Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Web Hosting a Fount of Malware

Posted by Hemos on from the bad-times dept.

daria42 writes "It looks as if free Web space services are increasingly being used to host spyware, with Internet security firm Websense claiming more of such dodgy material was found on free hosting services during the first two weeks of July than in May and June combined. "These fraudulent, free personal Web sites have an average lifespan of two to four days, making them difficult to trace," said an executive from the company."

24 of 203 comments (clear)

  1. What are you gonna do? by gbulmash · · Score: 4, Informative
    Free sites are used as gateways to all sorts of dodgy propositions... malware, porn spam, etc. It's because they're so easy to get with fake identity info. Maybe they record your IP address, but you can start building your site at some free hosts without even having your e-mail address confirmed, and it's possible to disguise your IP address.

    I'd say that the gov't should make these companies provide more authentication, but all it would do is prove a barrier against legitimate users while the criminals would just find a way around.

    Outlawing free/homesteading sites would be likely be found unconstitutional in the U.S. and it would be a big fight to remove the safe harbor provisions for such sites to make them responsible for their users' malicious activities. I really don't know what we could do at a legislative level. At a personal level, I just refuse to visit any sites at angelfire, geocities, et al.

    - Greg

    --
    Start a happiness pandemic
    1. Re:What are you gonna do? by fastgood · · Score: 5, Funny

      I'd say that the gov't should make these companies provide more authentication

      Or the way privacy is going these days, charge a $0.01 setup fee payable only by credit card.

    2. Re:What are you gonna do? by Jason1729 · · Score: 4, Insightful

      So you refuse to visit any site at a big name free host.

      That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them. What a dangerous attitude.

      Besides that, there are thousands of free web hosts just because you know the names of 10 or so of the largest doesn't mean you aren't visiting others.

      Even if the majority of dodgy sites are hosted on free sites, the majority of content on free sites can be quite valuable.

      As part of political free speech it should be constitutionally protected that free sites can operate without collecting personal information if they want. If the government forces personal authentication, they can track you if they don't agree with what you say. That will inhibit what legetimate messages you're comfortable posting, and it would be a serious blow to free speech.

    3. Re:What are you gonna do? by fireboy1919 · · Score: 4, Interesting

      I think it's pretty clear that the problem is the same as spam: the opportunity cost is too low.

      There are many, many things that one could do to make it reasonable. You could have them send a $1 bill, or pay a similar trifling amount through an online broker, or even require a waiting period during which content is machine-inspected for scamming.

      I personally use a "free" server that pretty much keeps spam at bay by requiring a $1 bill sent through the mail in order to gain memebership.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
    4. Re:What are you gonna do? by Osrin · · Score: 4, Insightful

      That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them.

      Alternately, you're saying that you have no interest in what poor people have to say.

    5. Re:What are you gonna do? by gbulmash · · Score: 4, Insightful
      That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them.

      Alternately, you're saying that you have no interest in what poor people have to say.

      Actually, before these sites became such a wasteland of porn spam and malware, I stopped visiting them because they were some of the worst abusers of pop-ups, pop-unders, and other annoying advertising methods. The growing abuse of these services by spammers and other scum merely cemented my resolve to avoid them.

      Sure, you lose out on some gems, but there is MORE than enough out there in the areas I will visit to compensate for what I'm missing. The amount of interesting information on the Internet increases faster than any one human can keep up with (except for my friend who, after a badly broken leg and 3 months on bedrest, came back to work and said he used all that time to "finish reading the Internet"). If my filters leave out some valuable voices in the free-web-o-sphere, I've still got LOTS of interesting and valuable choices remaining.

      - Greg

      --
      Start a happiness pandemic
  2. Only last so long by Anonymous Coward · · Score: 5, Insightful

    Next thing you know, the malware authors will just host stuff from infected PCs. I'm sure you can run a basic web server pretty easily.

  3. Free?! by Anonymous Coward · · Score: 4, Funny

    I've been paying GoDaddy to host my Malware all this time?!

  4. Suprise, suprise. by rmccann · · Score: 5, Funny

    Spammers and crackers abusing free internet facilities?! Perish the though.

