Notable events

This page describes the events that are responsible for notable trends in the data provided by the Transparency Report for Safe Browsing. These events are caused by improvements to Safe Browsing's detection algorithms, as well as attack campaigns that are launched by malicious actors.

Users who see malware warnings per week

September 17, 2011
Safe Browsing's Client Side Phishing detection algorithm launches in Google Chrome, which doubles the number of phishing warnings that users receive each week.
July 24, 2012
A large campaign infects more than 106,000 unique sites in July, directing people to sites launching the Blackhole Exploit Kit. More than 90 million users receive malware warnings as a result.
April 7, 2013
Cybercriminals using Red Kit infect enough sites to increase the number of users who receive malware warnings by 32 million.
June 2, 2013
A campaign targeting vulnerabilities in Java and Acrobat Reader infects more than 7,500 sites. As a result, more than 28.6 million Safe Browsing API users receive malware warnings during this week. (Update: an earlier version of this report erroneously indicated that 75 million users received malware warnings).
September 8, 2012
The same Blackhole campaign that caused more than 90 million browser users to receive malware warnings also generated more than 330 million warnings in Google Search.
April 28, 2013
An error prevents malware warning labels from appearing on Google Web Search results (Image Search is unaffected) and decreases the number of labels displayed directly on the results page. However, users continue to see a warning page if they click on a link to an unsafe site, and the number of warning page views during this time increases by 31%.

Unsafe websites detected per week

April 26, 2009
Safe Browsing identifies malware campaigns that infected more than 62,000 sites, redirecting users to the attack site
May 17, 2009
The previous campaign that originally launched attacks from starts directing users to, which infects more than 42,000 sites. In total, Safe Browsing identifies more than 100,000 infected hosts during this week.
July 8, 2012
More than 90,000 sites compromised with malware are identified. A large majority of these sites redirected users to the Blackhole exploit kit. Users receive more than 90 million browser warnings and 330 million search warnings per week as a result.
September 23, 2012
One of the third-party phishing feeds that provides Safe Browsing with data is temporarily removed because of concerns with too many false positives. Phishing protection in Safe Browsing obtains some of its data from third-party feeds. However, these feeds must meet stringent standards to ensure very low false positive rates.

Sites hosting malware detected per week

November 11, 2012
Attack sites had been using a technique called “domain rotation” to quickly move their malware distribution networks. Safe Browsing’s algorithms automatically identify these domains and detect more than 6,000 attack sites per week.

Webmaster response time

February 17, 2008
Safe Browsing starts to automatically rescan sites to determine if they should still remain on the list of compromised sites, which reduces the median duration of time spent on the list from 90 days to approximately 15-20 days.
January 8, 2012
The median duration of time spent on Safe Browsing’s list of compromised sites begins rising from 20 days to 30 days. While the precise cause is unclear, an increasing number of advanced exploit kits is believed to be making it harder for webmasters to identify and remove malware.
March 13, 2013
Safe Browsing scanners identified malware on subdomains of a significant number of hosting providers. We flagged the hosting providers for malware instead of the infected subdomains by mistake because it is difficult to determine which domains were maintained by each hosting provider. We rectified the error within a day and removed the erroneously classified sites from the malware list. Our resolution of this error reduced the median amount of time sites spent on the malware list.

Number of sites on the Safe Browsing lists

January 6, 2008
Safe Browsing enables “domain compression” on the phishing list to consolidate a number of distinct hosts on a unique domain to that single domain, which reduces the size of the phishing list from 206,000 sites to 13,000 sites.
May 11, 2008
Safe Browsing starts automatically rescanning malware sites that were previously determined to be unsafe to see if they are still compromised. Initially, 115,000 sites are identified as no longer unsafe, which reduces the malware list from more than 225,000 sites to 110,000 sites.
August 16, 2009
The Gumblar and Martuz malware campaigns infect more than 330,000 sites, which are added to Safe Browsing's list of compromised sites.
January 29, 2012
Safe Browsing begins automatically removing attack sites that had been identified as inactive from the list of malware sites, initially getting rid of more than 130,000 stale domains.
August 5, 2012
A campaign leveraging the Blackhole exploit kit compromises over 100,000 sites. Safe Browsing's list of compromised sites rises to 350,000.

Web site reinfection rate

May 11, 2012
The reinfection rate for sites that have been compromised rises dramatically due to the periodic rescanning of infected sites. Previously, these sites were not removed from Safe Browsing’s list and therefore could not be reinstated.
November 15, 2009
The general increase in reinfection rate begins to decline as a result of Google's effort to launch the Malware Details feature in Google Webmaster Tools, which describes the precise infection that Safe Browsing scanners identify. On March 12, 2013 we launch Webmasters help for hacked sites.