Enter a URL
For malware sites, we scan sections of our web index to identify potentially compromised websites. Then we test those sites by using a virtual machine to see if the machine gets infected. We use statistical models to identify phishing sites.
In this data, a “website” refers to the hostname or fully qualified domain name of a URL (e.g., somehost.example.com). When we scan a site and identify malicious hosts, we count each distinct host.
Our Safe Browsing technology scans our web index on a daily basis to identify unsafe websites.
We work very hard to maintain accurate information and have had very few false positives.
No. Safe Browsing is designed with users’ privacy and security in mind, so we don't require users to share the sites they're visiting with us. As a result, we tend to underestimate the number of warnings we show every month. Chrome users who have volunteered to share information specifically about phishing and malware sites allow us to estimate the total number of warnings. Any time Safe Browsing sends data back to Google, the information is only used to flag malicious activity and is never used anywhere else at Google.
Our scanners can differentiate between the sites that exploit the browser and those that are compromised so that they lead to exploited sites. Sites that exploit the browser are attack sites.
Unsafe sites are added to our list of infected sites within minutes of detection, and on average it takes half an hour for them to appear externally.
Webmasters who have cleaned their sites can request a malware review in Google Webmaster Tools or StopBadware.org. The site will be rescanned and is typically removed from the list within 24 hours if the scan is clean. We periodically check sites on our list to see if they are still infected.
To determine if a site becomes reinfected, we need to observe it for a certain period of time after it has been removed from our list. We compute the reinfection rate for a given week by dividing all sites that were removed and reinfected within three months of that week by the number of sites that were removed from the list during that week.
Every time we add an unsafe site to the list, we make a reasonable effort attempt to inform the webmaster by sending a notification to a standard set of email addresses (e.g., webmaster@[sitename].com; info@[sitename].com; admin@[sitename].com).
We offer advice for webmasters whose sites have been hacked here. It’s best to register your site at Google Webmaster Tools in advance of any problems so that we can notify you promptly and provide more information about the problems we find.
If you don’t want to use Google Webmaster Tools, you can file appeals with StopBadware.org once you have removed the infection from your site. StopBadware.org also offers great resources for webmasters who want to learn more about what they can do to make their sites safer.
Malware can hide in many places, and it can be hard even for experts to figure out if their website is infected. Our accuracy rate is very good, but you can submit your site for a malware review by following the instructions here.
Sites are often infected without the knowledge of the webmaster. By showing that malware has been detected, we hope to encourage an AS to reach out to webmasters within the network and work with them to correct the problem. Once web servers are cleaned up, the malware statistics published in the Transparency Report will improve.
We encourage operators to sign up for Safe Browsing Alerts for Network Administrators here. Registering your AS means you will receive notifications if we detect that malware is being hosted on your network.
We rank the AS by dividing the number of compromised and/or attack hosts that we find by the total number of hosts our scanners observe in the AS.
No. Our scanners are specifically designed to look for the malicious parts of networks, so we may not see many of the good parts. The scanners do not see all the websites or hosts on a network, and the metrics we present here are solely based on what our scanners observe.
Not necessarily. It's possible that the AS itself may have some security weaknesses, but by definition larger networks host many different kinds of users and are generally more likely to host users that have malicious intent or poor security practices.
We geolocate IP addresses of the hosts that we encounter to determine which country a host belongs to. The IP addresses belonging to a particular AS may geolocate to more than one country. Therefore, an AS may appear in the data for more than one country.