Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 3 August 2009

Bad guys go nuts on SiteAdvisor

Presumably in an effort to undo the work done by us good guys, it seems the bad guys are now going absolutely nuts on SiteAdvisor, deliberately mis-rating good sites as bad, and bad sites as good.

This user for example, who rated a slew of malicious sites as bad, and a few good sites (, and err - this blog?) as bad;

How do we know who these guys are? Well, let's take one random site they rated as good,;

Who is this site? Well, Google had quite a bit to say, that kinda contradicts this user;


What happened when Google visited this site?

Of the 349 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-08-02, and the last time suspicious content was found on this site was on 2009-08-02.
Malicious software includes 219 scripting exploit(s).

This site was hosted on 1 network(s) including AS49314 (NEVAL).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 147 domain(s), including,,

For additional kicks n giggles: Google Diagnostic page for AS49314

mcafee-malware is hosted at (NEVAL - Individual retailer Nevedomskiy A A). Not surprising of course, the CNET, shows it hosts a slew of exploit and other malicious domains, and 91.212. hosts over 800 malicious domains (the history shows over 1000!!), including;


You'll no doubt not be surprised to learn that the 91.212.* ranges are all Russian/Ukrainian owned and controlled.

So how do you find the malicious reviewers then? That's an easy one - just look at the good guys pages on SiteAdvisor, for example;

Where you'll find PhantasimLies2001, or;

Or ... well, you get the idea. Just some of the fake reviewers we've identified thus far include;

coloradoChris-is-a-Liar
Mc-Afee-Allows-Lies
Mc-Afee-Allows-Lies2
Mc-Afee-sucks
Mc-Afee-charged-w-fraud
stop-bashers2001
sharons-lies
Phantasim-lies
Phantasim__lies
PhantasimLies2001
Phantasim-Lies2001y
stop-bashers2003
stop-bashers2004

Special thanks to the ladies and gents that gave me a heads up!

Sadly, this is one of the downsides to sites such as SiteAdvisor, MyWot, OpenDNS etc etc etc, that allow user based ratings - they're ripe for abuse.
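The cross-check used above (comparing what a reviewer rated against an independent verdict such as Google's diagnostic page) can be automated on the rating site's side. This is an added example, not code from this blog or from SiteAdvisor; it assumes ratings are available as (reviewer, site, rating) tuples alongside reference lists of known-bad and known-good domains, and every reviewer name and domain in it is constructed.

```python
from collections import defaultdict

def score_reviewers(ratings, known_bad, known_good):
    """Count, per reviewer, ratings that contradict the reference lists.

    Sites on neither list are skipped: there is no verdict to compare with.
    """
    stats = defaultdict(lambda: {"whitewash": 0, "smear": 0, "checked": 0})
    for reviewer, site, rating in ratings:
        site = site.lower().rstrip(".")
        if site in known_bad:
            stats[reviewer]["checked"] += 1
            if rating == "good":          # bad site rated good
                stats[reviewer]["whitewash"] += 1
        elif site in known_good:
            stats[reviewer]["checked"] += 1
            if rating == "bad":           # good site rated bad
                stats[reviewer]["smear"] += 1
    return dict(stats)

def flag_reviewers(ratings, known_bad, known_good, min_checked=4, min_ratio=0.75):
    """Reviewers who invert verdicts in BOTH directions, often enough to matter."""
    flagged = []
    for reviewer, s in score_reviewers(ratings, known_bad, known_good).items():
        inverted = s["whitewash"] + s["smear"]
        if (s["checked"] >= min_checked and s["whitewash"] and s["smear"]
                and inverted / s["checked"] >= min_ratio):
            flagged.append(reviewer)
    return sorted(flagged)

# Constructed sample data (hypothetical reviewers, .example domains).
KNOWN_BAD = {"exploit-kit.example", "fake-av.example", "dropper.example"}
KNOWN_GOOD = {"researcher-blog.example", "hosts-project.example"}
RATINGS = [
    ("sockpuppet-1", "exploit-kit.example", "good"),
    ("sockpuppet-1", "fake-av.example", "good"),
    ("sockpuppet-1", "dropper.example", "good"),
    ("sockpuppet-1", "researcher-blog.example", "bad"),
    ("sockpuppet-1", "hosts-project.example", "bad"),
    ("honest-user", "exploit-kit.example", "bad"),
    ("honest-user", "fake-av.example", "bad"),
    ("honest-user", "dropper.example", "good"),      # one honest mistake
    ("honest-user", "researcher-blog.example", "good"),
    ("drive-by", "fake-av.example", "good"),         # too few ratings to judge
    ("drive-by", "unlisted.example", "bad"),         # no reference verdict
]

if __name__ == "__main__":
    print(flag_reviewers(RATINGS, KNOWN_BAD, KNOWN_GOOD))
```

Requiring both directions and a minimum number of checked ratings keeps a single honest mistake, or a one-off drive-by rating, from being treated as abuse.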


Unknown said...

Thank you very much for your fantastic support.

Every Internet user should be made aware of the HOSTS file in their very first hour they learn to use a computer.

Thanks again, when can we expect a HpHosts update please?


MysteryFCM said...

My pleasure :o)

I'm hoping to have an update out by the weekend.

Unknown said...

The bad guys might be someone else, according to this blog.

MysteryFCM said...

That actually appears to be a separate incident.

Unknown said...

It may well be different. But they are targeting exactly the same people at exactly the same time. And you list exactly the same domains that myWOT does. See their nonsense at and make sure you read the comments.

MysteryFCM said...

I couldn't help but LOL when I saw this one;

Me thinketh someone duth not understand PhishTank's "phishing data".

I'm not even going to bother commenting on the rest.

Not really surprising that it's hosted with;


Chr!s said...

Wow. Do scammers have nothing better to do than follow around legitimate users and go against them just for the hell of it? Good luck with that grammar too! People just have no gray matter in their heads anymore. You think McAfee would have a better way of stopping this kind of thing.

ThreeStarsWatch said...

I wrote (at least some of) the blog Ayman mentioned but I don't know if there is any connection to this case. No doubt such sites get attacked all the time for various reasons.

I would actually be surprised if Three Stars did not attack SiteAdvisor as well, they are blacklisted there too. If we find any connections we'll make sure to post them.

Unknown said...

I use HostsMan to update my hosts file automatically.. Strongly recommended!..

Unknown said...

Aha. But what's this? Interesting link there.

ThreeStarsWatch said...

Heh you're right, it seems they already attacked SiteAdvisor long ago...

This is probably what it was about, and they're not related to Three Stars AFAIK: