A blog post from Google's security team revealed that the company finds some 9,500 new malicious websites every single day.
“These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing,” wrote Google Security Team member Niels Provos in a blog post. And despite the huge number of sites the company flags, Provos said they have had "only a handful of false positives."
The news came, not surprisingly, on the fifth anniversary of the company's Safe Browsing initiative, which aims to protect people from Internet evildoers on Google’s search results and ads, plus the Chrome, Firefox and Safari Web browsers.
A Moving Target
The company said that between 12 and 14 million Google search queries per day return results that include at least one hacked site. (One favorite of phishers: online commerce sites.) In the same amount of time, Google's download protection service for Chrome flashes up warnings for some 300,000 downloads.
“The threat landscape changes rapidly,” Provos wrote. He said web addresses for many phishing sites remain active for less than an hour to avoid detection, and that sites pushing malware are also often quick-change artists, swapping locations by using free Web hosting services.
He added: “Our adversaries are highly motivated by making money from unsuspecting victims, and at great cost to everyone involved.”
About 600 million people now use the Safe Browsing feature through programming interfaces incorporated into Chrome, Firefox and Safari, he said.
The alerts Google sends include a red background with the words: “Warning: Visiting this site may harm your computer!” which flashes up after a user has entered or clicked on a link that leads to a site believed to deliver malware or phishing pages.
Most phishing scams can be traced back to U.S. hosts, Google said. Another top contender: Brazil. For the record, Iran, Spain, Australia and Peru both host the fewest phishing attempts and fall victim to the fewest.
Earlier this month, Google announced it would send warnings to Gmail users if the company believes they are being targeted by state-sponsored cyber-attacks aimed at stealing personal information or blocking e-mail message streams. (The company did not mention any government by name, although Google blamed China for 2009's Operation Aurora attacks.)
"We are constantly on the lookout for malicious activity on our systems, in particular attempts by third parties to log into users’ accounts unauthorized," Eric Grosse, Google's vice president of security engineering, wrote in a blog post. "When we have specific intelligence—either directly from users or from our own monitoring efforts—we show clear warning signs and put in place extra roadblocks to thwart these bad actors."
A study earlier this month found nearly 9 out of 10 small businesses do not believe hacking could happen to them—and are not implementing even the simplest of security measures. (This is despite a Verizon 2012 data breach investigation report that found that the number of incidents involving small firms is rising.)
How can you prevent malware and phishing?
Google offered these tips:
Don’t ignore warnings. Just because you've visited the site before does not mean it's safe if Google tells you otherwise. Even legitimate sites can be modified to contain malware or phishing threats, meaning the site won't be clean until the webmaster scrubs it. Google suggests waiting for the warning to be removed before potentially exposing your computer—and your business—to harm. (A Hartford Small Business Data Protection Survey found that nearly two-thirds of small-business owners think a data breach violates trust and could be potentially disastrous for relationships with customers, patients and employees.)
Help Google flag bad sites. If you use the Chrome browser, you can check the box on the red warning page, which ships data to Google that helps the company find malicious sites faster.
Register your website. Registering with Google Webmaster Tools will help Google quickly inform you if suspicious code is ever found on your website.
Has your business website ever been flagged by Google? How has malware or phishing affected your business?