Google Detects 9500 Malicious Sites Per Day

An anonymous reader writes "Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users, as well as those searching for content through the company's eponymous search engine. According to Google Security Team member Niels Provos, the program detects about 9,500 new malicious websites and pops up several million warnings every day to Internet users. Once a site has been cleaned up, the warning is lifted. They provide malware warnings for about 300 thousand downloads per day through their download protection service for Chrome."

How accurate is this?

[Quakeulf]

After digging around a little I did not find much useful knowledge about the accuracy and how it works.

Re:How accurate is this?

[The+MAZZTer]

Well for starters it's open source so you can see for yourself.

Re:How accurate is this?

Open Source means people CAN look at the code, not that they WILL.

Re:How accurate is this?

[swillden]

Well for starters it's open source so you can see for yourself.

I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

Re:How accurate is this?

[swillden]

Well for starters it's open source so you can see for yourself.

I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

Re:How accurate is this?

[swillden]

Well for starters it's open source so you can see for yourself.

I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

Er, I guess I should have read the code at the link you provided before correcting myself... since it appears that it does indeed connect to "safe browser servers" at Google.

I think I'll just shut up now, even if further perusal shows this comment to be wrong as well.

Re:How accurate is this?

[Mashiki]

Accuracy can be hit or miss. A lot of people in the translation communty use tools like chiitrans, chiitrans2, Translation Aggregator(TA) and agth. Google reguarlly flags sites with these as malware and specifically mentions these as malware, when they're no such thing. They also regularly flag mentions of RPG maker 2k(JP) as malware. To me it seems more like the engine is looking for anything that injects or hooks, which chiitrans, TA and agth do. Or non-standard character sets which the old RPG maker is. It uses the old non-ISO language flags. Newer versions like RPG Maker VX Ace do everything properly.

Re:How accurate is this?

[Billly+Gates]

After digging around a little I did not find much useful knowledge about the accuracy and how it works.

Well according to one user named AnonymousCoward it has to use MyCleanCP(spelling). He went on saying it was the only one that would work.

Re:How accurate is this?

[Let's+All+Be+Chinese]

The plural of anecdote is not data. Since anecdote is all I have to offer, here goes: I occasionally run into its malware warnings, most, in fact all in recent memory, for some site I know for a fact has no ill intentions, though malicious adverts might always slip through, of course. What irks me most about those warnings isn't even the indiscriminate false positives, but much more the lack of detail as to just what was found to be suspicious. I for me would be much safer knowing exactly what the problem was, than having to go on vague threat warnings, that might easily be outdated to boot.

Re:How accurate is this?

[Johann+Lau]

LOL? Well for starters that's the client side stuff. And this gets derped up to +5 informative? Holy crap haha.... if your comment was tongue in cheek, I salute you. Otherwise, let me just slowly back up and then run like fuck.

Re:How accurate is this?

[LifesABeach]

I'm just curious, but did Google detect any web sites that stroll through any city collecting information off wireless routers?

Re:How accurate is this?

[hairyfeet]

Uhhh...all that is is the client connect code friend, have Google released the code they run on their own servers? last i checked that was a big NO so who the hell knows what is going on there. Frankly with as much data as Google gathers already and the changes in the privacy policy I'd be leery of sending that company, or any other for that matter, every single website i visit so they can "check it" for me. That is what i had an AV that scans before load and a sandboxed browser for anyway.

I do find it quite fascinating how there seems to be this kind of...disconnect for want of a better word, when it comes to Google. If oracle or MSFT or Apple or frankly any other company i can think of said 'yeah just send us every single link you ever click on and we'll check them for you, for your own protection of course" a good 90% of the comments would be geeks screaming and ranting like somebody set their kitty on fire, but Google? never even enters their mind, kinda like how Apple is treated as these anti-corporate hipsters because they have John Lennon posters in the Apple stores.

I just find it quite strange, this disconnect between reality and slogan. i frankly don't trust ANY corporation, not Google or Apple, not MSFT or Oracle, because i know EVERY SINGLE ONE if given the choice between having their profits go up 15% this quarter by throwing me in a cage with an enraged silverback with a club or not getting the paycheck would be "Batter up Bobo!", hell they'd probably find a way to market it, maybe T-shirts or hats or something. It just seems weird to me that so many seem to have this whole "corporate yay!" thing just because somebody in some corp said something or did something they like.

