Worst timing ever – Google flagged us as malware on our prelaunch announcement day


Today it was supposed to be a great day for our WordPress AB / Split Testing service but thanks to Google, it has ended up being a nightmare (well, at least nobody died though a couple of us almost had a heart attack in the process). We’ve decided to explain all details of what happened to: 1 – Assure visitors that our website is (and always has been) safe to visit (and subscribe) and 2 – Let other companies know the bizarre things that can happen during a (pre)launch day because you’re never prepared enough.

So this is the chronology of the facts:

  1. To get some traction for our beta program we decided to contact Jeff from WPTavern and ask him if he could cover our service as a kind of prelaunch announcement. We chose him because of his reputation in the WordPress community and were sure a mention of our service in his site would make some waves (Jeff already covered a couple of years ago our other WordPress service MigrateToWP and that post has been a good source of visitors for us ever since).
  2. Yesterday Jeff told me the short interview I had done with him describing the service was up online. It was already quite late (in my CET – Central European time), so I just forwarded the info to my co-founders and went to bed.
  3. I woke up early today and first thing I did was to check mailchimp to see how many people had joined the beta thanks to Jeff’s post. Strange, only 4 people had joined. I start to think something is going on.
  4. I check the email and I see a message from Sumobi saying “Just a heads up in case you are unaware. When I tried to visit your website, google chrome blocked it with their malware detected page. Might stop a lot of people signing up to your mailing list :)”. WHAT?????? This is impossible!!! A quick visit to the announcement post confirms it, several people are complaining: “Visiting this page now is very likely to infect your computer with malware.”, “I got the same warning. Wonder what’s going on there.”. Not exactly the kind of feedback we were expecting.
  5. Google WebMaster tools says that the site is clean. So Google is contradicting itself. It flags the site as malware to our visitors but to us, the owners, it says that everything is ok. Very helpful, thanks!
  6. None of us is able to get this warning when visiting the site ourselves, it seems that only some people see it, making it even more difficult for us to trace the source of the problem. Thanks to the info we get from our visitors we are able to detect that the problem is a couple of links to the demo site of the WordPress theme we bought for the site.
  7. After contacting the theme shop we immediately get the following explanation: “Google had blacklisted our demo site earlier today as the result of a false alarm. Google has since removed that blacklist entry and the message should have disappeared. If the message was displayed on a client’s site it is likely that they hot-linked an image somewhere on their site that was hosted on demos.shapingrain.com. I could not find any links anywhere on either that blog or the final site, but that warning message would even appear if Google suspected content on a site that was linked via 3 or more levels on a remote site (if you link to a site, that links to another site, which links to demos.shapingrain.com) — so it might have been an avatar or something similar. It is even possible that the mention of shapingrain.com in the theme’s stylesheet could have triggered that, depending on the browser and whether or not additional anti-virus software was used, since some users saw the message and some did not. Again, there was no actual threat or malware posted anywhere and Google has reacted quickly and removed the blacklist entry. I apologize for any inconvenience and hope to have answered your questions. If you have any follow-up questions, please feel free to get back in touch and I would be happy to answer those as well.”
  8. (In theory) this closes the problem.

So, to sum up, everything was just a misunderstanding between the theme shop and Google. And we were just unlucky this happened the day we were doing a first big announcement. Well, thanks Google for screwing us up 🙁

You can argue that Google needs to protect internet users but Google should also protect the businesses which in the end is who make Google rich. It doesn’t make sense that it decides to block my site without alerting me at the same time (otherwise, what’s the point of Google Webmaster tools?). And really, I believe Google algorithms can do better than this. All the other malware scanning tools we tested this morning said our site was clean so why can’t Google be smart enough to see it as well? I bet to say it’s just because for them a false positive (flagging a site as malware when it’s not) is not a problem at all. It’s not them that suffer the consequences but us. And unfortunately, “When Google sneezes our businesses catch a cold, if not something worse”. So please, Google, if you read this be more business-friendly the next time. Do not assume that you are the only ones that follow the “Don’t be evil” motto.

22 thoughts on “Worst timing ever – Google flagged us as malware on our prelaunch announcement day”

  1. Seems like the problem stems from dependency on a third-party technology. Google is gonna do what Google do, so my take away is: develop your own theme/code/content, and you won’t get caught up in someone else’s “misunderstanding”.

    1. Yes but this is easier said than done. If we have to start rewriting everything ourselves (even WordPress, just in case there’s a hidden bug in WP itself 🙂 ) then we would not have the time to do something new. This is always a tough call.

  2. I posted this in the hacker news commentary but thought I would share this with you here as well to be sure you saw it.

    The domain that was blacklisted was not demos.shapingrain.com (I checked), shapingrain.com itself was blacklisted as you can see from the Google Safe Browsing report here: .

    The theme currently in use on http://wp-abtesting.com/ has a main stylesheet called style.css which contains the URL http://www.shapingrain.com in its comments in the header.

    It looks like shapingrain.com itself was infected on 2013-08-19 but cleaned by 2013-08-20. It was likely infected with a JavaScript injection vulnerability linking to the site lartedio.com which served the actual payload (likely something trying to self-install, break out of the box, etc.).

    After shapingrain.com was infected and flagged by Google Safe Browsing, wp-abtesting.com would then have been flagged when Google analyzed the CSS file and saw what appeared to be a resource link to an infected site. This would appear to be a limitation via the scanner which is scanning CSS comments and treating them as valid code, though this is not without precedent and certain browsers will evaluate what is contained in comments under certain circumstances (see IE conditional comments).

    So, in the end, it looks like shapingrain.com was infected yesterday and Google blacklisted that site as well as any sites pulling resources from the infected site, erring on the side of caution (possibly) and interpreting URLs within comments in CSS as possible resource links.

    1. Hi John,

      Thanks a lot for your detailed response. Really appreciated.

      Probably both sites were infected at some point. Again, I never saw the malware message myself but the guy that alerted us first copied the message he got and it was explicitly mentioning the demo site: “Content from demos.shapingrain.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your Mac with malware.”

      And now, we’re going to immediately clean the CSS since this is something that had not occurred to us could be the cause of the problem. Let’s make sure we are not blacklisted again!
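
The distinction discussed in this thread, a URL sitting in a stylesheet comment versus one the browser actually fetches, can be checked on your own theme files. The following is an added example, not code from the original post or its commenters: a Python audit that lists every reference to a flagged domain (or its subdomains) in a CSS file and labels it `comment` or `live`. The sample stylesheet, its paths and the function names are constructed for illustration.

```python
import re

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# Absolute or protocol-relative URL; group 1 is the host name.
URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)[^\s\"')*]*", re.IGNORECASE)

# Constructed sample: a WordPress-style theme header plus active rules.
SAMPLE_CSS = """/*
Theme Name: Example Theme
Theme URI: http://www.shapingrain.com
Author URI: http://www.shapingrain.com
*/
body { background: #fff url(images/bg.png); }
.hero { background-image: url("http://demos.shapingrain.com/img/hero.jpg"); }
.logo { background-image: url(//cdn.example.org/logo.png); }
"""


def host_matches(host, flagged):
    """True for the flagged domain itself or any subdomain of it."""
    host, flagged = host.lower().rstrip("."), flagged.lower()
    return host == flagged or host.endswith("." + flagged)


def find_references(css_text, flagged):
    """Return (line, kind, url) for every URL pointing at `flagged`.

    kind is "comment" when the URL sits inside /* ... */ (never fetched by a
    browser, but visible to a scanner that reads the raw file) and "live"
    when it is in active CSS such as url(...) or @import.
    """
    comment_spans = [m.span() for m in COMMENT_RE.finditer(css_text)]
    hits = []
    for m in URL_RE.finditer(css_text):
        if not host_matches(m.group(1), flagged):
            continue
        in_comment = any(s <= m.start() < e for s, e in comment_spans)
        line = css_text.count("\n", 0, m.start()) + 1
        hits.append((line, "comment" if in_comment else "live", m.group(0)))
    return hits


if __name__ == "__main__":
    for line, kind, url in find_references(SAMPLE_CSS, "shapingrain.com"):
        print(f"style.css:{line}: [{kind}] {url}")
```

A `live` hit means visitors' browsers request content from that host; a `comment` hit is never fetched, but per the thread it can still be picked up by a scanner that reads the raw file.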

  3. Maybe some compromised code is caught by Google’s scanner, thus you are trapped in a security warning issue. Much malware is not detected by Google or Firefox. They depend upon the malware request raised by the end user.
    Personally I found that Google’s malware scanning mechanism doesn’t work. This truth is also valid for other giant scanner services like sucuri.net.
    I had written a detailed post at http://www.devuvach.com/how-they-actually-hack-your-wordpress-blog/

    Hopefully that is helpful to you.

  4. This will end up being a good thing for you guys. Many people like me would not have heard about your service if this did not happen.

  5. Tried to read your blog, but I can’t. Your test is too light and too thin on Windows 8 / Chrome or Opera.

    Please consider testing your website cross browser.

  6. > Google should also protect the businesses which in the end is who make Google rich.

    That’s like saying a restaurant has an obligation to its suppliers. The end user is who any business serves.

    1. Not sure it is the same. In a restaurant it is the end user who pays for the meal. Instead, end users don’t (directly) pay Google; it is the businesses who do. Do you agree?

  7. That’s really sad and ticks me off. I admire the hell out of Google’s technical acumen and open source ethos, but it’s unfortunate that they’re such a dominant figure in the marketplace without real competition. When Google arbitrarily marks you as breaking their rules, you’re normally out of luck. This is kind of why, despite not liking Facebook so much, I’m glad they’ve got some impact in the market such that big brands are promoting pages in their national TV ads, smaller companies use the types of services listed at BuyLikesReviews and try and promote their products directly through their customer base, and that they have some impact on popular culture.

    Competition from Facebook is getting Google to at least think about addressing some of their weak points like customer service, and the ability for businesses to actually contact them when there’s a problem. At least Google and Facebook are both pushing each other to improve and innovate and compete.

    I just wish that they had more competition because for every story that you read about with a happy ending where a problem gets resolved, you have more of these stories where companies lose their hat with no recourse.

  8. I wonder if you could sue them. They were lying about your website having malware, I’m sure that’s not legal, even by “accident”…

  9. That’s strange, the washington times website was flagged, too. Then I got to thinking… First Facebook is slacking off, not caring about profile invasion threats, now Google is screwing up about malware? I’m getting suspicious that this is intentional (naturally since reading on http://vpnexpress.net about their cooperation on NSA spying), and about their motives. Is this going to be another way of strong-arming site owners to control data or prevent news from spreading? Like Lavabit and Groklaw have shut down because of the pressure. This is getting serious.

  10. Pingback: Get The Google Malware Hammer For Commented Out CSS | Theme Lab
  11. Pingback: Get The Google Malware Hammer For Commented Out CSS | FreeWordpressThemes.us
  12. Hey guys,
    I have the same flagging problem. Do you have any contact person by webmaster-tools?
    Many thanks in advance for your help!
