Phishing for Free Software
I wanted to view the Wikipedia article on OpenOffice recently, so I googled ‘openoffice’, correctly assuming that the link I was looking for would be near the top of the results. While doing this, I noticed that a Google query for OpenOffice also turns up a couple of paid ‘sponsored links’ on the right side of the screen leading to websites offering dubious downloads of what purports to be OpenOffice, or something close to it. Here’s a screenshot:
Both sites prompt users to enter contact information (including a home address on one) in order to download OpenOffice (or have a CD with OpenOffice supposedly shipped to them for free…right). It’s hard to think of valid reasons for needing that information: the real openoffice.org site doesn’t care who downloads its software.
Moreover, while there’s a possibility that the downloads offered via these Google ads are perfectly innocent, I wouldn’t be surprised to find some malware packed in.
Also of interest is the fact that removing browser and operating-system information from the Google search URL (i.e., cutting out this bit: &rls=com.ubuntu:en-US:unofficial&client=firefox-a) yields more results under ‘sponsored links’, as if some of these ad purchasers were smart enough not to waste their money trying to push bogus OpenOffice downloads on Linux users who most likely already have it.
Curious, I googled other major free-software products to see what came up. In most cases there was nothing noteworthy, probably because all but the most prominent open-source applications lack the kind of user-base that’s likely to fall victim to schemes like this.
Firefox was the one exception. A Google search for it reveals an ad linking to the less-than-legitimate-sounding domain FireFox2009.genecards.org–where, again, users are asked to enter personal information before downloading what purports to be Firefox.
Interestingly, non-free software doesn’t seem to be subject to such attempts to hijack legitimate distribution points. Googling ‘internet explorer’, for example, turns up some ads for software that I’d never touch, but most of them offer merely to ‘fix Internet Explorer’, not to supply the software itself. A query for ‘skype’ returns no ads. ‘word’ yields some results that might be suspicious, but they’re below ads linking to sites owned by Microsoft itself.
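The pattern in the examples above is a brand name appearing somewhere in a hostname that is not the project’s own domain (FireFox2009.genecards.org rather than mozilla.org). The check below is an added example, not code from the original post; the allowlist of official domains is constructed for illustration, and the registrable-domain helper deliberately ignores multi-label public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains a project actually distributes from.
OFFICIAL_DOMAINS = {
    "openoffice": {"openoffice.org"},
    "firefox": {"mozilla.org", "mozilla.com"},
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, e.g. 'genecards.org'.

    Simplification (assumption): treats every public suffix as one label,
    so 'example.co.uk' would come back as 'co.uk'.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_link(url: str) -> dict:
    """Classify a download link as official, lookalike, or unrelated.

    'lookalike' means a known brand name appears in the hostname but the
    registrable domain is not one the project distributes from, which is
    exactly what the user sees when the brand is stuffed into a subdomain
    or into a label that is not the last two.
    """
    if "://" not in url:                  # tolerate bare hostnames / paths
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # .hostname is already lowercased
    domain = registrable_domain(host)
    # Compare without hyphens so 'open-office' still matches the brand.
    hits = [b for b in OFFICIAL_DOMAINS if b in host.replace("-", "")]
    if not hits:
        return {"host": host, "brand": None, "verdict": "unrelated"}
    brand = hits[0]
    verdict = "official" if domain in OFFICIAL_DOMAINS[brand] else "lookalike"
    return {"host": host, "brand": brand, "verdict": verdict}


if __name__ == "__main__":
    for link in ("http://FireFox2009.genecards.org/",
                 "http://download.openoffice.org/",
                 "openoffice.org.example.net/get"):
        print(classify_download_link(link))
```

A check like this belongs in a proxy or browser heuristic rather than in the user’s head, since the post’s point is that ordinary users do not read the address bar.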
User incompetence, or consumer ignorance?
The foremost reason that this is a successful strategy for phishers and their ilk, of course, is user inexperience. Geeks might pay attention to the URL in the address bar of their web browser, but ordinary people don’t. If your grandmother wants to download OpenOffice, she’s probably going to click the first link that catches her eye, whether it’s to openoffice.org or something less authentic.
At the same time, I wonder if a lack of strong branding on the part of open-source software contributes to this vulnerability. Microsoft enjoys a big name and a host of phrases and images that consumers have been taught to associate with legitimate Microsoft software. OpenOffice and (to a lesser extent) Firefox lack these attributes, especially among people unfamiliar with the free-software world.
The fact that a company like Microsoft is better positioned to sue these phishers into submission is probably also a factor in its relative immunity from such attacks. At the same time, this raises the larger issue of whether free-software projects, or at least the most prominent ones, need to publicize themselves better not only to attract new users but to protect potential ones from phishing attacks.
Of course, that’s much easier said than done (most free-software teams have little cash to spend on ad campaigns), but it’s an issue that needs to be considered at some point if Linux and the software that makes it useful really want to take over the desktops of the world.