  5. How to trust ANY new web service? by Ohmster · · Score: 4, Interesting

    It's not just fake hosting services with malware and other phishing scams. It's getting so that one gets suspicious of any kind of new service that crops up on the web. The other day, I got excited seeing this service that promised to turn my blog contents into a printed book. I tried it, but then got worried that it was a phishing scam. And cancelled my attempts to use the service. What does mean for the promise of "web services" in general? More on the "blog into book" experience here: ahref=http://mp.blogs.com/mp/2005/07/s_11.htmlrel= url2html-21790http://mp.blogs.com/mp/2005/07/s_11. html>

    1. Re:How to trust ANY new web service? by pentalive · · Score: 4, Insightful

      This is pretty bad, I was applying for a job - I was contacted by someone who said they were with a large employer here in CA, after some short question and answer they emailed me some forms that I was to print out and fill in, and fax back. Part of the process before any real interviews was a "background check" form. That form had everything an identity theif needs, ssn, old addresses, Jobs, Date of Birth all kinds of thinks. That added to the fact that these people's email address differed from the employer the said they were from.. It turns out that the applications and the Job was on the up and up, but I wonder...

    2. Re:How to trust ANY new web service? by patio11 · · Score: 4, Interesting
      That would be a NASTY phishing scam.

      "Hello, we are Human Resources Solutions International. One of our clients has contracted with us to process your recent job application. You have the option of either waiting for our letter to arrive via registered mail or entering your data in our secure web server located at https://www.scamyourbuttoff.com./ Please note that your application cannot proceed until we have completed our investigation, so it is in your best interest to respond promptly. Thank you and if you have any questions about your employment process please mail Mary Jo at nevergetareply@scamyourbuttoff.com."

      Fire that off to 100,000 people and I'll bet probably half of the ones actively doing job searching will go to your website without a second thought.

      --
      Help poke pirates in the eyepatch, arr.
  6. Convoluted to sign up? by Anakron · · Score: 3, Interesting
    From TFA:
    They make you type in a word that has been obscured as an image to stop them from being set up automatically

    Does anyone know how effective these schemes really are? Is there a study that measures how effective this is?
    --
    There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
  7. wondering... by eobanb · · Score: 3, Interesting

    I was wondering, how do these people typically register accounts with free web services? Our site was having a problem with comment spam, so a CAPTCHA test tends to do the trick basically all the time. On the other hand, I've also heard about defeating the test by starting a porn site and then taking the image and showing it to visitors and basically just having them type the right answer and they get to see 10 pictures or something. What we ended up doing was a word riddle, like "The quick brown fox jumped over the lazy ___s" or "3 + 5 = _" So if automated registering of these accounts is a problem, that's what I would suggest. Or you could surely just prohibit any files with a .bat or .exe or .whatever extension, and only allow .html, .gif, .jpg, .png, .wav, .txt, and a few more. I mean, if it's a free service, you get what you pay for. If you really need to host programs it shouldn't be too much trouble for you to buy something for $5/month. All in all this doesn't really seem like that outrageous of a problem.

    --

    Take off every sig. For great justice.

  8. Re:Who would have guessed??? by superpulpsicle · · Score: 4, Interesting

    The dilemma is... if they got rid of free hosting. Then only those who can afford $$ monthly hosting bills can host. It's tough to shoot for democracy when only people with money can have a voice online. Let's not tear down the tree and the whole neighborhood due to a couple bad apples.

  9. CAPTCHAs (was Re:Convoluted to sign up?) by gbulmash · · Score: 5, Informative
    They make you type in a word that has been obscured as an image to stop them from being set up automatically

    Does anyone know how effective these schemes really are? Is there a study that measures how effective this is?

    The type-in is called a CAPTCHA (an acronym for "completely automated public Turing test to tell computers and humans apart"). They can be fairly effective, but all they do is block robots from setting up an account. If I need 10 accounts, I don't necessarily need to automate it. CAPTCHAs are more often used effectively to block bulk botting stuff like blog spam, signups for free mail accounts, or other services (like whois at Netsol.com or Godaddy.com) prone to abuse and they can work well if well designed. But, again, they're to prevent robots from doing something, not humans.

    Now, as CAPTCHA's get more obscured to try to defeat more sophisticated OCR elements, they become more difficult for humans to read. I recently developed one that I may use on some of my sites that uses identifying the contents of pictures. Demo here. Some of the people I've had test it said it was fun and they actually played it like a game.

