Is There Anything That Security Companies Won’t Try to Mislead People About?

From dealing in security for years we have become somewhat inured to a lot of the bad behavior going on, but one area where it is still surprising how bad things are is the level of dishonesty, and often outright lies, coming from security companies. Considering that trust is an important part of security, you would expect security companies to be careful about that type of thing, but from what we have seen that isn’t the case. That certainly isn’t helped by the public’s willingness to ignore, and sometimes to defend, companies that engage in that type of behavior.

While in some cases security companies lie about things that would be hard for the public to check for themselves, in other instances the claims are easily checked, so it seems that at this point companies may feel they can mislead and lie with impunity.

We recently came across an example of this from a company named Quttera. Back in March they published a blog post titled “Quttera WordPress Malware Scanner: 400K Installations and Counting” with this graphic at the top of the post:

Having 400,000 installations would make the plugin one of the most popular WordPress plugins, so that would be impressive.

WordPress prominently displays how many active installations plugins in its Plugin Directory have, so it wouldn’t be hard for anyone to check whether that is true.

What anyone doing that would find, though, is that the plugin currently has only 10,000+ active installs:

So what is going on here? Well, the first sentence of Quttera’s post explains it somewhat:

A few days ago, the download counter of the WordPress Malware Scanner plugin passed 400K installations–and with good reason.

They are conflating downloads and installations. Considering that WordPress provides both installation and download stats, it is hard to see an innocent explanation for doing that, and it becomes more problematic when you know what is counted as a download. WordPress counts each time an installed plugin is updated to a new version as a download. That matters here because the number of active installations might not give a complete picture if a lot of people installed the plugin, used it successfully, and then removed it because it wasn’t needed afterwards. If that were the case with this plugin, the chart of downloads would look very different than it does.

As you can see, the chart shows frequent spikes in downloads followed by sharp drop-offs:

Those spikes are when new versions are released. When you are releasing new versions every three or four days, as is the case with this plugin, that can lead to a lot of downloads. Quttera would like you to believe otherwise, as the first paragraph of their post shows:

A few days ago, the download counter of the WordPress Malware Scanner plugin passed 400K installations–and with good reason. This incredible plugin has a number of key advantages that have helped many of our customers build their websites and create the amazing online communities they’ve hoped for.

While this in itself doesn’t matter that much, it does give an indication that this might not be the most reputable company.

In a quick check we found that their plugin is itself insecure due to a failure to take some basic security measures, which doesn’t seem like a good indication of their concern for security. We will be disclosing the details of that through our Plugin Vulnerabilities service once Quttera has had a chance to fix it.

What seems more relevant when it comes to trust is something we noticed when we went to look at the details of the service they offer. The service is prominently marketed as involving malware cleanup:

They also claim to offer a “30 days money back guaranteed”:

Though, like another security company we discussed recently, they hide an important detail of that policy on another page: there is no refund if you have had a cleanup done:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the Cancellation Period), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not utilized malware removal services during the Cancellation Period.

To us that seems like a detail that should be prominently mentioned when promoting the guarantee, since we would assume that many of their customers come for a cleanup, and they should know that the cleanup isn’t backed by any guarantee (especially since we so often see security companies failing to properly clean up hacked websites, in which case a refund would be warranted after a cleanup was done). It seems like they could have disclosed that in the same number of words it took to mention that the details of the policy are on another page.