Google’s new ‘repeat offender’ policy makes ad-network malware a big risk
Wed 9 Nov 2016
It’s worth being aware that Google has just updated its Safe Browsing service to include a ‘Repeat Offender’ category for sites that apparently become security risks on a regular basis. If your site can be compromised indirectly, through malicious content served by an ad network you have integrated, the implications aren’t minor.
If you have ever had your own site directly hacked, or indirectly compromised by malware served up by network advertising, you may have experienced the gulp-inducing moment when you check search results for your own work and find that Google has appended ‘This site may harm your computer’ to your listing. Additionally, users who click the tagged link will have to pass through at least one interstitial warning page, in red, stating that Google considers the site dangerous.
If you’re running a high-traffic or high-profile site, this judgement means money, revenue, and trust being lost every day that Google retains the warning in its results.
Worse yet, there is rarely a quick fix. The problem usually falls into one of two categories: a direct compromise of your own site, for example SQL injection through insecure forms or some other weakness in your CMS; or low-integrity or outright malicious content served through an integrated advertising network such as DoubleClick or AdTech.
The latter was the case that I encountered at a major publishing company nearly ten years ago. Effectively, by ‘trusting’ the network ad integration, and by surrendering ourselves to auction-driven ad content, we had created our own point of exploitation. An attacker who abuses a well-established ad network will, of course, be banned from that network quickly. But a tiny window of opportunity on a high-traffic site is enough to deliver more than enough malware to make the campaign worthwhile for the malfeasant.
If your site is reliant on search traffic, that’s incredibly poisonous to your business. Worse yet, the interstitial is not confined to search results: Safe Browsing is built into Chrome, Firefox and Safari, so users arriving from a bookmark, a typed URL or a link elsewhere see the same warning page.
We weren’t able to fix the problem quickly; but even if you can, and you report to Google (via its Search Console feature) that your site is fixed, those red warnings don’t disappear immediately. We had to endure them for nearly two weeks. With higher-volume, more directly-monetised sites, the losses might have been critical.
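Rather than discovering the flag by searching for your own site, you can poll Google’s Safe Browsing Lookup API (v4) for your own URLs from a scheduled job. The following is an added example, not code from the original post: it builds the `threatMatches:find` request, parses the response, and includes a live `lookup()` helper that needs network access and an API key in the `SAFE_BROWSING_API_KEY` environment variable (that variable name is an assumption). The `SAMPLE_RESPONSE` is constructed to match the documented response shape, not captured from Google.

```python
"""Monitor your own URLs against the Google Safe Browsing Lookup API (v4).

Added example, not part of the original post. Assumes an API key in the
SAFE_BROWSING_API_KEY environment variable (assumed name); the sample
response below is constructed for offline use, not captured from Google.
"""
import json
import os
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def build_request(urls, client_id="site-monitor", client_version="1.0"):
    """Request body for threatMatches:find, one threatEntry per URL."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response):
    """Return {url: [threat types]} for flagged URLs.

    A clean result is an empty JSON object ({}), i.e. no "matches" key,
    so this returns {} in that case.
    """
    flagged = {}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url:
            flagged.setdefault(url, []).append(match.get("threatType"))
    return flagged


def lookup(urls, api_key=None, timeout=10):
    """Live query: POST the request and return the parsed flagged dict."""
    key = api_key or os.environ.get("SAFE_BROWSING_API_KEY")
    if not key:
        raise RuntimeError("set SAFE_BROWSING_API_KEY or pass api_key")
    body = json.dumps(build_request(urls)).encode("utf-8")
    req = urllib.request.Request(
        f"{LOOKUP_URL}?key={key}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_matches(json.load(resp))


# Constructed sample response: shape follows the v4 API, the URL and
# values are invented for this example.
SAMPLE_RESPONSE = {
    "matches": [
        {
            "threatType": "MALWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "http://www.example.com/ads/landing"},
            "cacheDuration": "300s",
        }
    ]
}

if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print(parse_matches(SAMPLE_RESPONSE))  # flagged landing page
    print(parse_matches({}))               # clean: {}
    # Live use (needs network and a key):
    # print(lookup(["https://www.example.com/", "https://www.example.com/news/"]))
```

Query your homepage and the main landing pages rather than just the bare domain, since a match may be recorded against a specific path; honour `cacheDuration` before re-querying the same URL. Two caveats: the Lookup API sends the URLs you check to Google in the clear (fine for your own public pages), and a match tells you only the threat type, not which ad or creative caused it, so it is an alarm, not a diagnosis.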
As of this week, continued susceptibility to compromise will result in Google marking a domain as a ‘repeat offender’; it will not even be possible to request that Google reconsider the (presumably repaired) domain for a full thirty days. Add to that whatever time it takes Google to reappraise your domain and propagate the flag removal, and you’re looking at a full-fledged SEO disaster.
This is less of a concern for larger sites which arrange specific advertising campaigns with specific clients, even if the campaigns are not exclusively intended for one domain. If a client were to end up serving malware through their own custom campaign, you at least know who did it and have a contract to fall back on. But the Safe Browsing flag still lands on your domain, whoever turns out to be liable.
But it will affect auction-led, topic-driven advertising slots, where anyone can win a place in your domain, and even potentially target your domain as an outlet via keyword crafting. If a week is a long time in politics, 30 days is an eternity in SEO exile.
Google is not specific about the ‘short window of time’ required for a domain to qualify as a ‘repeat offender’, merely saying:
‘Sites that repeatedly switch between compliant and noncompliant behavior within a short window of time will be classified as Repeat Offenders.’
Since the catchment period is unknown, it would be unwise to let a domain be compromised twice even within a span as long as a year. The same announcement also states that hacked sites will not be classified as Repeat Offenders, and that the policy is aimed at sites that purposefully post harmful content; it does not say how a site that is repeatedly flagged for third-party ad content will be assessed, so the safe assumption remains that any flag costs you the normal review delay, and a second one within an unknown window may cost you thirty days.