Google Search warns about compromised websites

In addition to the already existing warning "This site may harm your computer", Google has added a new warning "This site may be compromised" to search results. Learn what the difference is.

The explosion of malicious websites has created an unsavory situation for search engines: they may accidentally elevate the ranking of harmful websites in search results.

Google's malware alert

A while ago, Google established a malware detection system that checks websites to see whether they host malware-download applications. If the algorithm finds malware, it adds the note "This site may harm your computer" to the information presented about the website. The slide below (courtesy of Google) is an example:

If you click on the link, Google serves up the following warning:

Google decided not to offer a way to proceed to the website; the warning page only provides suggestions on what the problem may be. To continue to the website, you must copy the URL and paste it into the address bar.

In the Google warning above, you may have noticed mention of It is an organization predicated on stopping what they call badware. The organization also acknowledges websites as being the attack vector of choice for malware distribution:

"Most of the badware that is in circulation today is distributed through websites. For users who want to make informed choices about what they download, knowing which websites are dangerous is as important as knowing which applications to avoid."

In order to get the word out on websites hosting badware, has partnered with Google, Paypal, Mozilla, and Nominum to create the Badware Website Clearinghouse:

"The Badware Website Clearinghouse is a collaborative effort to build a dynamic and comprehensive list of websites that host, link to, or otherwise distribute badware."

The Clearinghouse webpage has a search function where you can enter the URL of a website and see if there are any problems.

Google's compromise alert

Malicious websites do more than download malware. That's why Google added another alert. The new warning triggers when the search engine finds a website that is partly or wholly outside the control of the site's owner. For example, would Perth Street Bikes be peddling Viagra, as listed in the next slide from the KrebsOnSecurity website?

Google mentions that, besides using a website's elevated ranking to sell questionable drugs, the bad guys have other options that:

"Include phishing (tricking users into sharing personal and credit card information) or spamming (violating search engine quality guidelines to rank pages more highly than they should rank)."

If you happen upon a website with this warning and would like more information, click on "This site may be compromised." Doing so will provide more details on the compromise, as well as how to contact the webmaster of the affected site.

There is one important difference between the compromise alert and the malware alert. Unlike the malware alert, if you click on the website link with a compromise warning, the website will load. So be careful not to provide any sensitive information unless you are absolutely sure it is okay.

Check Google's database

If you know the URL of a website and would like to check it against the Google database, type the name of the website at the end of this URL:

I used as an example and got the following results:

Final thoughts

Google is not letting on how they determine if a website is compromised or delivering malware. That non-transparency could be troublesome, but that's okay. A healthy suspicion and being informed prevent bad things from happening.

Update (22 Dec 2010): A spokesperson from Google contacted me and provided the following information on how Google Search determines if a website is compromised or delivering malware:

"We can't describe everything in full detail. That would give bad guys the knowledge they need to bypass our detection systems. That said, we're clear about the overall process. Google's automated scanners regularly crawl the web, and we have a sophisticated machine learning model that helps us detect suspicious websites.

We run these sites in a test browser. If our systems detect malicious content or behavior, we add the "This site may harm your computer" warning label. We then attempt to contact the relevant webmasters and provide information through Google Webmaster Tools about what our systems discovered."