    - Greg

    --
    Start a happiness pandemic
    1. Re:CAPTCHAs (was Re:Convoluted to sign up?) by morcheeba · · Score: 4, Interesting

      I thought CAPTCHAs would be pretty effective, until I heard of this cool scheme to get around them:

      1. Spammer X wants to sign up for 100 free email accounts at free-accounts-Y.
      2. Spammer X has a small cache of porn.
      3. Spammer X puts up a website to allow access to his porn & promotes it
      4. To see Spammer X's porn, Joe Average must sign up at Spammer X's website.
      5. Signing up involves, you-guessed-it, a CAPTCHA!
      5a. Joe requests to sign up
      5b. Spammer X requests an account at free-accounts-Y and gets a CAPTCHA request.
      5c. Spammer X presents this same request on their website to Joe
      5d. Joe solves the CAPTCHA and returns the info to Spammer X
      5e. Spammer X passes that info to free-accounts-Y
      6. Repeat steps 5a-5e for lots of Joes. Result: lots of email accounts for Spammer X.

      As long as the CAPTCHA is not impossible, people will process them for you for almost free.

      --
      HIV Crosses Species Barrier... into Muppets
  10. Re:Who would have guessed??? by generic-man · · Score: 3, Insightful

    Only people with money can get on-line. The vast majority of blogs and forums out there (Slashdot included) are populated entirely by people wealthy enough to afford an Internet connection of some sort. You don't see working-class people at the library updating their politiblogs because OMG did you see what Koz said this morning about the deficit what a total wonk I am totally trackbacking him right now!!!

    --
    For more information, click here.
  11. Websense is a Censorship Firm by Anonymous Coward · · Score: 5, Insightful

    Calling them a "Security" firm is whitewashing who they really are.

    read the article on Censorware.

  12. Re:Fount? by tidewaterblues · · Score: 5, Informative

    Actually, fount is the British and the old poetic spelling of font. When this spelling is used, it generally means a fountain, spring, or source. Using the modern spelling, a font refers to a basin for baptizing people or holding holy water, (sometimes also called a laver), although it can refer to the old useage as well. However, I don't think the word can be used to mean "plethora".

    --


    ...En að Besta Sem Guð Hefur Skapað Er Nýr Dagur
  13. Re:Fount? by Compholio · · Score: 3, Informative

    However, I don't think the word can be used to mean "plethora".

    I've actually heard it a whole lot, but my parents were always big on vocabulary. At least in US English there's no "u" in font though:
    http://dictionary.reference.com/search?q=font

    Specifically:
    An abundant source; a fount: She was a font of wisdom and good sense.

    (you have to look at fount to see that the "u" is deprecated)

  14. Re:Kill two birds with one stone. by wibs · · Score: 4, Insightful

    I hope you're not serious.

    People that don't know even the basics of HTML, or how to create a website shouldn't be allowed

    You're right, only people who already know everything should be allowed to attempt anything. Let's keep math books out of schools and close the freeways, because only mathematicians and NASCAR drivers have any right to numbers and cars. I don't know about you, but my first site was almost 10 years ago on Angelfire, and it was crap as all of them are. Then I bought books, viewed source, and have done a number of sites professionally with all that fancy high-tech wizardry I never would have even known existed if I hadn't started somewhere.

    Maybe this would also get rid of the million's of those MySpace or Piczo type websites that plague the internet with the writings of illiterate 13 year old girls.

    Sure, their sites might be pointless and juvenile, but I can't remember the last time I spent an hour reading a site before slapping my forehead and saying "Oh, now I understand why this sucks, it was written by a 13 year old!" That just doesn't happen, because the only people who ever end up at those sites are the 13 year olds who write them and their other 13 year old friends. This "plague" does not affect most people in the slightest, and if it affects you then perhaps you shouldn't be allowed to use the internet because of a lack of basic navigation skills.

    People can be so quick to discourage and dismiss beginners, it makes me wonder how anybody ever learns anything.

    --
    If you get nervous, just remember that there are a few billion other people who don't really give a damn.
  15. In Other News... by __aaclcg7560 · · Score: 3, Funny

    Researchers have discovered that the Microsoft Windows operating system (all flavors) has been hosting spyware, virus and other malicious crap that comes off the Internet and spreads it to other computers attached to the same LAN at a faster rate than any other time in the last 10 years. Microsoft released a statement saying that Windows does it better than Linux and encouraged all users to immediately upgrade to Windows Vista. :P

  16. The Register has a slightly different take by Anonymous Coward · · Score: 3, Interesting

    John Leyden at The Register has a slightly different take on this story. Essentially Websense is a company trying desperately to sell its "security products" through a campaign of FUD and blatantly obvious "alerts". I think most people here see this as the latter, while most of Websense's target audience probably fall into the former target audience.