Google Blacklists


If you ever shortened a URL using or if you use it anywhere, be aware that Google recently blacklisted all pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty "The site ahead contains malware" warning when visiting a link.


Why would Google blacklist

Google has many automated processes to detect if a specific domain is hosting malware, redirecting to malware or somehow being misused to compromise other sites (as an intermediary). It flags thousands of sites every day and it seems that the had some redirections that were flagged by their detection process.

This is what their diagnostics page says:

What is the current listing status for
Site is listed as suspicious – visiting this web site may harm your computer.

Of the 91549 pages we tested on the site over the past 90 days, 721 page(s) resulted in malicious software being downloaded and installed without user consent.

That generally means that someone shortened a URL that redirected to a browser exploit kit, which pushed malware to anyone visiting the page.

Shortened URL malware

Unfortunately, Google is not completely wrong with this one (but likely a bit excessive, time will tell). We constantly see malware injection on websites leveraging shortened URL links. Here is an example of what we mean; this payload was found in a compromised website:

<iframe src="" name="iframe_name" scrolling="no" frameborder="0" allowfullscreen align="top" height="400px" width="720px">

This iframe injection has a link that redirects to a drive-by-download hosted at httx://teamliboza[.]nl/streamplayer1.php. It happens often with and other URL shorteners. This new blacklisting status could be a change in tide for URL shorteners as Google takes a hard stance against how attackers employ them to distribute malware. That, or they could be legitimately blocked; it's just hard to say at the moment.

Whether they are actually hacked or being tagged for what others are doing will require more time and analysis, as it's a very unique situation. For now, however, if you depend on the shortening service and want people to see your content, it's best to avoid the service until the issue has been resolved.

Additionally, if you leverage the shortener in your own website, this could be impactful to you, as your website could get inadvertently blacklisted for loading a blacklisted website. Something to be mindful of. The good news is that the blacklist will be for the shortener, so removing it will address the problem, but the bad news is that most end-users won't read the details and will assume it's you.
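A site owner can check their own pages for this situation. The following is an added example, not code from the original post: it parses a page's HTML and reports every element that loads from or links to a URL-shortener host. The host `short.example`, the sample markup and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder shortener host (assumption): list the services you want to audit for.
SHORTENER_HOSTS = {"short.example"}

# Tag -> attribute that makes the browser fetch a resource while rendering.
LOADING_ATTRS = {"iframe": "src", "script": "src", "img": "src",
                 "embed": "src", "object": "data", "link": "href"}

class ShortenerAudit(HTMLParser):
    """Record every element that loads from, or links to, a shortener host."""
    def __init__(self, hosts):
        super().__init__()
        self.hosts = {h.lower() for h in hosts}
        self.findings = []  # (line, tag, url, kind)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in LOADING_ATTRS:
            url, kind = attrs.get(LOADING_ATTRS[tag]), "loads"  # fetched on page view
        elif tag == "a":
            url, kind = attrs.get("href"), "links"  # fetched only on click
        else:
            return
        try:
            host = (urlparse((url or "").strip()).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            return
        if host in self.hosts or any(host.endswith("." + h) for h in self.hosts):
            self.findings.append((self.getpos()[0], tag, url.strip(), kind))

def audit_html(html, hosts=SHORTENER_HOSTS):
    """Return findings sorted so that auto-loading elements come first."""
    parser = ShortenerAudit(hosts)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: (f[3] != "loads", f[0]))

# Constructed sample page: one plain link, one injected-style iframe, one clean image.
SAMPLE = """<html><body>
<p>Read <a href="https://short.example/abc">our post</a></p>
<iframe src="//short.example/xyz" name="iframe_name" scrolling="no" height="400px" width="720px"></iframe>
<img src="https://cdn.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, kind in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> {kind} {url}")
```

Findings marked `loads` are fetched as soon as the page renders, so they are the ones to remove or replace first; an iframe you did not add yourself is also a sign the page may have been injected.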

We will keep monitoring this issue closely and we will post an update as soon as we hear more. In the meantime, do not visit links and replace them with their real final destination URL.

Update 1: After almost 12 hours, Google removed the ban from They also changed the diagnostics page to:

What is the current listing status for
This site is not currently listed as suspicious.
