Scammers who disguise their malware as genuine open source downloads may finally find it harder to reach the Windows users they prey on.
At the end of April, Google quietly changed its rules for advertisers who link to software. In the process, the search giant may have inadvertently helped curb fraudulent abuse of open source software.
It's about time. Search results for top open source projects have long been littered with tempting, deceptive ads that look like links to the project but actually lead to fraud schemes and malware downloads, usually aimed at Windows users.
The Apache Software Foundation, whose OpenOffice project is one of the most frequently abused trademarks in these scams, publishes a description of some of the ways the scams work. Many projects have called on Google to do something about the fake advertising of their downloads, but those calls have generally fallen on deaf ears.
Abuse of popular trademarks like this is an issue for all software suppliers, but it's especially problematic for open source projects with broad brand recognition, such as Firefox, VLC, and OpenOffice. Anthonia Ghalamkarizadeh of Mozilla's law firm Hogan Lovells told me, "Mozilla is regularly receiving reports through its online abuse reporting system from users. Most users won't be able to tell, or won't notice, that the download is not the original version, but either one with modified default settings (such as a different home page and different inbuilt search engine features) or one that comes bundled with unwanted third party software." Mozilla has substantial resources to fight the problem and actively pursues violators, to the point of successful court action.
The problem faced by the media player VLC is even worse. Using the publicly available source code, scammers build their own binaries that install adware (or outright malware) on Windows systems. They then place advertisements against keywords like "VLC" and "Videolan", as well as the names of various video formats that are hard to play, so that people searching for a way to watch a (perhaps illegitimately obtained) video are deceived into downloading the trojanized rebuild of VLC.
Jean-Baptiste Kempf of Videolan told me, "We continuously fight scams of VLC repackaged with adware/spyware. They are extremely difficult to take down, since the hosts, especially people like Softlayer, do everything they can to avoid it, claiming it's not malware, but something 'that the user wants'."
Most other open source projects lack the resources to seriously challenge their trademark abusers. Apache OpenOffice, for example, regularly receives reports on its mailing lists, not least about suspect advertising placed alongside its own official downloads on SourceForge (the project's leaders declined to comment for this article). Every project of any significance with a Windows version experiences it. The best way to fix this would be to cut off the scammers' air supply by preventing them from advertising nongenuine downloads at all.
Until now, Google has been reluctant to comment on any concrete steps it takes to address this class of fraud. But its rule change, reported to advertisers last week, may finally put a foot on the scammers' air hose. The new rules disallow "promotion of free desktop software, unless the ad includes the name of the specific software being promoted and leads to the authoritative online distribution source for the software. The authoritative source must not have a history or reputation of policy violations." I asked Google whether this change was intended to protect projects like Mozilla and VLC, but it indicated that the new policy is merely intended to protect Google from ad-injection malware that devalues the advertising market.
All the same, preventing advertisers from pointing at unofficial downloads could finally be good news for many open source projects struggling to protect their good name against a sea of cynical scammers. The rules govern only Google's own ads, of course: they do nothing about the adware-laden rebuilds themselves, about the hosts that refuse to take them down, or about deceptive advertising on download sites such as SourceForge. Ghalamkarizadeh told me, "This is a very welcome development." Kempf was a little more guarded, saying, "We really welcome this new policy, but we're waiting for facts."
As this policy evolves, perhaps Google will consider consulting the open source community.