Saturday, October 10, 2009

Is Comcast Helping Scammers?

Comcast wants to fight scammers, but they're inadvertently going to help them.

Comcast, like all Internet service providers, is directly impacted by so-called botnets, machines that have been hijacked by viruses and other malware to serve as robots in the service of scammers. The botnets are useful to the scammers because it allows them to send spam and launch attacks from many locations instead of a single location, which makes them much harder to catch and shut down.

Comcast's idea is to inflict popup ads on their customers that appear to be compromised. which provide them with information. According the the AP article, the ad says "Comcast has detected that there may be a virus on your computer(s). For information on how to clean your computer(s), please visit the Comcast Anti-Virus Center."

There are a couple of problems with this:

  • To the extent that it works, it trains people that popup ads that claim to be helping you clean your computer are legitimate. The problem is that, with this sole exception, none of them are.
  • It trains people that clicking on a link in an unexpected popup ad is an ok thing to do, when it almost never is.
  • It trains people that something like this can be trusted, when it's very easy to fake it.
I don't like the popup in any event, but, if they're going to do it, I think there are a couple of things they must do:
  • The popup shouldn't look at all like an ad and it certainly shouldn't mimic any OS feature.
  • The popup should contain no (that's zero) links in it. Just to be clear: None. Instead, the ad should say "... please visit in your browser and click on the xyz link ..." Train people not to click on links like that and train people that the only way to know for sure that they're actually on the comcast site is to go to comcast themselves, not to trust a link.
  • The popup should not have any button in it. No close button. Nothing to click on at all. Just "Close this window after you've read it." Don't train people to click buttons in unexpected popups.
And how about thinking if there's a better way to attack the whole problem, like doing something in concert with Microsoft and Apple (OS vendors), or Microsoft, Mozilla, and Google (browser vendors).