Security Experts:

Connect with us

Hi, what are you looking for?



Google Analyzes Effectiveness of Website Hack Notifications

Google has teamed up with the University of California, Berkeley to conduct a study on the effectiveness of notifications sent out by the company to webmasters whose websites have been compromised.

Google has teamed up with the University of California, Berkeley to conduct a study on the effectiveness of notifications sent out by the company to webmasters whose websites have been compromised.

The company said it detected nearly 800,000 compromised websites over the last year, with 16,500 new sites getting hacked every week. When Google’s Safe Browsing and Search Quality systems detect an unsafe site, users are notified of the potential threat through warnings displayed in the web browser and search results labeled accordingly. In addition to browser and search warnings, webmasters are directly notified via Google Analytics and email (if they register on Search Console). In some cases, Google will also send an alert to the email address found in the compromised site’s WHOIS records.

It’s worth pointing out that websites flagged as malicious by Safe Browsing are re-scanned after 14 days, while Search Quality analyzes sites each time they are visited by Google’s crawler. Webmasters can appeal warnings tied to their website at any time.

The analysis conducted by researchers at Google and the University of California, Berkeley showed that nearly 60 percent of hijacking incidents were resolved by webmasters over the 11-month period of the study. Of these sites, 6.6 percent were cleaned up within a day, 27.9 percent within two weeks, and 41.2 percent within one month.

The websites that were still infected at the end of Google’s study remained in that state for a median of four months, with 10 percent of infections dating back over eight months.

Researchers determined that in cases where hacked websites were only flagged in Google Search, the cleanup rate was just over 43 percent. The cleanup rate increased to nearly 55 percent for cases where search and browser warnings were displayed and alerts had been sent to WHOIS email addresses.

For webmasters who signed up for the Search Console service and received a direct alert, remediation rates increased to 82.4 percent for Safe Browsing and 76.8 percent for Search Quality, which suggests that a direct line of communication is critical for remediation efforts.

The study also shows that webmasters who are notified directly clean their websites 62 percent faster (typically within 3 days), a result that has been attributed to the fact that the emails sent out by Google include remediation tips and information on the pages containing harmful content.

While many webmasters manage to remedy infections, in some cases they fail to properly address the root cause and their websites are hijacked once again. Based on data from Google, 22.3 percent of Search Quality sites and 6 percent of Safe Browsing sites become reinfected within one month. More than 10 percent of Safe Browsing and over 20 percent of Search Quality websites are reinfected within one day.

Google has advised webmasters to sign up for Search Console to ensure that they’re quickly notified if their websites are compromised. As for hosting and other online services providers, the search giant recommends establishing a reliable communications channel.

“If you’re a hosting provider or building a service that needs to notify victims of compromise, understand that the entire process is distressing for users. Establish a reliable communication channel before a security incident occurs, make sure to provide victims with clear recovery steps, and promptly reply to inquiries so the process feels helpful, not punitive,” Kurt Thomas and Yuan Niu of Google Spam & Abuse Research wrote in a joint blog post.

Related: Google Study Compares Top Security Practices of Regular Users, Experts

Related: Google Blocked 780 Million “Bad Ads” in 2015

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.