For more than five years, StopBadware has been working with the Safe Browsing team at Google to help webmasters clean up hacked sites and make the Web safer. Through their detection systems, browser and search warnings, and notifications, Google’s Safe Browsing initiative helps protect millions of Internet users from potentially harmful websites every day. As a result, Google has quite a bit of data on harmful websites and their behavior. Data like Google's is essential to understanding the malware problem—and understanding the problem is, in turn, a prerequisite to solving it. Yesterday, Google announced that they’ve added a Safe Browsing section to the Google Transparency Report to shed more light on the sources of malware and phishing.
The new Safe Browsing section of the Transparency Report includes data like the weekly number of users who see browser and search warnings, the number of compromised legitimate websites vs. “attack” sites (those created expressly to distribute malware), and webmaster response/reinfection rates. It also includes information on malware distribution by autonomous system (AS), which users can sort by region, type of site detected, and time range.
A few notable points (several of which our partners over at Sucuri have already pointed out):
- The ratio of compromised legitimate sites to intentionally malicious attack sites is pretty staggering. The vast majority of sites Google detects as distributing malware are legitimate sites that have been infected without the permission, and often without the knowledge, of their owners.
- The website reinfection rate has been gradually declining since its 2008 spike. (Google notes that a change in their process caused the initial spike.) Decreasing reinfection rates and increasing preventative website security are among StopBadware’s long-term goals, so it’s encouraging to see this metric trend downward over time.
- Webmasters’ response time (once they’ve been notified a site is compromised) is still much longer than optimal. As both we and much of the security community are well aware, there are several factors that likely contribute to the lag in cleanup time. Many webmasters either don’t see or don’t know how to interpret malware notifications, for instance, and many more lack the relevant technical expertise to find and remove malicious code and eliminate infection vectors.
Resources like StopBadware’s community forum, our webmaster resources, and Google’s Help for hacked site owners informational series can help address these needs. At the same time, it’s clear that there’s more to be done.
StopBadware regularly hears that one of the security industry’s most persistent problems is establishing and sharing metrics that accurately express the state of malware on the Web. It’s why we’ve long published data like our Top 50 IP and AS lists, and why we’re piloting a data-sharing program among our partner companies. Google’s Safe Browsing data offers another key glimpse of the ways malware distribution is evolving and the ways the industry can shift to fight it more effectively. Props to the team at Google for their work on the new report section!