Re:How accurate is this?

[gmanterry]

After digging around a little I did not find much useful knowledge about the accuracy and how it works.

I just put one of my domains online yesterday. It's OK now but the first couple of time I tried to access it I got one of those "This site could be dangerous to your computer" banners. I wonder if Google needs to crawl the site before it blesses it as safe.

Re:How accurate is this?

[Fastolfe]

Please read a little deeper:

https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign

Because it would be both inefficient and privacy-invasive to send every URL that is loaded to a server to do this check, the SafeBrowsing protocol takes the approach of downloading this data to the client. Every few minutes, the client will perform an update request to get new blacklist data from the server. This process is described in more detail under Update Process.

Malicious?

Does Google include *.gov?

I Wonder How Much TFA Cost

[ilikenwf]

Especially since it's obvious Google paid for it and possibly wrote it.

In case you were curious

The summary was dictated, but not read.

What does Google do about 9500 Malicious Sites/Day

Do they at least let the user know?

Malware Bad - Extortion Attempts Okay

Detects malicious websites, but allows mugshots.com to end up at the top of search results. My own site (with a myfullname.com), my twitter page, my linkedin profile, etc., etc., etc. are all now listed after a mugshots.com page for someone else with the exact same name as me. Mugshots.com is nothing but an extortion attempt. And I get to suffer because someone thug has the same name I do.

Re:Malware Bad - Extortion Attempts Okay

[h4rr4r]

Is your name so uncommon that it matters?
Do you look that much like this thug?

Re:Malware Bad - Extortion Attempts Okay

[Baloroth]

"Extortion"? Really? Unless mugshots.com is actually claiming you are that person, it has nothing whatsoever to do with you. People googling your name who are too stupid to realize multiple people can have the same name... well, I probably wouldn't want anything to do with them anyways.

And it can't even be extortion unless they are threatening to release the name unless you pay them money. They aren't, are they? No? Than welcome to the Internet, where 10,000 people have the exact same name as you.

Re:Malware Bad - Extortion Attempts Okay

Mugshots.com extorts the people whose mugshots they put up. In order to get it taken down you have to pay $$$ to a service. Mugshots.com takes it down and then puts the mugshot back up on another site owned by them. OP was right, and because it isn't them they can't do anything about it. Only the correct person with that name can pay off mugshot.com

Re:Malware Bad - Extortion Attempts Okay

First Middle Last name are identical. This isn't a case of me being one of a million John Smiths. There are craploads of people with the same Firstname Lastname. But it looks like there are only two First Middle Lastname in the US. I look nothing like this guy, I'm probably 5-7 years older. But what I look like doesn't matter if prospective employers, who have never seen me, Google my name and find this guy first. Every single result in Google for my full name is me, except this one, and because I'm not the guy in the picture, I can do nothing about mugshots.com having his picture up and 'encouraging' him to pay money to a service to have his record removed. And yes, it is a problem for me, because people are really stupid and this has cost me job interviews.

Re:Malware Bad - Extortion Attempts Okay

Do you really think that mugshots.com, which has no particularly value and provides no real useful information, should top the search results!? Many people are quite Google stupid. I wouldn't want to spend time and money on a website about my professional self only to have some junk site take over the top spot.

Re:Malware Bad - Extortion Attempts Okay

[h4rr4r]

You might want to mention that when applying for jobs then.

Re:Malware Bad - Extortion Attempts Okay

[BattleApple]

Would you really want to work for someone so stupid they don't realize two people can have the same name? You could also tell them ahead of time it's not you in the mugshot. What would you have to lose? It might even help them remember you.

Re:Malware Bad - Extortion Attempts Okay

In this economy I'd gladly work for anyone whose willing to give me money right now (at least short term). Sadly, mugshots.com jumped to the top of search results last month, right after I applied for a massive number of jobs in my field. So there was no way to do anything about it until the next round of applications.

Re:Malware Bad - Extortion Attempts Okay

[digitig]

First name "Anonymous", last name "Coward", but what's your middle name?

Re:Malware Bad - Extortion Attempts Okay

"fucking"

Re:Malware Bad - Extortion Attempts Okay

[Sulphur]

Detects malicious websites, but allows mugshots.com to end up at the top of search results. My own site (with a myfullname.com), my twitter page, my linkedin profile, etc., etc., etc. are all now listed after a mugshots.com page for someone else with the exact same name as me. Mugshots.com is nothing but an extortion attempt. And I get to suffer because someone thug has the same name I do.

