Google has teamed up with the University of California, Berkeley to conduct a study on the effectiveness of notifications sent out by the company to webmasters whose websites have been compromised.
The company said it detected nearly 800,000 compromised websites over the last year, with 16,500 new sites getting hacked every week. When Google’s Safe Browsing and Search Quality systems detect an unsafe site, users are notified of the potential threat through warnings displayed in the web browser, and search results are labeled accordingly. In addition to browser and search warnings, webmasters are directly notified via Google Analytics and email (if they register on Search Console). In some cases, Google will also send an alert to the email address found in the compromised site’s WHOIS records.
It’s worth pointing out that websites flagged as malicious by Safe Browsing are re-scanned after 14 days, while Search Quality analyzes sites each time they are visited by Google’s crawler. Webmasters can appeal warnings tied to their website at any time.
The analysis conducted by researchers at Google and the University of California, Berkeley showed that nearly 60 percent of hijacking incidents were resolved by webmasters over the 11-month period of the study. Of these sites, 6.6 percent were cleaned up within a day, 27.9 percent within two weeks, and 41.2 percent within one month.
The websites that were still infected at the end of Google’s study remained in that state for a median of four months, with 10 percent of infections dating back over eight months.
Researchers determined that in cases where hacked websites were only flagged in Google Search, the cleanup rate was just over 43 percent. The cleanup rate increased to nearly 55 percent for cases where search and browser warnings were displayed and alerts had been sent to WHOIS email addresses.
For webmasters who signed up for the Search Console service and received a direct alert, remediation rates increased to 82.4 percent for Safe Browsing and 76.8 percent for Search Quality, which suggests that a direct line of communication is critical for remediation efforts.
The study also shows that webmasters who are notified directly clean their websites 62 percent faster (typically within 3 days), a result that has been attributed to the fact that the emails sent out by Google include remediation tips and information on the pages containing harmful content.
While many webmasters manage to remedy infections, in some cases they fail to properly address the root cause and their websites are hijacked once again. Based on data from Google, 22.3 percent of Search Quality sites and 6 percent of Safe Browsing sites become reinfected within one month. More than 10 percent of Safe Browsing and over 20 percent of Search Quality websites are reinfected within one day.
Google has advised webmasters to sign up for Search Console to ensure that they’re quickly notified if their websites are compromised. As for hosting and other online service providers, the search giant recommends establishing a reliable communications channel.
“If you’re a hosting provider or building a service that needs to notify victims of compromise, understand that the entire process is distressing for users. Establish a reliable communication channel before a security incident occurs, make sure to provide victims with clear recovery steps, and promptly reply to inquiries so the process feels helpful, not punitive,” Kurt Thomas and Yuan Niu of Google Spam & Abuse Research wrote in a joint blog post.