Google warns 760,000 websites: 'You've been hijacked' - but many are infected again in days
Sites that are compromised and redirect visitors to another malicious site are the most difficult to fix.
Google is urging website operators to sign up for its security notifications after a study of 760,935 hijacked websites revealed the difficulties in cleaning up infections that expose visitors to malware.
Google details its findings in a study it conducted with the University of California, Berkeley, which looked at the hijacked websites it found in an 11-month period to June 2014.
The sites were identified through Google Safe Browsing, which notifies browser users of a potentially harmful site, and Search Quality, which flags risky sites in search results.
The study looked at the most effective way to communicate the issue to website operators, and whether operators had the technical knowhow to resolve it.
The researchers found that website operators who'd registered their site with Search Console, and would thus receive an email directly from Google, performed best, with 75 percent recovering a compromised webpage after notification.
Browser and search warnings alone led respectively to 54 percent and 43 percent of sites being cleaned up.
The researchers also found that 80 percent of site operators had removed attack code from their sites after the first appeal from Google to have the site unflagged as potentially malicious.
However, the remainder often required multiple appeals and took on average a week to clean their site properly. Additionally, 12 percent of sites were hijacked again within 30 days, suggesting some were failing to address the root cause of the breach.
Kurt Thomas and Yuan Niu of Google's Spam & Abuse Research said the company conducted the research to find out how best to balance the safety of Google search users with the experience of site operators.
"While browser and search warnings help protect visitors from harm, these warnings can at times feel punitive to webmasters who learn only after-the-fact that their site was compromised," the pair noted in a blog post.
As the researchers note in the paper, webmasters often find the experience of having their site hijacked to be traumatic, which is exacerbated by in-browser warnings that block access to a site and have the potential to drive visitors away.
However, the researchers counter that the warnings serve as a "side-channels" to spur remediation.
"Some webmasters requested that any site-level hijacking flag not take effect until one week after notification. However, such an approach both requires a direct notification channel, thus ruling out interstitials or search warnings, and also puts visitors at risk in the interim," the researchers note.
Nearly 50 percent of hijacked sites in the study were running on WordPress, followed by Joomla, Drupal, Typo3, and Vbulletin.
Previous studies have found that sites running on WordPress, Joomla, and Drupal faced a higher risk of compromise because hackers focused on platforms with the largest marketshare.
The study also found that sites that are compromised and redirect visitors to another malicious site were the most difficult to fix, with only 12 percent of sites recovering within 60 days.