Anyone named Anonymous Coward is going to be taunted from grade school onward. Either that or he learns to fight.

Re:Malware Bad - Extortion Attempts Okay

[Johann+Lau]

going to that site, I see

"[name], [job], arrested for alleged embezzlement, report says"

Seriously, what the fuck is this shit? What kind of nazi would defend it?

Just stop hosting it!

[Simpson,Homer_Jay]

Gmail, Google Docs, Blogspot - Google needs to eliminate abuse on their products.

Do a search in Google for - https://docs.google.com/a/njit.edu/spreadsheet/viewform?formkey=dEdpR1lrTjZPenFtY3BkS1l3UF9VWHc6MQ

hmmm, no flags...

or how about https://docs.google.com/spreadsheet/viewform?formkey=dEZfZjkwa0FxYmRRbzFvend5ODhhX2c6MQ

oh, it's in Phishtank as 100% verified (and yes, Google gets reports from Phishtank), but has Google taken it down? NO.

Geniuses would have this down programmatically. Google only does enough to make it look like they care about abuse; they don't.

Re:Just stop hosting it!

Did you see that "Report abuse" link on the bottom of those pages, eejit? Did you click it?

Wasted such a nice UID/nickname pair for yet another throw away troll account. Shame on you.

Re:Just stop hosting it!

[Simpson,Homer_Jay]

Did you see that "Report abuse" link on the bottom of those pages, eejit? Did you click it?

Yes, it has been clicked on many times, and reported to many contacts @Google. Their abuse was de-centralized many moons ago down to the product level, and it's been a mess ever since.

Does it take a genius to remove phish and malware reported to Safe Browser when they are hosted on blogspot and google docs? Nope.

Re:Just stop hosting it!

[cbiltcliffe]

Somehow, I think if someone sees a form purporting to be from either Yahoo or Microsoft, but says right on it "Powered by Google Docs," and they still go ahead and enter their information, then they're stupid enough that they'll give away their information anyway at some point, so it doesn't make much difference if this stays up or not.

Incidentally, I did get a warning on the second one.

Re:Just stop hosting it!

[utkonos]

Google stopped dealing with abuse on their own systems over a year ago. They don't correct any abuse complaints at all anymore. For example, if you take down a phishing site, there is always going to be a drop email somewhere in the php code of the phishing page. The stolen credentials get sent to this email address. If you report this illegal email address to google, they ignore it. These drop email addresses stay up and allow phishers to profit from their phishing campaigns for very very long periods of time. There are a number of times that this problem has been raised with google. They are always answered with, go to this page and report it there. Gmail abuse admins do absolutely nothing about things reported through this form. The only thing that happened is that they adjusted the form so that it just flat out rejects anything that does not have a header. So it is now IMPOSSIBLE to report drop emails to google. Additionally, google has a side channel abuse email "trusted.abuse.reports@google.com". Even if you report this type of abuse to that address, you get a autoresponse saying thanks for the report, but they do nothing to suspend or stop the abuse that it reported. I'm under the impression that Google has given up monitoring any of the channels that they have to receive abuse reports.

Re:Just stop hosting it!

[utkonos]

This is precisely what I'm talking about. One part of Google may care about phishing and malware (the Stop Browsing team). But Gmail doesn't care about drop emails. Google Docs doesn't care about phishing pages they host. Google Apps couldn't care less about malware payloads that you can download from their sites.

Re:Just stop hosting it!

[utkonos]

Abuse reports to Google fall on deaf ears. Google couldn't care less about crime on their own systems, unless it's copyright violations on Youtube when a bird song infringes a record label's intellectual property. Google is one of the worst companies on the internet with regards to responding to abuse on it's systems. Even nasty dens of garbage like OVH and iWeb respond faster.

Re:Just stop hosting it!

Hey, are they hiring for the Bing team?

Re:Just stop hosting it!

[utkonos]

No idea, but if you deal with reporting abuse all day long, you would respect Microsoft and Yahoo. They shut down abuse within moments. Google ignores abuse reports.

Impressive numbers?

