We received a frantic phone call from a client on Wednesday. We had done a site review as a favor a while back and they've been friends of the company for a very long time. The conversation went something like this:

Client: Our web store has been hacked! McAfee Site Advisor says we have malware, spyware, and viruses on our site!

Me: Really? That doesn't seem possible since you've got a Yahoo Store. And you've got the HackerSafe service checking your server every day. It hasn't complained, has it?

Client: No, but our sales have dropped to nothing today. And the warning from McAfee wasn't on our site yesterday.

Have You Been Hacked?

My first thought was "Uh oh, they've been hacked. I hope they have good backups." Then it dawned on me -- McAfee site advisor would be showing their warning on the search engine listing, not on the actual store site. Since we don't have that installed anywhere around here, I had the client email me some screen shots so I could see what was going on

Here's a Google search for Marie Sharp's Hot Sauce, a fairly popular product. The top three results in the product search have a yellow circle with an explanation point to signify a warning for those sites. That's mighty odd that both the client and their competitors results would show a warning. But it gets worse. Clicking on that warning icon shows this bad news:

Who are These People?

Our client explained to me that they had never heard of any of the users that supposedly were reviewing their site. I know they kill themselves over customer service, so the horror stories being told in the McAfee Site Advisor reviews just didn't make sense. I also happen to know that they don't spam, and I was very doubtful that they had been hacked and were distributing malware, spyware, or viruses.

So I clicked on the competitor's link. The same results. Not a different set of bad stories, but the exact results for the competitor as the client. Then the lightbulb went off. McAfee had made a mistake of monumental proportions.

McAfee had rated all of YAHOO.NET as dangerous.

Supreme Incompetence

Yahoo Stores can be hosted on a subdomain of yahoo.net. Their url looks like storename.stores.yahoo.net. I've heard there are over 100K stores using the Yahoo service. It's a lot of stores. And McAfee had taken a few complaints from a couple of specific stores and applied them to every store in the Yahoo store system. A quick google site search on a product category proved my hypothesis:

Yep, 31,000 results for a site search on cameras in the yahoo store system and McAfee marked every single one of them with a warning.

The level of apparent incompetence and recklessness on the part of McAfee is hard to believe. They are wrongly telling their users that these sites are dangerous, when it is completely untrue. The warning shows up right next to the Google result for that store. If you read the fine print you can see that they're talking about yahoo.net, but frankly most potential customers don't read the fine print. It's been 2 days now and our client has seen a dramatic drop off in sales. They're really being hurt by this.

It's the Little Guy That Gets Hurt

The client has contacted Yahoo support, who says they're working on it. The behavior started Tuesday afternoon after the earthquake, so perhaps that's related to it. I can imagine a situation where they rebooted some servers and forgot to apply a patch and now they're giving out wrong information. But frankly, this sure looks like libel by software. They're accusing people in a very public way of being spammers and distributors of malware and adware. And they're wrongly attributing customer complaints to that company.

Interestingly enough, the McAfee Site Advisor software only modified the google search results. Yahoo has a partnership with them to render the results from Yahoo instead of in the browser, and not surprisingly Yahoo isn't telling people that Yahoo.net is a supplier of malware and adware, run by spammers. So it's only killing 80% of the Yahoo Store's business since most of their search traffic comes from Google.

McAfee needs to fix this mistake, and fast. Otherwise they might find themselves with a pretty hefty legal liability from a lot of Yahoo store owners. And Yahoo needs to wake up and push McAfee to do it, because this is impacting the percentage they get from their Yahoo stores.