Symantec scores own goal: its World Cup web site is full of spam comments - Update

Want a handbag? This shop's domain is hosted by spammer-friendly registrar Xin net. In a press release, Symantec announced its new web site for the football World Cup in South Africa, 2010NetThreats, and that announcement turned out to be a bad idea. Under almost every security tip published, there are comments from spammers with links for purses, T-shirts, metal parts, hotels, sport shoes, and other dubious sales offers. Distributed via comment spam, the links appear to all lead to more or less harmless online shops, but it would be easy for spammers to put in links leading to servers infected with malware.

This comment spam is possible because Symantec did not implement all of the usual security mechanisms for the comment functionality on a site. To post a comment on the Symantec site, you do not need to register and it does not require completing a CAPTCHA. In light of the security functions that professional Content Management Systems (CMS) such as WordPress already include, Symantec is being astonishingly lax here when it comes to the security of its Web users. Symantec does not even change posted URLs as proposed by Google; this process involves the CMS adding an attribute (rel="nofollow") to URLs posted in comments. Without the attribute added, search engines index spam links which in turn increases their relevance on the search engines.

The superficiality of the tips published at 2010NetThreats suggests that Symantec is probably targeting less technically savvy web users. Yet, such users are likely to be the least familiar with how the cyber underground works – and are therefore most prone to becoming victims of spammers by innocently clicking on links in comments. In other words, Symantec is undermining the legitimacy of its otherwise praiseworthy web project.

Update: Symantec has now deleted all the comments on blog entries, and disabled the comment function.

(Uli Ries)

(djwm)