How Google helps 600,000 webmasters re-secure their hacked sites every year
Every year, close to 600,000 sites are hacked by people trying to distribute malware, peddle fake goods or phish users. Given the scale of the problem, notifying users to prevent harm and webmasters so they can clean up their sites is critical to combat hacking. This post looks at the effectiveness of the current warning strategies used by Google and other companies, and their long-term impact.
This blog post is a summary of the study on the effectiveness of notification strategies for hacked sites that we ran at Google in partnership with the University of California, Berkeley. Our goal was to understand how we can improve our notifications so we reach more webmasters and help them clean up their sites faster and more efficiently. The full study results are available in a research paper, which was published at WWW’16, and Kurt Thomas wrote a summary in his Google blog post.
We will start by briefly summarizing why sites are hacked and who is getting hacked. Then we will discuss warning strategies for users followed by notification strategies for webmasters and we will conclude with what you can do to help.
Why are websites hacked?
Websites are mainly hacked for the following three reasons:
1. Distributing malware: The hacker is attempting to compromise the normal visitors to the site by exploiting a vulnerability in their browser to force the download of malware such as a botnet client or ransomware. The underground software specialized for this is known as an exploit kit; popular ones include Angler and Nuclear. You can read this Trend Micro report to learn more about exploit kits.
2. Phishing: A second popular use of hacked sites is to host phishing pages that are used to trick people. For example, in the screenshot above you can see that the phishers are attempting to con users into submitting their email address and password to access a Google Drive file. Notice how the phishers try to maximize the number of credentials the phishing page harvests with a drop-down menu that lets users select their email provider. To learn more about how phishing works, read my blog post here.
3. Blackhat SEO: Last but not least, a site can be defaced and its original content replaced with a cheap knock-off. For example, the screenshot above shows how an .edu site was abused to sell fake Nike products.
How many sites are hacked?
For our study, we looked at the 760,935 hacking incidents we detected between July 2014 and June 2015. Those incidents affected 579,932 sites, with some sites being involved in multiple incidents.
From the chart above, we observe that more sites are hacked for malware and phishing purposes than for blackhat SEO reasons. However, we detected more blackhat SEO incidents, which indicates that websites hacked for SEO purposes tend to be hacked multiple times. This is partly because SEO backdoors are hard to clean up: they are added to many legitimate pages. For example, some backdoors will modify the code of all the WordPress plugins installed.
Over the last year, as visible in the graph above, the number of phishing sites that Safe Browsing detected kept increasing, reaching an all-time high in 2016. The trends and more information about how many malicious sites have been detected are available on the Google Safe Browsing transparency report.
Warning browser users
As soon as a page is detected as being compromised, it is added to the Google Safe Browsing API. This API is used by Chrome, Safari, Firefox and many websites such as bit.ly to know when to warn users. For example, the screenshot below shows the warning that Chrome will display when you attempt to visit a page that has been added to Safe Browsing.
The Google Safe Browsing API offers protection against malware, social engineering such as phishing, unwanted software and potentially harmful applications. Besides web pages, the Safe Browsing API also protects against malicious binaries, including software that plasters web pages with ads, which is detected as unwanted software.
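To make the client side of this concrete, here is an added example (not code from the original post, and not Google's Safe Browsing client) of how a browser-style lookup can flag a URL against a locally held blocklist without shipping the full URL anywhere: the client derives host-suffix/path-prefix expressions from the canonicalized URL, hashes each one with SHA-256, and first compares only a short hash prefix against the local list, consulting full hashes only on a prefix hit. The canonicalization rules are simplified, the threat list is constructed for this example, and the "full hash" store stands in for a server round-trip.

```python
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # the local list holds short SHA-256 prefixes, not full URLs


def canonicalize(url: str) -> tuple[str, str]:
    """Simplified canonicalisation (assumption: the real rule set is longer):
    add a scheme if missing, lower-case the host, drop the fragment, default path '/'."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".").lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def host_suffixes(host: str) -> list[str]:
    """The exact host plus trailing-label suffixes with at least two labels, up to five total."""
    labels = host.split(".")
    suffixes = [host]
    for i in range(1, len(labels) - 1):
        suffixes.append(".".join(labels[i:]))
    return suffixes[:5]


def path_prefixes(path: str) -> list[str]:
    """The exact path (with query), the path without query, '/' and every directory prefix, up to six."""
    prefixes = [path]
    bare = path.split("?", 1)[0]
    if bare != path:
        prefixes.append(bare)
    prefixes.append("/")
    dirs = bare.split("/")[1:-1]  # directory components only, never the file name
    for i in range(1, len(dirs) + 1):
        prefixes.append("/" + "/".join(dirs[:i]) + "/")
    deduped: list[str] = []
    for p in prefixes:
        if p not in deduped:
            deduped.append(p)
    return deduped[:6]


def lookup_expressions(url: str) -> list[str]:
    """Every host-suffix + path-prefix combination the client must check for this URL."""
    host, path = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def full_hash(expression: str) -> bytes:
    return hashlib.sha256(expression.encode()).digest()


class LocalThreatList:
    """Client-side list as a browser keeps it: hash prefixes locally, full hashes
    only consulted after a prefix hit (here an in-memory set plays the server)."""

    def __init__(self, bad_expressions: list[str]) -> None:
        # Constructed sample entries for this example, not a real Safe Browsing feed.
        self.full_hashes = {full_hash(e) for e in bad_expressions}
        self.prefixes = {h[:PREFIX_LEN] for h in self.full_hashes}

    def check(self, url: str) -> list[str]:
        """Return the matching expressions; an empty list means the URL is not flagged."""
        hits = []
        for expr in lookup_expressions(url):
            h = full_hash(expr)
            # cheap local prefix test first, then the (simulated) full-hash confirmation
            if h[:PREFIX_LEN] in self.prefixes and h in self.full_hashes:
                hits.append(expr)
        return hits


# Constructed blocklist: one hacked upload directory and one whole phishing host.
THREATS = LocalThreatList(["hacked.example/wp-content/uploads/", "phish.example/"])

if __name__ == "__main__":
    for u in ("http://hacked.example/wp-content/uploads/login.php",
              "https://www.phish.example/drive/",
              "http://clean.example/about"):
        print(u, "->", THREATS.check(u) or "clean")
```

The point of the prefix step is privacy and bandwidth: the client can reject the overwhelming majority of URLs locally and only needs the full hashes for the rare candidate, which is why warnings can be shown without a full-URL lookup on every navigation.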
The chart above, taken from the Google Safe Browsing transparency report, shows that millions of users are protected by Safe Browsing. For example, for the week beginning March 27, 2016, a total of 57,101,380 users saw a warning.
To ensure that users pay attention to these warnings, the Chrome team has invested a lot of effort into optimizing them to reduce the number of people clicking through, so they don’t get harmed. They tried many designs, including the one depicted above.
Warning Google Search users
Safe Browsing is also used in Google Search results to prevent users from accessing compromised websites while searching for information. The screenshot above is from the 8th page of the results for a search. It indicates that the page has been hacked and users are not able to click the link.
The chart above is also from the Safe Browsing transparency report. You can see that every week, tens of millions of search results are marked as hacked. For example, for the week beginning May 15, 2016, altogether 42,028,563 search results had a warning.
Warning webmasters that their site is hacked
Google can notify webmasters of a compromise in two ways. If the webmaster has a Webmaster Tools account, they are contacted via the Search Console, as illustrated above. If the webmaster does not use Google Webmaster Tools, then we try to contact them through the email address listed in WHOIS.
Between July 2014 and June 2015, we sent 139,818 notifications via the Search Console alerts and 336,122 notifications via the email address on WHOIS, as visible in the chart above.
Hacked Notification Effectiveness
Is notifying webmasters effective? Yes it is: when webmasters are notified (blue line on the chart above), they are able to clean up their sites faster than when they are not notified (orange line on the chart).
Not all notifications are equal
We observe that notifications sent through the Search Console are the most effective, both in reaction time and in clean-up percentage. Browser warnings are a distant second and search warnings are the least effective. This indicates that being able to reach the webmaster directly is essential for a notification to be helpful. This is why, in an attempt to reach webmasters faster, Safe Browsing notifications are now integrated with Google Analytics, as visible in the screenshot below.
As mentioned earlier in the post, a key challenge with cleaning websites up is making sure that not only the symptom is removed, e.g., the phishing page, but the root cause is addressed as well. We have found that a good fraction of sites – 22% of those hacked for SEO purposes and 6% of those hacked for malware and phishing purposes – are not completely cleaned up and are hacked again. These numbers show how important it is to develop tools and documentation to help webmasters clean up an infected site. It also suggests that SEO backdoors are harder to remove, as they infect many pages of a site.
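Because an SEO backdoor typically touches many files at once (the post mentions ones that rewrite every installed WordPress plugin), removing the one visible page is not enough; a webmaster needs a way to see every file that changed. The following is an added example, not code from the original post or from Google, of a file-integrity check that compares a site's plugin tree against a known-good manifest and reports added, modified and removed files together with which plugins were touched. The directory layout, plugin names and the simulated modification are all constructed for the demo; in practice the baseline manifest should be built from fresh copies of the same plugin versions, not from the possibly compromised site.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, modified or removed relative to the known-good baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def affected_plugins(changes: dict[str, list[str]]) -> set[str]:
    """Top-level plugin directories with any added or modified file. A backdoor that
    rewrote every plugin shows up here as nearly all of the installed plugin names."""
    return {p.split("/", 1)[0] for p in changes["added"] + changes["modified"]}


def demo_site(root: Path) -> dict[str, list[str]]:
    """Constructed sample: write a clean plugin tree, snapshot it, then simulate a
    compromise that appends the same marker to each plugin's main file and drops one
    new file. The marker is an inert comment, not a real payload."""
    clean_files = {
        "plugin-a/plugin-a.php": "<?php // clean plugin A\n",
        "plugin-b/plugin-b.php": "<?php // clean plugin B\n",
        "plugin-b/readme.txt": "documentation\n",
    }
    for rel, body in clean_files.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    baseline = build_manifest(root)  # in practice: taken from pristine plugin copies

    for rel in ("plugin-a/plugin-a.php", "plugin-b/plugin-b.php"):
        with (root / rel).open("a") as fh:
            fh.write("// CONSTRUCTED-MARKER: simulated multi-file modification\n")
    (root / "plugin-a" / "cache.php").write_text("<?php // constructed dropped file\n")

    return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        changes = demo_site(Path(tmp))
        for kind, paths in changes.items():
            print(f"{kind}: {paths}")
        print("plugins touched:", sorted(affected_plugins(changes)))
```

Running this on a real installation means building the baseline from a trusted source, taking a manifest of the live site, and treating every "modified" or "added" entry as something to inspect, which is how the many-pages pattern of an SEO backdoor becomes visible instead of just the one page that triggered the warning.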
What can I do to help?
As an internet user: If you are a user, please do not ignore the warnings. There is a real risk that you will become compromised, phished or tricked if you ignore the warning and proceed to the site.
As a webmaster: If you are a webmaster, please register with Webmaster Tools so we can contact you easily if your site is hacked. You should also make sure the email address for your domain in WHOIS is correct so people can contact you if needed. As always, also keep your software up to date to prevent hackers from exploiting old vulnerabilities to hack your site.
As a social media user: Share and like this post, so we reach as many webmasters as possible!
Let me know what you think is the best way to notify webmasters and what else the security community should be doing to keep the internet a safe place.