Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet

Free Web Hosting a Fount of Malware 203

daria42 writes "It looks as if free Web space services are increasingly being used to host spyware, with Internet security firm Websense claiming more of such dodgy material was found on free hosting services during the first two weeks of July than in May and June combined. "These fraudulent, free personal Web sites have an average lifespan of two to four days, making them difficult to trace," said an executive from the company."
This discussion has been archived. No new comments can be posted.

Free Web Hosting a Fount of Malware

Comments Filter:
  • by gbulmash ( 688770 ) * <semi_famous@noSpAM.yahoo.com> on Wednesday July 27, 2005 @05:46PM (#13180966) Homepage Journal
    Free sites are used as gateways to all sorts of dodgy propositions... malware, porn spam, etc. It's because they're so easy to get with fake identity info. Maybe they record your IP address, but you can start building your site at some free hosts without even having your e-mail address confirmed, and it's possible to disguise your IP address [slashdot.org].

    I'd say that the gov't should make these companies provide more authentication, but all it would do is prove a barrier against legitimate users while the criminals would just find a way around.

    Outlawing free/homesteading sites would be likely be found unconstitutional in the U.S. and it would be a big fight to remove the safe harbor provisions for such sites to make them responsible for their users' malicious activities. I really don't know what we could do at a legislative level. At a personal level, I just refuse to visit any sites at angelfire, geocities, et al.

    - Greg

    • by fastgood ( 714723 ) on Wednesday July 27, 2005 @06:00PM (#13181097)

      I'd say that the gov't should make these companies provide more authentication

      Or the way privacy is going these days, charge a $0.01 setup fee payable only by credit card.

    • I'd say that the gov't should make these companies provide more authentication, but all it would do is prove a barrier against legitimate users while the criminals would just find a way around.

      Authentication.. how about a 'contract' stating you must actively use your free hosting account for 30days or get a penalty fee. Gives the hosting company a chance to catch up on whos doing what
    • by Jason1729 ( 561790 ) on Wednesday July 27, 2005 @06:01PM (#13181104)
      So you refuse to visit any site at a big name free host.

      That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them. What a dangerous attitude.

      Besides that, there are thousands of free web hosts just because you know the names of 10 or so of the largest doesn't mean you aren't visiting others.

      Even if the majority of dodgy sites are hosted on free sites, the majority of content on free sites can be quite valuable.

      As part of political free speech it should be constitutionally protected that free sites can operate without collecting personal information if they want. If the government forces personal authentication, they can track you if they don't agree with what you say. That will inhibit what legetimate messages you're comfortable posting, and it would be a serious blow to free speech.
      • by Osrin ( 599427 ) * on Wednesday July 27, 2005 @06:06PM (#13181140) Homepage
        That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them.

        Alternately, you're saying that you have no interest in what poor people have to say.
        • An couple of hours at many internet cafes cost more than a year worths of hosting simple html-files on some places..
        • by gbulmash ( 688770 ) * <semi_famous@noSpAM.yahoo.com> on Wednesday July 27, 2005 @06:26PM (#13181295) Homepage Journal
          That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them.

          Alternately, you're saying that you have no interest in what poor people have to say.

          Actually, before these sites became such a wasteland of porn spam and malware, I stopped visiting them because they were some of the worst abusers of pop-ups, pop-unders, and other annoying advertising methods. The growing abuse of these services by spammers and other scum merely cemented my resolve to avoid them.

          Sure, you lose out on some gems, but there is MORE than enough out there in the areas I will visit to compensate for what I'm missing. The amount of interesting information on the Internet increases faster than any one human can keep up with (except for my friend who, after a badly broken leg and 3 months on bedrest, came back to work and said he used all that time to "finish reading the Internet"). If my filters leave out some valuable voices in the free-web-o-sphere, I've still got LOTS of interesting and valuable choices remaining.

          - Greg

        • Alternately, you're saying that you have no interest in what poor people have to say.


          Well yeah. I'd hate to think that somewhere, a guy is working on his "free hosting" webpage instead of getting a job to cover the 7$ a month hosting bill. If they can't figure out how to make just a paltry sum, or have a friend host them, I seriously doubt they have the brainpower to say anything interesting.
        • Alternately, you're saying that you have no interest in what poor people have to say.

          Only here in the US do we consider people who have enough money for a phone, computer, a place to put them all, electricity, and an ISP connection "poor".

          Poor people don't play with computers. They are trying to eat and find a place to live.

      • by kz45 ( 175825 )
        That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them. What a dangerous attitude.

