Transparency Report: Making the web a safer place

Posted by Lucas Ballard, Software Engineer

[Cross-posted from the Official Google Blog]

Two of the biggest threats online are malicious software (known as malware) that can take control of your computer, and phishing scams that try to trick you into sharing passwords or other private information.

So in 2006 we started a Safe Browsing program to find and flag suspect websites. This means that when you are surfing the web, we can now warn you when a site is unsafe. We're currently flagging up to 10,000 sites a day—and because we share this technology with other browsers there are about 1 billion users we can help keep safe.

But we're always looking for new ways to protect users' security. So today we're launching a new section on our Transparency Report that will shed more light on the sources of malware and phishing attacks. You can now learn how many people see Safe Browsing warnings each week, where malicious sites are hosted around the world, how quickly websites become reinfected after their owners clean malware from their sites, and other tidbits we’ve surfaced.

Sharing this information also aligns well with our Transparency Report, which already gives information about government requests for user data, government requests to remove content, and current disruptions to our services.

To learn more, explore the new Safe Browsing information on this page. Webmasters and network administrators can find recommendations for dealing with malware infections, including resources like Google Webmaster Tools and Safe Browsing Alerts for Network Administrators.

Iranian phishing on the rise as elections approach

Posted by Eric Grosse, VP Security Engineering

[Update June 13: This post is available in Farsi on the Google Persian Blog.]

For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region. The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.

Our Chrome browser previously helped detect what appears to be the same group using SSL certificates to conduct attacks that targeted users within Iran. In this case, the phishing technique we detected is more routine: users receive an email containing a link to a web page that purports to provide a way to perform account maintenance. If the user clicks the link, they see a fake Google sign-in page that will steal their username and password.

Protecting our users’ accounts is one of our top priorities, so we notify targets of state-sponsored attacks and other suspicious activity, and we take other appropriate actions to limit the impact of these attacks on our users. Especially if you are in Iran, we encourage you to take extra steps to protect your account. Watching out for phishing, using a modern browser like Chrome and enabling 2-step verification can make you significantly more secure against these and many other types of attacks. Also, before typing your Google password, always verify that the URL in the address bar of your browser begins with https://accounts.google.com/. If the website's address does not match this text, please don’t enter your Google password.

Increased rewards for Google’s Web Vulnerability Reward Program

Posted by Adam Mein and Michal Zalewski, Security Team

Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa.

In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories:

• Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.7). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).
• The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).

As always, happy bug hunting! If you do find a security problem, please let us know.