[el_flynn]

"Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users"

Is that 600 million users served over the five-year span? Or the total number of users on Chrome, Firefox and Safari that we have now? 600 million is just a little under 9% of the world's population.

Impressive numbers, in any case.

Phishing site hotspots

[el_flynn]

This image from Google's blog post shows that majority of the phishing sites are hosted in the US. Interestingly, most of Africa is relatively "clean", except for Algeria and South Africa.

Re:Phishing site hotspots

[Billly+Gates]

That is deceiftful and doesn't tell the whole picture.

The malware is not developed here. It is just America has lots and lots of old servers running unpatched wordpress, apache, and linux software full of vulnerabilities. Many slashdotters are under the impression most malware is still installed by a user clicking something and the problem is always between the monitor and keyboard and also that Linux is 100% safe and only IIS gets infected etc.

Most bad sites are legit and just get hacked and crackers insert an infected ad, javascript, or flash.

It is just not true as crackers target wordpress and other sites and then use SQL injections and php exploits to host bad ads with flash or javascript exploits. I had one piece of malware install right from slashdot 2 months ago! It was a bad and I emailed ThinkGeek to let them know.

If you used Windows without AV software guess what? You are owned if you visited slashdot in late february or early march.

Re:Phishing site hotspots

[cbiltcliffe]

If you used Windows without AV software guess what? You are owned if you visited slashdot in late february or early march.

That's almost as vague as Google's warnings. Did the malware in this case target IE? Firefox? Chrome? Flash player? Java?
Did it rely on a zero-day exploit? Or something that you just hadn't got around to patching?

I haven't run A/V for somewhere around a decade. I've never been infected. I visit /. on a regular basis, including the time in question. Obviously your blanket warning isn't accurate.

Re:Phishing site hotspots

[fearlezz]

And Antarctica is hosting zero phishing sites...

Re:Phishing site hotspots

[swillden]

I haven't run A/V for somewhere around a decade. I've never been infected.

That you know of.

Re:Phishing site hotspots

[Em+Adespoton]

True, but he likely does run noscript and an ad blocker.

Re:Phishing site hotspots

[Billly+Gates]

It was a faulty ad using a flash exploit. If you didnt run flashblock your system got owned. If you hate av software you can download a free scanner from Kaspersky that doesnt effect your system or use malware bytes from filehippo. You need to run AV software in this day and age. Modern av software like avast doesnt slow your system down

Re:Phishing site hotspots

[cbiltcliffe]

Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

How do you think A/V companies know to add something to their definitions? Does it have to show an infection in an antivirus scan?
Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing, so I'm not infected."

Re:Phishing site hotspots

[cbiltcliffe]

Ok, so it was a flash exploit. That still doesn't say whether it was zero day or not. If it wasn't, then you were unpatched, and I wasn't, and I'd be safe. If it was zero-day, I was doing a lot of experimenting with Chrome at that point, which has sandboxed flash since at least 2010, meaning I'd still be safe. All without flashblock.

And incidentally, _all_ antivirus software slows your system down. Unless it's magic, it takes processing time to scan every file you open, meaning there's less processor time to use for what you want to do. This also adds latency to every single file access, while the file is being scanned.

Saying it doesn't slow your system down shows you either really have no idea how it (or a computer in general) works, or you meant "doesn't slow your system down as much as in the past" but just didn't say what you meant.

Re:Phishing site hotspots

[Billly+Gates]

Well do not take this the wrong way or anything but if you do not run any AV software how do I know that your credible saying it doesn't slow your computer that much if you do not use it?

  True Norton 360 and McCrappy circa 2006 was a total POS but that doesn;t mean they all are. Avast added only 3 second of bootup time to my computer and that is it and well worth it. Sandboxing slows your computer down. Anything besides DOS or pure assembly slow your computer down. I stand by my words when I say a good AV does not slow your system down too much if you anything modern. If you use a 8 year old system at work with XP 512 megs of ram with tons of shitty IE 6 add ons, and mcCrappy Endpoint that is 4 years old and then yes you need to wait 10 minutes to bootup and have your computer near unusable for 4 hours during its scan. That says more about your IT department than AV software

Avast blocked the exploit for me otherwise I would have known the name of the trojan. IE has been sandboxed for years yet malware finds a way through. It is your computer so do what you want.