        Besides that, there are thousands of free web hosts just because you know the names of 10 or so of the largest doesn't mean you aren't visiting others.


        honestly, it's not even worth it. The providers of most of these "free web hosting" accounts load each "free" site with popups and advertisements. That alone will make me stay away from tho
      • So you refuse to visit any site at a big name free host.

        That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them. What a dangerous attitude.


        No, he's saying that these tend to be the sites that try to install spyware and such. I stay away from them myself for the very same reasons.

        And if you are too poor to have a web site posted why not post your views on forums or blog comments. It will be seen by more people anyway.
      • That means you're saying people only have a valuable opinion or can provide useful information if they're willing to pay you to listen to them.

        No.

        You're saying that you value your PC safety too much to visit sites in a bad neighbourhood.
    • by fireboy1919 ( 257783 ) <rustyp AT freeshell DOT org> on Wednesday July 27, 2005 @06:06PM (#13181139) Homepage Journal
      I think it's pretty clear that the problem is the same as spam: the opportunity cost is too low.

      There are many, many things that one could do to make it reasonable. You could have them send a $1 bill, or pay a similar trifling amount through an online broker, or even require a waiting period during which content is machine-inspected for scamming.

      I personally use a "free" server that pretty much keeps spam at bay by requiring a $1 bill sent through the mail in order to gain memebership.
    • "Free" web hosting has never been free. I have tried several of them to cut costs for uncoveror.com, and they all fed pop-ups, many of which pushed spyware like gator and bonzi if they were not closed carefully. I would rather pull the plug than do that to readers, so I went to paid hosting. Last time I checked, none of my banner or text ads fed spyware.
    • Other commercial hosts are in no way less susceptible to identity issues than most free sites. Also, consider that commercial web hosts offer more of an attack footprint as they'll allow any random script to be uploaded (or host phpBB, etc). I worked for years and years in a senior technical role at one of the top three web hosts, and it's a very difficult job to ensure security across thousands of Linux and Windows boxes with all the mess that's out there. People that run their own dedicated servers ar
      • The host must bear some responsibility. When my guestbook was being screwed by malware hosted by Everyone's Internet, I didn't want to contact the spammer. The spammer knew exactly what they were doing so why should they do anything. I wanted the host (a seemingly legitimate business) to stop their facilities from being abused.

        Little did I know that I would spend a good few months engaged in a one-way conversation with the host before the spam finally stopped. I strongly believe that in this case, it wasn't
  • Only last so long (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 27, 2005 @05:46PM (#13180971)
    Next thing you know, the malware authors will just host stuff from infected PCs. I'm sure you can run a basic web server pretty easily.
    • by KiloByte ( 825081 )
      Exactly.
      Banning free hosting or requiring registration won't accomplish anything. Of course, this fact won't stop the politicians from throwing another rock against free speech.
    • I would imagine it would take more time and energy than most malware authors and the like would hope to expend. Most infected PCs are using a DHCP lease for their IP address, whereas the free hosting sites allow you to have a static URL for your storage and distribution needs. It's the motivation shared by spammers; expend very little energy, send out tons and tons of spam/malware, and some of it will stick. It's simply not worth the extra effort.
  • Free?! (Score:4, Funny)

    by Anonymous Coward on Wednesday July 27, 2005 @05:47PM (#13180975)
    I've been paying GoDaddy to host my Malware all this time?!
  • by rmccann ( 792082 ) on Wednesday July 27, 2005 @05:49PM (#13180984) Homepage Journal
    Spammers and crackers abusing free internet facilities?! Perish the though.
    • It used to be the freehosts themselves distributing spyware... some still do... visit any free page on 0catch.com for free VX2 betterinternet, epilepsy inducing banners and popups that defeat ANY blocking.
  • by Ohmster ( 843198 ) * on Wednesday July 27, 2005 @05:49PM (#13180995) Homepage Journal
    It's not just fake hosting services with malware and other phishing scams. It's getting so that one gets suspicious of any kind of new service that crops up on the web. The other day, I got excited seeing this service that promised to turn my blog contents into a printed book. I tried it, but then got worried that it was a phishing scam. And cancelled my attempts to use the service. What does mean for the promise of "web services" in general? More on the "blog into book" experience here: ahref=http://mp.blogs.com/mp/2005/07/s_11.htmlrel= url2html-21790 [slashdot.org]http://mp.blogs.com/mp/2005/07/s_11. html>
    • by pentalive ( 449155 ) on Wednesday July 27, 2005 @06:22PM (#13181274) Journal
      This is pretty bad, I was applying for a job - I was contacted by someone who said they were with a large employer here in CA, after some short question and answer they emailed me some forms that I was to print out and fill in, and fax back. Part of the process before any real interviews was a "background check" form. That form had everything an identity theif needs, ssn, old addresses, Jobs, Date of Birth all kinds of thinks. That added to the fact that these people's email address differed from the employer the said they were from.. It turns out that the applications and the Job was on the up and up, but I wonder...
      • by patio11 ( 857072 ) on Wednesday July 27, 2005 @08:28PM (#13182090)
        That would be a NASTY phishing scam.

