Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Google Search Results Warn About Hijacked Sites

December 22, 2010 - 3 min read

Last Friday, Google announced a new warning for hijacked sites displayed within search results. The new warnings say "This site may be compromised". Such results represent legitimate sites that have likely been hijacked to host spam which redirect users to another malicious domain.

It is another step forward for Google in their battle to combat blackhat spam SEO, but this is not entirely new. Google was already displaying warnings for some of the hijacked sites, but not all of them. "This site may harm your computer.", was already previously displayed by Google for certain sites. In fact, several hijacked sites still have this warning. This particular warning appears for all pages within a potentially compromised domain, including hijacked sites, legitimate pages and spam. I don't know if Google plans to change these warnings to their new, and more accurate, warning.

Hijacked site with old warning

Google seems to be very hesitant to block entire sites, and I can understand why. However, I hope they will be willing to add more warnings to their search results. This should result in webmasters being aware their website has been hijacked and Google users in turn should will become more aware of the Blackhat spam SEO issue.

Google has not however implemented this new warning correctly. I did a search for one the hijacked site, bizfarm.net. The warning is shown for http://bizfarm.net/ only and not for other compromised pages on the domain.



Warning about hijacked site

The home page does not actually redirect to a malicious page. But the spam pages, which are redirecting users to a fake AV page, do not have any warning in the Google search results. I tried other domains and saw the same type of issues.




No warning from Google about the actual malicious pages

Overall, very few domains have this new warning. Many hijacked domains continue to display no warning whatsoever. I have also checked  search results for the recent popular search "mary lou henner". On December 19th, there were 10 malicious spam pages redirecting to a fake AV page, but only 3 of the results included warnings. These 3 warnings were the old "This site may harm your computer". No warnings were displayed, stating that the results may represent hijacked pages.

Finally, my biggest disappointment is that this new warning does not help users as much as it could, even if Google fixes the problems described above. When a user clicks on a link that Google showed as "may harm your computer", he is redirected to a warning page. Then the user has to enter the URL manually in the browser address bar to actually go the dangerous page. This means that the Referer header does not show "google.com", so in most cases the user will not be redirected to the malicious domain. However, when Google shows the new warning, the search result link points directly to the malicious spam page. The Referer shows that the user is coning from a Google search, and the spam page will redirect the user to a malicious domain.

This new warning has the potential to be a significant step forward in the fight against Blackhat spam SEO. More webmasters and more users will be aware of the issues over time, but first, Google has to display the warnings in the right place, below the actual malicious links, and extend their list of hijacked sites. Hopefully they will consider changing the malicious links as well, so that users have to do more than clicking on a single link to put themselves at risk.


Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.