood, you should consider using the rel=”nofollow” tag so that they don’t benefit from your PageRank.
http://en.wikipedia.org/wiki/Nofollow
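An added example, not part of the original post or of any comment: a small audit that lists links to flagged domains which do not yet carry rel="nofollow", the situation the comment above describes. The `FLAGGED` set and the `SAMPLE` markup are constructed for illustration; a real run would load a community blocklist instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed input: the domain the post discusses, standing in for a
# community blocklist export (the list format is an assumption).
FLAGGED = {"hotshopgood.com"}

def is_flagged(host, flagged=FLAGGED):
    """True if host is a flagged domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in flagged)

class LinkAudit(HTMLParser):
    """Collect links to flagged domains, split by whether they carry nofollow."""
    def __init__(self):
        super().__init__()
        self.followed = []    # flagged links that still pass link reputation
        self.nofollowed = []  # flagged links already marked rel="nofollow"

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href") or ""
        try:
            host = urlsplit(href).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            return
        if not is_flagged(host):
            return
        # rel is a space-separated, case-insensitive token list
        rel = (attrs.get("rel") or "").lower().split()
        (self.nofollowed if "nofollow" in rel else self.followed).append(href)

def audit(html):
    """Return (links needing nofollow, links already marked) for one page."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.followed, parser.nofollowed

# Constructed sample page: plain, marked, protocol-relative and lookalike links.
SAMPLE = """
<p>I visited <a href="http://www.hotshopgood.com">this shop</a>,
listed at <a href="http://fraudwatchers.org/">fraudwatchers.org</a>.
Marked: <a rel="external NoFollow" href="http://WWW.HOTSHOPGOOD.COM/pay">pay</a>.
Protocol-relative: <a href="//hotshopgood.com/x">x</a>,
lookalike: <a href="http://nothotshopgood.com/">other</a>.</p>
"""

if __name__ == "__main__":
    followed, nofollowed = audit(SAMPLE)
    print("needs rel=nofollow:", followed)
    print("already marked:", nofollowed)
```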
I was tagged yellow for “Possibly advertising in junk emails” I have never advertised in any emails but according to the dings at SiteAdvisor….. When we visited this site, we found that it may advertise in junk e-mail.
It is not surprising that McAfee isn’t capable of reviewing the intentions of a site maker, or the validity of its business claim (e.g., is this a real store?) — they specialize in malware, and so that’s what they know how to look for. Besides, that analysis can be automated, whereas checking fraudulent activity is very human-intensive. (Although they are welcome to ask aa419.org for permission to use our database!)
I found SiteAdvisor’s analysis of aa419.org to be amusing:
Actually, we have thousands and thousands of links to sites that are dangerous and fraudulent 😉 I can only assume they count links, and evaluate the ones which are most frequent (and/or are in SiteAdvisor’s records already).
Another example is FreeCreditReport.com. As you know, they trick people into signing up for a ‘free trial’ that if not cancelled in 7 days, auto-renews at $14.95 every month. Yea, you don’t hear them mention it ever except in small text at the top of the page.
At Web of Trust users properly noted the problems with this company and its D rating at the BBB (11,500 complaints in last 36 months).
At SiteAdvisor it is a full GREEN *despite* the countless negative user reviews of that site. I imagine they paid for this, as McAfee has been hounding me to pay for such a service. That is how it works. You pay thousands a year, you get GREEN if there is no malware detected (I doubt they care if any really exists or not). If you don’t pay, you hope there are no mistakes. If there are, it takes at least 3 months for them to fix (as it did in my case, and in the case of countless others).