Why Google’s malware warnings fall short


Over the weekend, I used Google to find some info for an upcoming trip. On the first page of results, I saw a forum site that I had visited before, and the description looked relevant to my search. I clicked on the result, and it took me to a totally different site that tried to install some malware. Apparently the site had been hacked, and the hacker was redirecting the original site’s traffic to their own malicious domain.

This sort of thing is quite common on today’s Internet. Luckily, my computer is up-to-date on patches and security software, so I don’t think I suffered any permanent harm aside from having to restart and run a malware scan. But where was Google in all this? Normally, when they find malicious code on a page, they display a warning that “This site may harm your computer” — but there was no such message during my search. I felt a little bit betrayed.

Logically speaking, I guess the site had been hacked after the last time that Google scanned it. Arguably, they can’t be expected to re-scan every site every day. So I figured I would report the offending site to them. I looked throughout the search results page for a link to report a malware result. Nothing. Just some generic form if you’re dissatisfied with the results, which probably takes days or weeks to get read. Sure, I could locate and fill out a spam report form, but it’s common knowledge that only a small percentage of those are ever acted upon.

If Google is serious about protecting users from malware, they need to do two things. First, perform more frequent scans on those sites that are more vulnerable to hacking. These might include forums or blogs running outdated software that is subject to known vulnerabilities. And second, provide an obvious link on every search results page to let users report malware, fraud, and other dangerous things — and make sure actual humans review these reports on a regular basis.

Until these additional steps are taken, Google will continue to give users a false sense of security. Frankly, if they’re going to display any malware warnings at all, they should invest the extra time and effort to make those warnings as comprehensive and timely as possible.