Phishing for Free Software
I wanted to view the Wikipedia article on OpenOffice recently, so I googled ‘openoffice’, correctly assuming that the link I was looking for would be near the top of the results. While doing this, I noticed that a Google query for OpenOffice also turns up a couple of paid ‘sponsored links’ on the right side of the screen leading to websites offering dubious downloads of what purports to be OpenOffice, or something close to it. Here’s a screenshot:
Both sites prompt users to enter contact information (including a home address on one) in order to download OpenOffice (or have a CD with OpenOffice supposedly shipped to them for free…right). It’s hard to think of valid reasons for needing that information–the real openoffice.org site doesn’t care who downloads its software.
Moreover, while there’s a possibility that the downloads offered via these Google ads are perfectly innocent, I wouldn’t be surprised to find some malware packed in.
Also of interest is the fact that removing browser and operating-system information from the Google search URL (i.e., cutting out this bit: &rls=com.ubuntu:en-US:unofficial&client=firefox-a) yields more results under ‘sponsored links’–as if some of these ad purchasers were smart enough not to waste their money trying to push bogus OpenOffice downloads on Linux users who most likely already have it.
Curious, I googled other major free-software products to see what came up. In most cases there was nothing noteworthy, probably because all but the most prominent open-source applications lack the kind of user-base that’s likely to fall victim to schemes like this.
Firefox was the one exception. A Google search for it reveals an ad linking to the less-than-legitimate-sounding domain FireFox2009.genecards.org–where, again, users are asked to enter personal information before downloading what purports to be Firefox.
Interestingly, non-free software doesn’t seem to be subject to such attempts to hijack legitimate distribution points. Googling ‘internet explorer’, for example, turns up some ads for software that I’d never touch, but most of them offer merely to ‘fix Internet Explorer’, not to supply the software itself. A query for ‘skype’ returns no ads. ‘word’ yields some results that might be suspicious, but they’re below ads linking to sites owned by Microsoft itself.
User incompetence, or consumer ignorance?
The foremost reason that this is a successful strategy for phishers and their ilk, of course, is user inexperience. Geeks might pay attention to the URL in the address bar of their web browser, but ordinary people don’t. If your grandmother wants to download OpenOffice, she’s probably going to click the first link that catches her eye, whether it’s to openoffice.org or something less authentic.
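The address-bar check described above can be automated. The following is an added example, not part of the original post: it compares a download link's hostname against a project's own domain. The allowlist is an assumption (openoffice.org is the real site named in the post; mozilla.org is assumed as the Firefox project's domain), and every sample link except the first two is constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: openoffice.org is the real site named in
# the post; mozilla.org is assumed here as the Firefox project's own domain.
OFFICIAL_DOMAINS = {
    "openoffice": ("openoffice.org",),
    "firefox": ("mozilla.org",),
}

def host_of(url):
    """Return the lowercase hostname, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    # urlsplit drops any "user@" prefix and port, leaving the real host.
    return (urlsplit(url).hostname or "").rstrip(".")

def classify(product, url):
    """Return 'official', 'lookalike' or 'unrelated' for a download link."""
    host = host_of(url)
    for domain in OFFICIAL_DOMAINS[product]:
        # Exact match or a true subdomain. A bare suffix test would accept
        # "notopenoffice.org"; a substring test would accept nearly anything.
        if host == domain or host.endswith("." + domain):
            return "official"
    # The product name appears in the link, but the host belongs to someone else.
    return "lookalike" if product in url.lower() else "unrelated"

# The first two links appear in the post; the rest are constructed samples.
SAMPLES = [
    ("openoffice", "openoffice.org"),
    ("firefox", "FireFox2009.genecards.org"),
    ("openoffice", "https://www.openoffice.org/download/"),
    ("openoffice", "http://openoffice.org.downloads.example/"),
    ("openoffice", "http://openoffice.org@downloads.example/"),
    ("openoffice", "http://notopenoffice.org/"),
    ("firefox", "https://example.com/"),
]

def report():
    """Classify every sample link."""
    return [(product, url, classify(product, url)) for product, url in SAMPLES]

if __name__ == "__main__":
    for product, url, verdict in report():
        print(f"{verdict:10} {product:11} {url}")
```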
At the same time, I wonder if a lack of strong branding on the part of open-source software contributes to this vulnerability. Microsoft enjoys a big name and a host of phrases and images that consumers have been taught to associate with legitimate Microsoft software. OpenOffice and (to a lesser extent) Firefox lack these attributes, especially among people unfamiliar with the free-software world.
The fact that a company like Microsoft is better positioned to sue these phishers into submission is probably also a factor in its relative immunity from such attacks. At the same time, this raises the larger issue of whether free-software projects, or at least the most prominent ones, need to publicize themselves better not only to attract new users but to protect potential ones from phishing attacks.
Of course, that’s much easier said than done–most free-software teams have little cash to spend on ad campaigns–but it’s an issue that needs to be considered at some point if Linux and the software that makes it useful really want to take over the desktops of the world.
I googled too, and both take you to the same website. The only way I could download these FREE suites was to pay for a membership which gives me support. Can you imagine giving out credit card information to these guys? Bottom line, Google should remove these types of so-called sponsors!
Very scary! To think that there are probably people out there who went through those sites to get OpenOffice, and are now cursing the open source developers for their underhanded tricks. I wonder if a certain Redmond, WA based business may be using this as a method of stacking the deck?
Some underhanded junk to be sure, but it is to be expected. I would think that Google could watch their paid ads a little more closely though.
This is one case where Mozilla’s trademarks do come in handy. Trademark violations can be reported in Bugzilla.
https://bugzilla.mozilla.org/buglist.cgi?component=Trademark+Violations
There are now 3 “Sponsored Links”. Each has a different homepage, but all take you through the same process of paying for support before you can download OpenOffice.
Doesn’t Google have a phishing black list? Report it.
aikiwolfie, mpt, Dan: although I think it does qualify as phishing, I suspect that this kind of stuff is not actually illegal–selling OpenOffice or collecting information from people downloading it doesn’t violate the GPL as far as I understand it.
With enough money and lawyers, you could probably find some legal basis for forcing Google to shut these people down, but unfortunately the free-software community is short on both cash and legal counsel.
I think that the only real response available is to increase public awareness of OpenOffice, etc. so that people would not fall for this stuff.
Yep, I agree you can’t beat free software… you just need to find it
Free Office Download
Open Office… The FREE Office Suite
The Open Office suite that looks similar to the well known Microsoft Office Suite.
Open Office is compatible with Microsoft Office documents (e.g. Word, Excel, Access)
Try It, Use Open Office For FREE!