I have seen at least 4 attempts of malware from ads hit my computer this year. Only one was from a porn site so the idea of not running anything is very dangerous even if you have noscript and flashbock as simple xml and ajax can get in that way. Flash by its very nature is a compiler and code executor and so is JIT javascript implementations done on modern browsers.

Re:Phishing site hotspots

I was referring to the scanner that doesn't slow down your system because it is not the full blown AV software. All it does is scan the drive and that is it.

Re:Phishing site hotspots

[swillden]

Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.

How do you think A/V companies know to add something to their definitions?

There are many ways malware is discovered initially. It depends on the type of malware and the infection vector.

Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing, so I'm not infected."

No one (well, not me anyway) is claiming that A/V software never gives false negatives. But not having A/V software gives a lot more false negatives.

Re:Phishing site hotspots

[cbiltcliffe]

Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.

Which is essentially what I do, thanks to a security project I've been working on for a few years.

Besides, with well-written malware, even A/V software can't tell you're infected without an offline scan.

Re:Phishing site hotspots

[cbiltcliffe]

Boot time isn't the only way your computer can be slowed.

And we still don't know if it was a zero-day exploit or not. For that matter, we don't know if it would have even infected you.
Did you know that Avast's web shield doesn't know if you're vulnerable to the exploit or not? It simply warns you when it sees a malicious file, even if you don't have the vulnerable plugin. Just because it blocked something doesn't mean you would have been infected without A/V.

Re:Phishing site hotspots

[swillden]

True, but the implication in your original post was that it was reasonable for people to run without AV -- but the approach you use, while better than AV, is hardly reasonable for anyone but hardcore Windows experts (to know what should or should not change) who are also willing to do snapshots and offline scans.

Re:Phishing site hotspots

[cbiltcliffe]

I think I quite clearly said _I_ don't run antivirus. There was no implication that it was a good idea for others; at least, I didn't mean it. If you took it that way, then maybe I need to be more careful how I word that statement.

It's over 9000!

[Lord+Lode]

(no text)

Re:It's over 9000!

[cbiltcliffe]

That's almost 10000!

duck

WWW.duckduckgo.com. and clear Google tracking out of Firefox with. about:config. Search for safe

Tool for webmasters?

[Yvan256]

Is there a place where we can put our domain names and our emails, so that Google can contact us when they detect something on our websites?

Re:Tool for webmasters?

https://www.google.com/webmasters/tools/

you zlmost had it

I run a very popular site, dedicated to stopping forum spam and Im forever getting alerts from google to say that I'm infected. Its BS as I just list emails,usernames and IPs associated with spammers. 95% of them are gmail based accounts. The detection is flawed.

Google needs to clean up their own act first.

[Animats]

Here's our current list of major domains being exploited by active phishing scams. Notice who's at the top of the list. Google.

We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google. Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.

Here's the oldest phishing attack hosted by Google, up since 2010: "Free Habbo Coins. Email your username and password to..."

For years, Google didn't realize that Google Spreadsheets could be used to host phishing sites. They finally caught on, and there's now a "report abuse" button on spreadsheets. Most, but not all, of the spreadsheet-hosted phishing sites have been taken down.

If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.

Re:Google needs to clean up their own act first.

[utkonos]

Please mod this UP! Google is unable to deal with abuse on their own systems. They ignore reports of phishing drop emails hosted at Gmail. In fact they ignore most all reports of abuse submitted to them, period.

I wonder though...

[spottedkangaroo]

... what percentage of these sites are false positives? They don't really seem to mention that, but as with any antivirus pile, I'm sure a large number are false. They have a feedback form to request a fix if it comes up, because it obviously does. What's the turn around like? How many days do you have to live with not being able to talk to customers when it does?

That seems way less than expected

Seems low - 1 hosting company say has php with a vuln - 100s or 1000s of customer 'sites' can be turned malicious quickly. My isp had this issue some time back.

Thanks Animats... apk

That's a good source of data for my custom hosts file!

I don't block Google from that list though (see my ps below).

Google used to have a site called "StopBadWare" http://stopbadware.org/ that used to list stuff for blocking (phishing/spam/malware serving/maliciously scripted KNOWN bad sites/servers/hosts-domains), but doesn't list them anymore like they used to (they only provide a searchable database for checking if a site's bad now), listing daily which sites are such.

APK

P.S.=> I left google.com unblocked though, for what I think are fairly obvious reasons (in that I use it a LOT)... apk