Google finds 9,500 new threat sites per day

Many users ignore warnings about sites they know, which malware might have made into attackers

There are plenty of malware and cybersecurity threat reports out there, but not many from the one Internet player whose central role and unmatched reach give it the potential for the clearest view of what's really happening on the Internet: Google.

Five years ago Google launched its Safe Browsing initiative, under which it collects lists of suspected phishing and malware sites and provides an API that gives developers an easy way to have their apps check Google blacklists before opening a new site.

The one consistent risk Google can't do anything about directly is the habit of many users of ignoring warnings about malware on sites with which they're familiar. Even when they haven't been redirected to an attack site, Google warnings mean a known site may have been infected by malware that makes it an involuntary participant in a malware distribution network. "We have very few false positives," the post said.

Yesterday, on the fifth anniversary of that project, Google published stats showing some trends in the risks it has spotted and what Google is doing about them:

  • Google warns users of dangerous sites 12 million to 14 million times per day and warns users about 300,000 times per day they may be downloading malware;
  • Google finds about 9,500 new malicious web sites every day;
  • Flagged sites fall into two categories: those infected by malware that forces them to distribute it and "attack sites" built explicitly to distribute malware. The latter are increasing rapidly;
  • Attack sites try to avoid blacklists by changing their web hosts, DNS records and frequent regeneration of domain names;
  • "Drive by downloads" of malware most typically come from legitimate sites that have been compromised with malicious content or redirects to an attack site;
  • As built-in malware detection gets better, malware distributors increasingly rely on social engineering – convincing the user to install fake anti-virus or other software rather than trying to install malware covertly.
  • Social engineered attacks still trail drive-by downloads, but are catching up quickly.
  • The number of phishing sites is increasing fast, but many phishing sites stay online for as little as an hour to avoid detection.
  • Phishing sites disguise themselves as popular sites and may ask to install "browser extensions" (malware) to enable fake content.
  • Google continues to invest "heavily" in Safe Browsing, most notably by adding instant phishing and download protection in Chrome, adding malware scans for Chrome extensions and protection for Android apps in the Google Play store (not always successfully).

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon