Google: Our harsh malware warnings actually do work

Google has run the numbers on warning people off hijacked websites and says the data supports its seemingly “punitive" measure that publicly shames website operators before telling them of a breach.

Malvertising seems to be the most popular way of infecting computers these days, but actually hacking a website to spread malware remains a sizeable threat for end-users.

Google doesn’t want people to stop using search due to the risk of stumbling on malware. Equally it doesn’t want to stress the people who run sites that its users rely on Google to find.

Yet hundreds of thousands of websites built on WordPress, Joomla, and Drupal are co-opted to spread malware each year, often through exploit kits that dragnet for computers to be recruited into a network of controlled machines.


Google can't stop websites from becoming infected but it can cut down on the time it takes to remediate a vulnerability that exposes site visitors to malware by informing operators of a compromise.

The question that Google asks in a new paper is which method of notification is best and the results suggest that registering with Google's Search Console, which allows it to send notifications directly to a website operator, is the quickest way of getting operators to fix flaws.

If a website has been hijacked, Google has three ways of informing its operator. Full page browser warnings for end-users -- called "interstitials" -- in Chrome, Firefox and Safari, triggered by Google's Safe Browsing technology. There is also Search Quality, which alert Google Search users to potentially compromised sites in results. The third is emailing an operator, either using WHOIS contact information or information for those who've registered with Search Console.

As Google highlights, user-centric warnings can come across as "punitive" to a website operator whose site has been shamed before they’ve had a chance to remediate the flaw that allowed it to be compromised in the first instance.


But based on the results of an assessment of 760,935 websites that Google deemed had been hijacked over a year from July 2014, the web would be less secure without the interstitials.


“We observe that direct communication with webmasters increases the likelihood of cleanup by over 50% and reduces infection lengths by at least 62%. Absent this open channel for communication, we find browser interstitials—while intended to alert visitors to potentially harmful content—correlate with faster remediation,” the researchers wrote.

In other words, Google’s system, harsh as it may seem, does produce positive results and is even more effective when website operators register with its Search Console.

Take this 5 minute survey on The State of Cloud Storage & Collaboration 2016 and go in the draw to win a $500 Visa credit card.

Start Survey NOW

Join the CSO newsletter!

Error: Please check your email address.

Tags malvertisingWordpresssearch enginesafaridrupalmalwarechromeFirefoxmalware detectionJoomla!Googlewhoisbrowser

More about GoogleVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts