One of the most common complaints we get is when a webmeister or user thinks we're unjustly accusing a website of being evil, and, without sounding immodest about it, we're usually right. The way LinkScanner works is that it makes its evaluations in real time ... it looks at the code as it comes off the webpage, and decides if things are dangerous or not. That's as opposed to those systems that rely on a central database, which is usually too slow to realize that something is dirty, and then too slow to realize it's been cleaned up.
A typical example is the fake Yahoo counter that looks like this ...
That's the source of a typically hacked page. You see the bit about "Yahoo counter starts" ? Guess what... it's _lying_! It actually decrypts to an iframe link to an exploit site, but you wouldn't believe the number of conversations I've had that go like this...
Ring, ring... me, "Hello, could I speak to your webmeister please?"
Shuffle, shuffle, switching thru ... webmeister, "Hello?"
me, "Hi, I'm sorry to have to tell you this, but I'm a security researcher, and I have to tell you that your website has been hacked."
webmeister, "Sorry... what ... who is this?"
and then we have many chats about who I am, and how I know, and eventually it gets to the point where they say "Show me", so I show them the code on their page, and they say "But it's a Yahoo counter!"
and I say "Did you put it in?", and they say, "Well, no, but one of the other guys must have"
Sometimes they believe me, but mostly they don't.
Here's the bottom line folks. I have yet to see a genuine Yahoo counter. They may exist, but they sure don't look like that, so if you're a webmeister with code like that in your pages, please delete it. Unless you put it there, it's fake.
Btw, to be notified of blog updates, plus little extra bits that don't make it to the blog, please follow me on twitter