Google malware watchdogs bite mom-and-pop shops
But not MySpace
The Internet is Large
A Google spokeswoman says the company uses an objective set of criteria to label potentially harmful sites, and that the criteria are applied equally to large and small sites.
"Clearly, the Internet is very large and we cannot constantly monitor all sites," she says. "We select a daily subset of the Internet to investigate." She declined to say whether MySpace, PhotoBucket, FaceBook or other large sites known to have served tainted ads have ever been flagged, citing a policy of not discussing individual sites.
She also said company representatives send email to several addresses associated with the site being flagged so webmasters will know of the malware warning as soon as possible. She added that a feature known as Google Webmaster Tools provides a list of specific URLs to help site operators pinpoint the source of the problem. She also acknowledged that Google security watchdogs are still hammering out their policy for malware delivered via banners.
"Malicious content delivered by ad networks is a relatively new threat, and we are looking at different approaches to help site owners with this issue while protecting our users," she says.
That's little comfort for people like Raymond Theakston, operator of Befuddle.co.uk, a site that offers pictures of Britney Spears and other celebrities as they are spotted drinking alcohol, often to excess.
On September 12, Google sent him an email that said some pages of his site "can cause users to be infected with malicious software." The email pointed to three offending URLs, and Theakston says he has scoured their HTML for iframes or other scripts that attackers could have added without his knowledge. When he came up empty-handed, he dumped the ad network he had been using for years and removed a statistics counter that someone told him might be suspect.
He is awaiting a rescan of his site, and if it comes up clean, Google says it will remove the warning. But after 10 days of being branded a parasite, Theakston says the damage has been done.
The site averaged 1,648 unique visitors per day during the first week of September, but a week after the Google warning began, unique visitors dropped to an average of 619.
"Traffic has gone down a lot," says Theakston, who lives in Leeds and by day works as a senior tester for a large telecommunications company. "Fortunately, I don't rely on the site for revenue anymore."
A Free Pass For MySpace?
Google's claims of impartiality notwithstanding, several malware specialists say they have a hard time believing web destinations generating millions of dollars in revenue would tolerate the treatment Google metes out to smaller sites.
"I'm sure they have an exclusion in there for sites like MySpace," says Eric Sites, a researcher at security provider Sunbelt-Software.
He notes that ad-driven malware is especially hard to catch because banners are frequently programmed to unload toxic payloads only in certain timezones during certain hours. Add to that the highly decentralized nature of affiliate advertising - in which one network hands banners off to another network, which in turn distributes them through a third - and even Google, which seems to have eyes everywhere, may be unable to track offenders competently.
"I think the Google process is actually flawed," says Thompson, the Exploit Prevention Labs researcher who, having watched several small sites struggle to undo the stigma that's resulted from Google's warning, says he sympathizes with the operators.
"This poor guy got nailed through no fault of his own, and now he's tainted," Thompson says. "Arguably, this guy was never infected in the first place. He was just unfortunate enough to have a bad banner ad. That can happen to FaceBook, and it can happen to anyone." ®