Over the last decade, Google has made increasing efforts to avoid sending users to sites that present security problems. It’s common for site owners to find out about a security problem in an email from Google – or even worse, emails from users asking why their browsers are displaying a prominent warning that the site isn’t safe.
When sites fall foul of Google’s various security policies – Malware, Unwanted Software, Phishing, and Social Engineering – the company will warn users of the danger. Site owners can, once they’ve removed the problem, request a reassessment and have the warnings removed.
But for a certain class of sites, that behavior is not enough to protect users. Many less-than-honest sites make most of their money from sources that practically require exposing users to insecure content. Typically, when hit with a warning, they’ll temporarily clean things up, submit a request for reassessment, and once given the all clear, revert the changes. It’s a dance that Google is apparently tired of being invited to.
The search giant recently announced a new category of malefactors: repeat offenders. Repeat offenders are those sites that repeatedly put users at risk, remove the risk when a warning is applied, and then backtrack immediately. Rather than immediately removing the warning for sites identified as repeat offenders, Google will disallow requests for reassessment for a month – more than enough time to hurt the bottom line of repeat offenders.
What sort of sites behave this way? One type of repeat offender is sites that, for whatever reason, can’t display advertising from the larger and more trustworthy ad networks. Instead they use low-rent ad networks that don’t do a good job of checking exactly what’s in the ads they serve. They’re often a source of malvertising, which the publishers who use them are aware of.
When Google applies a warning because a site is serving malware-laden advertising, the site owners remove the advertising and request a reassessment. Because they have no other source of income, once they pass the reassessment they simply resume displaying the same advertising and wait until Google notices and re-applies the warning.
It’s not that these sites want to cause security problems for their users, but that they’re negligent about how they monetize. In many cases, site owners aren’t initially aware that their advertising is causing problems, but once they find out, they’re unwilling to give up a vital source of income.
It’s worth noting that Google doesn’t intend to apply the Repeat Offender status to sites that have been hacked, only those Google thinks are deliberately trying to game the system. Nevertheless, there’s a thin line between being malicious and negligent, so we may see sites that simply don’t care about security and which repeatedly end up hacked being consigned to the Repeat Offender list.