This page describes the events that are responsible for notable trends in the data
provided by the Transparency Report for Safe Browsing. These events are caused by
improvements to Safe Browsing's detection algorithms, as well as attack campaigns that
are launched by malicious actors.
Users who see malware warnings per week
September 17, 2011
Safe Browsing's Client Side Phishing detection algorithm launches in Google Chrome,
which doubles the number of phishing warnings that users receive each week.
July 24, 2012
A large campaign infects more than 106,000 unique sites in July, directing people to
sites launching the Blackhole. More than 90 million users receive malware warnings as a
result.
April 7, 2013
Cybercriminals using Red Kit infect enough sites to increase the number of users who
receive malware warnings by 32
June 2, 2013
A campaign targeting vulnerabilities in Java and Acrobat Reader infects more than 7,500
sites. As a result, more than 28.6 million Safe Browsing API users receive malware
warnings during this week. (Update: an earlier version of this report erroneously
indicated that 75 million users received malware warnings).
Malware warnings on Google Search
September 8, 2012
The same Blackhole campaign that caused more than 90 million browser users to receive
malware warnings also generated more than 330 million warnings in Google Search.
April 28, 2013
An error prevents malware warning labels from appearing on Google Web Search results
(Image Search is unaffected) and decreases the number of labels displayed directly on
the results page. However, users continue to see a warning page if they click on a link
to an unsafe site, and the number of warning page views during this time increases by
Unsafe websites detected per week
April 26, 2009
Safe Browsing identifies malware campaigns that infected more than 62,000 sites,
redirecting users to the attack site gumblar.cn/.
May 17, 2009
The previous campaign that originally launched attacks from gumblar.cn/ starts
directing users to martuz.cn/, which infects more than 42,000 sites. In total, Safe
Browsing identifies more than 100,000 infected hosts during this week.
July 8, 2012
More than 90,000 sites compromised with malware are identified. A large majority of
these sites redirected users to the Blackhole. Users receive more than 90 million
browser warnings and 330 million search warnings per week as a result.
September 23, 2012
One of the third-party phishing feeds that provides Safe Browsing with data is
temporarily removed because of concerns with too many false positives. Phishing
protection in Safe Browsing obtains some of its data from third-party feeds. However,
these feeds must meet stringent standards to ensure very low false positive rates.
Sites hosting malware detected per week
November 11, 2012
Attack sites had been using a technique called “domain rotation” to quickly move their
malware distribution networks. Safe Browsing’s algorithms automatically identify these
domains and detect more than 6,000 attack sites per week.
Webmaster response time
February 17, 2008
Safe Browsing starts to automatically rescan sites to determine if they should still
remain on the list of compromised sites, which reduces the median duration of time
spent on the list from 90 days to approximately 15-20 days.
January 8, 2012
The median duration of time spent on Safe Browsing’s list of compromised sites begins
rising from 20 days to 30 days. While the precise cause is unclear, an increasing
advanced exploit kits is believed to be making it harder for webmasters to identify
and remove malware.
March 13, 2013
Safe Browsing scanners identified malware on subdomains of a significant number of
hosting providers. We flagged the hosting providers for malware instead of the infected
subdomains by mistake because it is difficult to determine which domains were
maintained by each hosting provider. We rectified the error within a day and removed
the erroneously classified sites from the malware list. Our resolution of this error
reduced the median amount of time sites spent on the malware list.
Number of sites on the Safe Browsing lists
January 6, 2008
Safe Browsing enables “domain compression” on the phishing list to consolidate a number
of distinct hosts on a unique domain to that single domain, which reduces the size of
the phishing list from 206,000 sites to 13,000 sites.
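An added illustration (not Google's code) of consolidating hosts to their shared domain, and of keeping host granularity for domains whose subdomains belong to unrelated customers, the host-versus-provider distinction that also appears in the March 13, 2013 entry above. The suffix set, shared-hosting set, `min_hosts` threshold, and all host names are constructed assumptions.

```python
from collections import defaultdict

# Assumption: tiny stand-in for the Public Suffix List (real code loads the full list).
PUBLIC_SUFFIXES = frozenset({"test", "co.test"})
# Assumption: domains whose subdomains belong to unrelated customers.
SHARED_HOSTING = frozenset({"freehost.test"})


def registrable_domain(host):
    """Return the public suffix plus one label, or None if no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def compress(hosts, shared_hosting=SHARED_HOSTING, min_hosts=2):
    """Collapse hosts that share a registrable domain into one domain entry."""
    groups = defaultdict(set)
    for host in hosts:
        groups[registrable_domain(host)].add(host.lower().rstrip("."))
    entries = set()
    for domain, members in groups.items():
        if domain is None or domain in shared_hosting or len(members) < min_hosts:
            entries |= members   # keep host granularity
        else:
            entries.add(domain)  # one entry covers every host on the domain
    return sorted(entries)


# Constructed sample list, not real Safe Browsing data.
SAMPLE = [
    "login.bad-bank.test", "secure.bad-bank.test", "www.bad-bank.test",
    "alice.freehost.test", "bob.freehost.test",
    "pay.shop.co.test",
]

if __name__ == "__main__":
    print(len(SAMPLE), "hosts ->", compress(SAMPLE))
    # Without the shared-hosting exemption the whole provider becomes one entry.
    print("no exemption ->", compress(SAMPLE, shared_hosting=frozenset()))
```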
May 11, 2008
Safe Browsing starts automatically rescanning malware sites that were previously
determined to be unsafe to see if they are still compromised. Initially, 115,000 sites
are identified as no longer unsafe, which reduces the malware list from more than
225,000 sites to 110,000 sites.
August 16, 2009
The Gumblar and Martuz malware campaigns infect more than 330,000 sites, which are
added to Safe Browsing's list of compromised sites.
January 29, 2012
Safe Browsing begins automatically removing attack sites that had been identified as
inactive from the list of malware sites, initially getting rid of more than 130,000
August 5, 2012
A campaign leveraging the Blackhole compromises over 100,000 sites. Safe Browsing's
list of compromised sites rises to 350,000.
Web site reinfection rate
May 11, 2012
The reinfection rate for sites that have been compromised rises dramatically due to the
periodic rescanning of infected sites. Previously, these sites were not removed from
Safe Browsing’s list and therefore could not be reinstated.
November 15, 2009
The general increase in reinfection rate begins to decline as a result of Google's
effort to launch the Malware feature in Google Webmaster Tools, which describes the
precise infection that Safe Browsing scanners identify. On March 12, 2013 we launch
Webmasters help for hacked sites