Tag Archive for: Security

Google has given webmasters their final warning to convert their sites to HTTPS or be branded as “Not Secure” with a prominent message in the address bar of Chrome and all Chrome-based browsers after October of this year.

Why is Google doing this?

Google has been urging webmasters to switch their sites to the more secure HTTPS security protocol for years, using increasingly drastic measures. Currently, Google is denoting sites that are secure using a green icon in the browser bar. Since so many sites have now adopted the protocol, Google is taking this a step further with a prominent red warning for sites that are not secure.

What does this mean for you?

Internet users don’t give up their information easily. They have to trust that you won’t let their data be breached or misused. If they see that your site is specifically labeled “Not Secure”, they simply aren’t going to trust you with anything.

That could mean increasing bounce-rates for your website, fewer e-commerce sales, fewer newsletter sign-ups, or fewer internet-driven leads for your business.

Two-Stage Roll Out

Rather than “switching on” the security warnings all at once, Google will be rolling out the change in two steps.

First, Chrome will remove the green icon signifying safe websites from the address bar, temporarily leaving only the small lock icon in its place.

Then, beginning in October, Google will introduce the official red icon identifying sites that are “Not Secure.”

This latest warning from Google gives webmasters plenty of time to make the switch, but I advise taking action sooner rather than later. You can get started right now with Google’s HTTPS set-up guides here.

Do you have a search box or form on your website? Are you still using HTTP for your site? If so, you may want to begin the process of switching to HTTPS sooner rather than later.

Google says it is preparing to launch new efforts within its Chrome browser to encourage webmasters to migrate to HTTPS, the more secure protocol for websites. Beginning in October, the browser will begin showing warning messages to visitors on pages with search boxes or forms.

As Google says, “[in] October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

You can preview what the warning will look like in the gif below:

The warnings are just the latest effort by Google to encourage the adoption of HTTPS. Just recently, Chrome warned webmasters that pages with logins are now required to use HTTPS.

The end goal for Google is to mark any web page using HTTP as insecure, but it could be a lengthy process.

Negative SEO alert

There’s a new malicious SEO tactic making the rounds and your Google My Business listings could easily be the victim, according to web security company Sucuri. The company says individuals are sneaking inappropriate or damaging photos into GMB listings with the intent of damaging a business’s reputation and image.

What makes this type of exploit unique, however, is that it doesn’t take any hacking skills to do. Unlike other negative SEO tactics, this specific technique does not include hosting images on a client server, malicious code, or even breaking into an account.

Ultimately, the attack is taking advantage of Google’s lax rules for uploading photos to a business’s location in Google Maps. Anyone can upload images to a business’s listing, and any of these images can be used for Knowledge Graph data about the business.

While Sucuri doesn’t have evidence of this, it is possible for a person to spam a business’s listing with lewd images and then send fake hits to them to increase their perceived popularity – all with the end goal of making sure they come up when people see your business online.

How to Protect Your Listings

Unfortunately, the nature of this type of attack makes it difficult to guard against. There is no way to limit who can upload photos to your listings or determine which image gets used in Knowledge Graphs. The best you can really do is to actively keep an eye on your listings and which photos are appearing next to your listings.

You can also watch to make sure no one is uploading inappropriate pictures to your Google My Business photos. While you can’t stop people from uploading lewd images, you can easily remove any associated with your location.

Every year Bing likes to highlight its efforts to keep the web safe with its “Bad Ads Report,” and this year’s edition shows that the endless war against online scammers and hackers has changed little recently.

Despite constant efforts to derail the malicious actors on their platform, tech support scams and purposely misleading ads remain the biggest problems on Bing Ads. The company blocked over 15 million ads for running tech support scams alone.

Overall, Bing says it has rejected over 250 million ads in the past year, as well as blocking 50,000 sites, and banning 150,000 ads for breaking their guidelines.

Considering Bing’s trademark usage policies are relatively loose compared to competitors like Google, it comes as a surprise that the company says it dismissed more than 50 million ads in 2015 for trademark infringements.

The rest of the report is less surprising. Phishing attacks remain a relatively minor issue, and pharma and counterfeit goods are still being delisted by the hundreds of thousands.

Find out more from Bing’s ad report here.


Google is continuing its efforts to combat online display advertising fraud, with new defenses against a scam technique known as clickjacking.

If you’ve ever tried to press play on a video, open a link, or start a song and wound up on another page unexpectedly, clickjacking is most likely the culprit.

This is done by overlaying an essentially transparent layer over a legitimate web page. This way everything looks normal, but as soon as you try to take any action you trigger a behavior on the transparent overlay instead. The hijacked click may be used to trigger one-click orders from Amazon, take you to malware-laden sites, generate Facebook or Twitter likes, commit ad fraud, or any number of other malicious behaviors.

To fight back against this, Google is removing publishers engaged in clickjacking from its network entirely. The company has also developed a new filter specifically to exclude invalid traffic on display ads from clickjacked pages on both mobile and desktop.

In a blog post about the new efforts to fight clickjacking, Andres Ferrate, Chief Advocate of Ad Traffic Quality at Google, explained:

When our system detects a Clickjacking attempt, we zero-in on the traffic attributed to that placement, and remove it from upcoming payment reports to ensure that advertisers are not charged for those clicks.
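The overlay attack only works when the page being clicked lets another site load it inside a frame. As an added example (my own code, not Google’s or the page’s), the following JavaScript builds the two response headers that refuse framing, `X-Frame-Options` and a Content-Security-Policy `frame-ancestors` directive, and includes a checker that reports whether a page with given headers could be framed by a given origin, which is a quick way to audit your own responses. Header semantics follow the CSP Level 3 and X-Frame-Options specifications as I understand them; the origins used are constructed.

```javascript
// Added example (not from the post): response headers that stop a page from being
// loaded inside a transparent overlay frame, plus a checker that tells you whether
// a given framing origin would be allowed. Header semantics follow the CSP Level 3
// frame-ancestors directive and the X-Frame-Options header; origins are constructed.

// Build the headers for a page that may only be framed by `allowedAncestors`
// (CSP source expressions such as "'self'" or "https://partner.example").
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    // Nobody may frame the page: legacy header plus the CSP directive.
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  const headers = {
    'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
  };
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  // For a cross-origin allow-list X-Frame-Options has no portable equivalent
  // (ALLOW-FROM was never widely supported), so only the CSP header is emitted.
  return headers;
}

// Extract the source list of the frame-ancestors directive, or null if absent.
function frameAncestorsSources(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// True when a document served with `headers` from `pageOrigin` could be
// embedded by a page at `framerOrigin`, i.e. when an overlay attack is possible.
function mayBeFramedBy(headers, pageOrigin, framerOrigin) {
  const sources = frameAncestorsSources(headers['Content-Security-Policy']);
  if (sources !== null) {
    // Browsers that support frame-ancestors let it override X-Frame-Options.
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return framerOrigin === pageOrigin;
      // Host sources are matched as exact origins; wildcard and scheme-only
      // forms are deliberately not modelled here.
      return src === framerOrigin;
    });
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no protection at all: any site can overlay the page
}

// Stand-alone run over constructed origins.
const page = 'https://shop.example';
const attacker = 'https://overlay.example';
console.log('no headers, framable by attacker:', mayBeFramedBy({}, page, attacker));
console.log('DENY, framable by attacker:', mayBeFramedBy(antiFramingHeaders(), page, attacker));
```

Header names are looked up case-sensitively in the plain object above; when feeding real responses from a library that lower-cases header names, normalise them first. Host-source matching is exact-origin only, so a policy that relies on `*.example` wildcards needs a fuller CSP matcher.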

Google made big news earlier this year when it declared it would favor sites that switch to HTTPS, and now Twitter is taking a similar path. A member of Twitter’s development team published a thread on the Twitter Community forum explaining the company’s future plans for HTTPS and setting a deadline for the company’s switch to HTTPS.

Starting October 1st, Twitter will begin using HTTPS for all new outbound links, meaning any new link you share will be wrapped in an “https://t.co” link. This way Twitter can securely send users to their intended destination, even when the destination page is not an HTTPS link.

Similar changes have been made by popular sites such as Reddit and Wikipedia; in those cases, however, the sites began using HTTPS site-wide.

This will also have the added side effect of increasing URL lengths in the future, depriving you of one more character to write with when sharing a link.

This also causes issues with tracking referral traffic to non-HTTPS sites, as Twitter explains non-HTTPS sites may see an apparent decrease in referral numbers.

“Web browsers drop the Referer header from a request by default when downgrading from an HTTPS t.co link to an HTTP destination in compliance with the HTTP specification for the Referer header… Based on our estimates you may see a 10% drop in traffic attribution from Twitter as a result of this security change.”

The company also warns that sites will see a steady decrease in referral traffic recorded from Twitter in the future, as users update to the latest browsers that support this policy.
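To make the mechanism behind that 10% estimate concrete, here is an added example (my own code, not Twitter’s or the page’s): a small JavaScript model of the Referer a browser attaches when a user follows a link, under the default policy quoted above (no-referrer-when-downgrade) and a few other Referrer-Policy values, plus a helper that counts, over a constructed batch of clicks, how many would arrive with no Referer at all. The policy semantics follow the W3C Referrer Policy specification; the t.co and destination URLs are constructed samples, not real Twitter data.

```javascript
// Added example: models the Referer header a browser attaches when a user
// follows a link. Policy semantics follow the W3C Referrer Policy spec;
// all URLs below are constructed samples, not real t.co data.

function isDowngrade(src, dst) {
  // HTTPS -> HTTP is the "downgrade" the default policy refuses to leak across.
  return src.protocol === 'https:' && dst.protocol !== 'https:';
}

function fullReferer(src) {
  // A Referer never carries the fragment or embedded credentials.
  const u = new URL(src.href);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

function originReferer(src) {
  return src.origin + '/';
}

// Returns the Referer value the browser would send, or null when it is dropped.
function refererFor(srcHref, dstHref, policy = 'no-referrer-when-downgrade') {
  const src = new URL(srcHref);
  const dst = new URL(dstHref);
  const downgrade = isDowngrade(src, dst);
  const sameOrigin = src.origin === dst.origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade': // the default behaviour the post quotes
      return downgrade ? null : fullReferer(src);
    case 'origin':
      return originReferer(src);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullReferer(src) : originReferer(src);
    default:
      throw new Error(`unsupported Referrer-Policy: ${policy}`);
  }
}

// Fraction of clicks that reach their destination with no Referer at all,
// i.e. the share of traffic an analytics tool can no longer attribute to Twitter.
function unattributedShare(clicks, policy = 'no-referrer-when-downgrade') {
  if (clicks.length === 0) return 0;
  const lost = clicks.filter((c) => refererFor(c.from, c.to, policy) === null).length;
  return lost / clicks.length;
}

// Constructed sample: ten wrapped links, one of which points at a plain-HTTP site.
const SAMPLE_CLICKS = [
  { from: 'https://t.co/aaa111', to: 'https://news.example/story-1' },
  { from: 'https://t.co/bbb222', to: 'https://news.example/story-2' },
  { from: 'https://t.co/ccc333', to: 'https://blog.example/post' },
  { from: 'https://t.co/ddd444', to: 'https://shop.example/item' },
  { from: 'https://t.co/eee555', to: 'https://docs.example/page' },
  { from: 'https://t.co/fff666', to: 'https://video.example/clip' },
  { from: 'https://t.co/ggg777', to: 'https://news.example/story-3' },
  { from: 'https://t.co/hhh888', to: 'https://wiki.example/article' },
  { from: 'https://t.co/iii999', to: 'https://forum.example/thread' },
  { from: 'https://t.co/jjj000', to: 'http://legacy.example/page' },
];

console.log('share of clicks arriving without a Referer:', unattributedShare(SAMPLE_CLICKS));
```

The only way for a destination site to keep receiving attribution in this model is to be reachable over HTTPS itself; no setting on the HTTP destination changes what the linking page’s browser sends.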

Examples of injected ads ‘in the wild’

A new study from Google and the University of California, Berkeley and Santa Barbara has found that over 3,000 advertisers have been the victims of ad injection software, including major brands such as Sears, Walmart, Target, and eBay.

Ad injectors have long been a bane for webmasters, as the troublesome and occasionally malicious programs insert unwanted ads into web pages, costing publishers ad revenue and causing advertisers to pay for traffic from ads they never intended to buy.

The study exposes a network of companies that profit from and facilitate these unwanted ads, and shows just how widespread the issue is. Google says it has received more than 100,000 complaints from users about ad injectors since just the start of this year.

Ginny Marvin from Marketing Land thoroughly breaks down how ad injection works:

The ad injectors come in the form of browser extensions and software applications that infect a user’s browser. Google found more than 50,000 browser extensions and 34,000 software applications that had hijacked users’ browsers to inject ads. In nearly 30 percent of cases, the software bundles were “outright malicious”, not only injecting ads but stealing account credentials, hijacking users’ search queries and reporting user activity to third parties for tracking purposes.

Google found the ad injector software being distributed onto users’ computers by 1,000 affiliate businesses, including known adware browser extensions, Crossrider, Shopper Pro and Netcrawl. These companies aim to spread as many ad injector software downloads as possible in a number of ways, including bundling their applications with popular downloads (who hasn’t fallen victim to the pre-checked box for an add-on during a software download?), blatant malware distribution and extensive social media campaigns. They then collect affiliate fees when users click on injected ads.

The ad injectors get the ads from about 25 ad injection library companies such as Superfish and Jollywallet, which in turn source and target ads from relationships with a handful of ad networks and shopping programs. It’s these libraries that pass on a fraction of the profits to the affiliates.

Google found that 77 percent of all injected ads originated from just one of these three ad networks: Dealtime.com, Pricegrabber.com and Bizrate.com.

This network is massive for even the most sophisticated spam and shady marketing systems. Google used a custom-built ad injection detector on Google sites and found that 5.5 percent of unique IP addresses (representing millions of users) accessed Google sites that had some form of injected ads.

Don’t think your Mac is safe either. Google also saw that 3.4 percent of page views on Apple machines and 5.1 percent on Windows machines showed clear signs of ad injection software.

To combat the problem, Google says it has taken down 192 deceptive Chrome browser extensions from the Chrome Web Store and instituted new user protections to prevent similar extensions from making it into the store in the future.

The full report will be presented later this month at the IEEE Symposium on Security & Privacy, but you can read Google’s announcement of the study results here.

Google is in the process of rolling out a new hacked page classifier which puts a notice below sites in the search listings believed to have malicious code or other hacking issues. The only problem is, many webmasters are reporting getting labeled as hacked incorrectly.

Yesterday, Google’s John Mueller acknowledged that a small number of sites are being mislabeled in the search results, which is obviously discouraging to anyone considering clicking on the link.

You can tell if your site is affected by simply searching for your site on Google and seeing if a small line of blue text appears below the title reading “This site may be hacked.” If you don’t see it, you’re in the clear. On the other hand, if you’re seeing that line it means your site has either been mislabeled or really has been hacked.

Mueller suggests having someone experienced in working with hacked sites review your site to ensure there are no problems. If they give your site a clean bill of health, you will have to notify Google.

This Site May be Hacked

The search engine says to fill out this form if you believe your site is mislabeled as hacked. Once it is submitted, someone at Google will review it and remove the label if they also find no issues. There is no indication how long it will take Google to review your site and remove the label, especially with the number of sites reporting the problem.

For more information on resolving issues with hacked sites, see Google’s best practices.

A few weeks ago, Google announced they would begin favoring sites that switch to HTTPS in search results. At the time of the announcement, most of the SEO community was skeptical at best and few believed the HTTPS ranking factor would have any effect on rankings whatsoever. Well, it has been a couple of weeks and we have the verdict.

The skeptics were absolutely right.

SearchMetrics decided to evaluate whether HTTPS had any discernible effect on search results of any form. According to Marcus Tober of SearchMetrics, there is no data to prove HTTPS has any effect on Google rankings after the launch of the ranking factor.

In a nutshell: No relationships have been discernible to date from the data analyzed by us between HTTPS and rankings nor are there any differences between HTTP and HTTPS. In my opinion therefore, Google has not yet rolled out this ranking factor – and/or this factor only affects such a small section of the index to date that it was not possible to identify it with our data.

Tober shared his data along with his report, and it matches all the anecdotal evidence available as well. Site owners across the web rushed to update their sites to the newly favored HTTPS, but there is nary a single story I could find suggesting it had any ranking influence at all.

At the time of the announcement, Google did suggest that switching over could possibly influence rankings, but they also called it a “very lightweight signal,” so there’s no need to grab your pitchforks. But these results may hold some lessons for those who were expecting an easy and quick rankings boost with minimal work.

Source: The Search Guru

Matt Cutts has been urging webmasters to use strong encryption on their sites for quite a while, and he has hinted that one day Google may start rewarding those sites in its search results. Google has remained entirely mum on the issue, but there are rumors swirling that Cutts is doubling down and pushing within the company for an algorithm update that would favor secure sites.

At the SMX West conference, Cutts explained why the search engine would benefit from favoring encrypted sites by saying that it would save Google a large amount of time when new security panics occur. According to Time magazine, Cutts is quoted saying, “We don’t have the time to maybe hold your hand and walk you through and show you exactly where it happened.”

It is unclear if these types of changes are likely to be made any time soon, as most sources seem very skeptical. But, in the wake of Heartbleed, one of the most widespread security exploits in history, now would be a reasonable time to increase security guidelines and protocols.