Google has added a new security feature to its search engine that promises to increase the number of Web page results that are flagged as potentially having been compromised by hackers.
The move is an expansion of a program Google has had in place for years, which appends a "This site may harm your computer" link in search results for sites that Google has determined are hosting malicious software. The new notation – a warning that reads "This site may be compromised" – is designed to include pages that may not be malicious but which indicate that the site might not be completely under the control of the legitimate site owner — such as when spammers inject invisible links or redirects to pharmacy Web sites.
Google also will be singling out sites that have had pages quietly added by phishers. While spam usually is routed through hacked personal computers, phishing Web pages most often are added to hacked, legitimate sites: The Anti-Phishing Working Group, an industry consortium, estimates that between 75 and 80 percent of phishing sites are legitimate sites that have been hacked and seeded with phishing kits designed to mimic established e-commerce and banking sites.
It will be interesting to see if Google can speed up the process of re-vetting sites that were flagged as compromised, once they have been cleaned up by the site owners. In years past, many people who have had their sites flagged by Google for malware infections have complained that the search results warnings persist for weeks after sites have been scrubbed.
Denis Sinegubko, founder and developer at Unmask Parasites, said Google has a lot of room for improvement on this front.
"They know about it, and probably work internally on the improvements but they don't disclose such info," Sinegubko said. "This process is tricky. In some cases it may be very fast. But in others it may take unreasonably long. It uses the same form for reconsideration requests, but [Google says] it should be faster…less than two weeks for normal reconsideration requests."
But Maxim Weinstein, executive director of StopBadware, an independent non-profit anti-malware organization, said if Google delays de-listing a flagged site, it is usually because the site's owner hasn't fully eliminated the problem that caused the alert, or that site owner has skipped a step in Google's reconsideration process.
"If someone doesn't know to request a review, it can be a while before Google's system will on its own rescan the site and remove the warning," Weinstein said.
Google says it will be rolling out the new system slowly. As a result, not all of the sites that deserve to be flagged as compromised are listed that way yet.
"For example, 90 percent of search results for this search should be labeled as 'compromised,' but I don't see any warnings," Sinegubko said.
Web site administrators who find their pages flagged with "this site may harm your computer" warnings can get relatively speedy assistance at Badwarebusters.org, which maintains a fairly active and responsive help forum. Google also has a Webmaster Help Forum that includes amalware and hacked sites section, which already contains a few interesting threads about this new warning system. In one thread, John Mueller, a Webmaster trends analyst with Google Zurich, sheds a bit more light on the alert and cleanup process.
"As mentioned by the others, this is triggered when we determine that your site has likely been compromised by an unauthorized third party. Once it's shown that this is possible, it's hard to predict what else may have been modified. For instance, it might be that in addition to hidden links, someone has changed the phone number or is redirecting orders to the wrong website — everything is possible once third parties are able to modify a website.""Once you've reverted the compromise and – hopefully – taken steps to prevent this from happening again, you can submit a normal reconsideration request through Webmaster Tools. These requests are processed fairly quickly (usually within a day, though it's not possible to give an exact timeframe)."