        "Hello, we are Human Resources Solutions International. One of our clients has contracted with us to process your recent job application. You have the option of either waiting for our letter to arrive via registered mail or entering your data in our secure web server located at https://www.scamyourbuttoff.com./ [www.scamyourbuttoff.com] Please note that your application cannot proceed until we have completed our investigation, so it is in your best interest to respond promptly. Thank you and if you have any questions about your employment process please mail Mary Jo at nevergetareply@scamyourbuttoff.com."

        Fire that off to 100,000 people and I'll bet probably half of the ones actively doing job searching will go to your website without a second thought.

  • Who would have guessed that the shady people who build sites to send their crap around wouldn't want to pay for a legit hosting setup? Profound!
    • Considering that it is in their best interest to make their scams believable, I'm actually surprised that they would refuse to pay for legit hosting. I'm guessing hosting costs are a tiny portion of the profit they expect to make.
      Of course, these idiots who use free web space are probably bottom-of-barrel scum.
    • by superpulpsicle ( 533373 ) on Wednesday July 27, 2005 @05:56PM (#13181052)
      The dilemma is... if they got rid of free hosting. Then only those who can afford $$ monthly hosting bills can host. It's tough to shoot for democracy when only people with money can have a voice online. Let's not tear down the tree and the whole neighborhood due to a couple bad apples.

      • Only people with money can get on-line. The vast majority of blogs and forums out there (Slashdot included) are populated entirely by people wealthy enough to afford an Internet connection of some sort. You don't see working-class people at the library updating their politiblogs because OMG did you see what Koz said this morning about the deficit what a total wonk I am totally trackbacking him right now!!!
        • I know plenty of people who are below the poverty line in the US who are Internet users...
      • You're talking about a barrier to entry that's no more than $10/month. The thing is that that tiny payment, like email, would put the vast majority of jackasses out of business. I personally don't ever visit any sites hosted on free services just for this reason. If what somebody has to say isn't worth the cost of a $10-$15 monthly bill, then I'm not interested.
        • . If what somebody has to say isn't worth the cost of a $10-$15 monthly bill, then I'm not interested.

          I have many, many bookmarks to free sites where some enthusiast has his free software that does exactly what I need, technical guide to some obscure hardware, old TV show, author, etc, etc. If they had to pay to keep it online, most couldn't justify it, or would have to load it up with even more banners, popup etc (though the return on these for a low traffic site won't cover the costs these days).

      • Don't numerous ISPs throw some free web page space, quite often WITHOUT pop-up ads or such ad-related garbage?

        I mean with Comcast and its millions of customers, you get some web page space to hotlink images, etc. Sure, you can't do certain questionable web pages(hacking, porn, etc), but still it is included with the cost of your monthly bill.

        Heck, even AOL has web page space.

        Again, if there's malware being sent out on free web page sites, perhaps its time for them to go.
        • Don't numerous ISPs throw some free web page space, quite often WITHOUT pop-up ads or such ad-related garbage?

          I mean with Comcast and its millions of customers, you get some web page space to hotlink images, etc. Sure, you can't do certain questionable web pages(hacking, porn, etc), but still it is included with the cost of your monthly bill.


          Yes, but this doesn't help those whose Net access is a free library terminal and who use yahoo/hotmail or other free webmail for email.

          Heck, even AOL has web page space
      • This is why the first amendment is more properly phrased like this: You have the right to speak, but you do not have the right to be heard. There is, likewise, no obligation to facilitate the speech of others.

        If it's not feasible to give away web space for free, for whatever reason, it will disappear, the same way free dialup accounts and AllAdvantage disappeared. There is no "they" here, only the collective actions of every ISP and web host in the world. They don't let you on the radio or on TV or in ne
  • by Anakron ( 899671 ) on Wednesday July 27, 2005 @05:51PM (#13181005)
    From TFA:
    They make you type in a word that has been obscured as an image to stop them from being set up automatically

    Does anyone know how effective these schemes really are? Is there a study that measures how effective this is?
    • They make you type in a word that has been obscured as an image to stop them from being set up automatically

      Does anyone know how effective these schemes really are? Is there a study that measures how effective this is?

      The type-in is called a CAPTCHA [wikipedia.org] (an acronym for "completely automated public Turing test to tell computers and humans apart"). They can be fairly effective, but all they do is block robots from setting up an account. If I need 10 accounts, I don't necessarily need to automate it. CAPTCHAs are more often used effectively to block bulk botting stuff like blog spam, signups for free mail accounts, or other services (like whois at Netsol.com or Godaddy.com) prone to abuse and they can work well if well designed. But, again, they're to prevent robots from doing something, not humans.

      Now, as CAPTCHA's get more obscured to try to defeat more sophisticated OCR elements, they become more difficult for humans to read. I recently developed one that I may use on some of my sites that uses identifying the contents of pictures. Demo here [cardsender.net]. Some of the people I've had test it said it was fun and they actually played it like a game.

      - Greg

      • Very nice and interesting idea. Any chance you'll open it up? I don't see it being hard to replicate but I am always a fan of DRY (Don't Repeat Yourself)

        Best of luck.
        • Any chance you'll open it up?

          I've considered opening up the code (it's in PHP), but the photos came out of a clip-art collection, so I wouldn't be able to redistribute them. I'd have to get contributors to provide their photos under GPL.

          The alternative is to provide it as a remotely hosted service, in which case I'm within the bounds of the license on the images, and since I already set it up that way for myself, expanding it wouldn't be tough.

          - Greg

      • by morcheeba ( 260908 ) * on Wednesday July 27, 2005 @06:25PM (#13181286) Journal
        I thought CAPTCHAs would be pretty effective, until I heard of this cool scheme to get around them:

        1. Spammer X wants to sign up for 100 free email accounts at free-accounts-Y.
        2. Spammer X has a small cache of porn.
        3. Spammer X puts up a website to allow access to his porn & promotes it
        4. To see Spammer X's porn, Joe Average must sign up at Spammer X's website.
        5. Signing up involves, you-guessed-it, a CAPTCHA!
        5a. Joe requests to sign up
        5b. Spammer X requests an account at free-accounts-Y and gets a CAPTCHA request.
        5c. Spammer X presents this same request on their website to Joe
        5d. Joe solves the CAPTCHA and returns the info to Spammer X
        5e. Spammer X passes that info to free-accounts-Y
        6. Repeat steps 5a-5e for lots of Joes. Result: lots of email accounts for Spammer X.

        As long as the CAPTCHA is not impossible, people will process them for you for almost free.
      • Spammers simply proxy the CAPTCHA images, and re-present them on their own sites. Users of their sites then process the CAPTCHA for them, and they turn around and use the user's input to register on the original site.

        For example, say compuporn.com wants free geocities accounts. compuporn.com offers free memberships on their site; when Joe Sixpack loads the signup page, compuporn.com runs a script that starts a new registration at geocities.com, and copies the geocities CAPTCA image, presenting it to Joe
        • Your CAPTCHA is not immune to this attack either.

          Never said it was, but as opposed to a "show an image and type its contents" CAPTCHA, it requires a more complex workaround. It would defeat their standard bot and require them to code a new workaround for my specific CAPTCHA. If they did as many do, and followed the path of least resistance, they'd never go to the trouble of defeating my CAPTCHA via remoting.

          My best concept for an unremotable CAPTCHA was one that used motion (like "punch the monkey"),

      • That was a pretty fun CAPTCHA! I am a human, what a relief. May I suggest that if you end up rolling this out that you make a way for blind people to do it also, like maybe they can e-mail you for access. Although since you were so informative about CAPTCHAs, you probably already had something in mind for blind people.
      • by Anonymous Coward
        Now, as CAPTCHA's get more obscured to try to defeat more sophisticated OCR elements, they become more difficult for humans to read. I recently developed one that I may use on some of my sites that uses identifying the contents of pictures. Demo here. Some of the people I've had test it said it was fun and they actually played it like a game.

        Sorry to burst your bubble there, but when I have no javascript enabled, all I get is a "Tell me if I'm human" button. I clicked on it and your script tells me I'm huma
      • The problem with your captcha is that you are passing an easily cracked hash of the answer along with the script as a hidden form element.

        Recommendations:
        A. Your hash appears to not be very random (for solutions beginning with 32xxx the first two bytes of the hash are identical). What you need is a hash function that hashes the entire thing to produce all the bits of the hash.
        B. Don't send out the answer in a computer readable form -- hashed or not. It just makes it too darn easy.
    • Well, according to this [w3.org], they might even be TOO effective...
      That may not be the exact answer you were looking for, though.
  • wondering... (Score:4, Interesting)

    by eobanb ( 823187 ) on Wednesday July 27, 2005 @05:52PM (#13181020) Homepage
    I was wondering, how do these people typically register accounts with free web services? Our site was having a problem with comment spam, so a CAPTCHA test tends to do the trick basically all the time. On the other hand, I've also heard about defeating the test by starting a porn site and then taking the image and showing it to visitors and basically just having them type the right answer and they get to see 10 pictures or something. What we ended up doing was a word riddle, like "The quick brown fox jumped over the lazy ___s" or "3 + 5 = _" So if automated registering of these accounts is a problem, that's what I would suggest. Or you could surely just prohibit any files with a .bat or .exe or .whatever extension, and only allow .html, .gif, .jpg, .png, .wav, .txt, and a few more. I mean, if it's a free service, you get what you pay for. If you really need to host programs it shouldn't be too much trouble for you to buy something for $5/month. All in all this doesn't really seem like that outrageous of a problem.
    • Well even with riddles, you can still get real human beings to do your riddle solving for you in exchange for a few porn pictures. Reminds me of Pavlov's dog.
    • On the other hand, I've also heard about defeating the test by starting a porn site and then taking the image and showing it to visitors and basically just having them type the right answer and they get to see 10 pictures or something. What we ended up doing was a word riddle, like "The quick brown fox jumped over the lazy ___s" or "3 + 5 = _"

      Even then, porn spammers can just show the question to users and get them to answer it. If someone is dedicated enough, they can remote any captcha to a human. Th

  • HTF can you expect anything different?

    Mod article +5 Duh.
  • by Anonymous Coward on Wednesday July 27, 2005 @06:03PM (#13181120)
    Calling them a "Security" firm is whitewashing who they really are.

    read the article on Censorware [censorware.net].
  • by torpor ( 458 )
    this is why its so important to recognize the unique sociological challenge of the URL.

    it is a namespace. thus, portions of it will be a BRAND space.

    either people recognize when they are culting, or they don't. times that they do, are often predicated on the formulation of identity.

    the URL is a human blank page. if you don't know the URL, don't go there...
  • The "security" frim websense is actually a censorship firm. For examples of their work, you can read maddox's little article on them. [thebestpag...iverse.net]
  • Duh, if nobody wants your product, you probably can't afford to host it anywhere reputable.

    If you could, people would just not go there anyway.

    Nobody says, "Hey, lets all go to BonziBuddy.com!"
  • I would think it possible for a free hosting site to run some sort of scan over pages as they are uploaded just to see that they are plain old HTML. Maybe even disallow links to financial institutions (to prevent some obvious phishing). Disallow CGI and form elements until the pages have been reviewed by a human.
  • by __aaclcg7560 ( 824291 ) on Wednesday July 27, 2005 @06:41PM (#13181395)
    Researchers have discovered that the Microsoft Windows operating system (all flavors) has been hosting spyware, virus and other malicious crap that comes off the Internet and spreads it to other computers attached to the same LAN at a faster rate than any other time in the last 10 years. Microsoft released a statement saying that Windows does it better than Linux and encouraged all users to immediately upgrade to Windows Vista. :P
  • by Anonymous Coward on Wednesday July 27, 2005 @06:42PM (#13181403)
    John Leyden at The Register [theregister.co.uk] has a slightly different take [theregister.co.uk] on this story. Essentially Websense is a company trying desperately to sell its "security products" through a campaign of FUD and blatantly obvious "alerts". I think most people here see this as the latter, while most of Websense's target audience probably fall into the former target audience.
  • "These fraudulent, free personal Web sites have an average lifespan of two to four days, making them difficult to trace," said an executive from the company."

    Well, of course all the fraudulent ones are going to have a quick turnover! It's not like Websense doesn't have anything to sell here. Nooooooo.
  • In other news, the "internet" has been found to be a fount of malware...
  • There's hosting that's free as in beer, and hosting that's free as in speech. While I know you can easily find that I've argued that free as in beer is often the more important factor, many times people over look free as in speech.

    Free hosting, in promoting both free's, does a great job. Unfortunately, it just takes a couple bastards to ruin it for everyone else.

    Free as in speech hosting is different. The key here is to not charge too much, and to put in place your hosting policies to afford as muc

This is now. Later is later.

Working...