Malicious software: why Google shows this error?

As an arbitrage techie to the bone, who single-handedly created the AlterCPA Pro affiliate network engine, I have a deep understanding of processes. I often laugh at how affiliates perceive and try to solve problems, creating another cargo cult. Today I will destroy the myths around one of these problems.

Let’s analyze the big headache of almost all affiliates who run gray verticals on Google traffic with landing pages in their funnels. Almost everyone who works with crypto, nutra, and the like has experienced the death of their advertising campaigns due to the “Malicious software” error. If you go to a site marked with this error, you can sometimes even run into a red screen with a huge warning in the spirit of “Beware, dangerous site!” – you cannot even dream of leads from this resource.

Yes, it hurts unbearably. And in most cases, the affiliate will blame the cloaker. Judge for yourself: he uses no other software! Is it logical that Google is complaining about the cloaker? For an affiliate who is not versed in technology, perhaps yes. But for any techie, the answer is unequivocal: no, it is not logical. And escaping this scourge is easy.

How did the “Malicious software” error appear?

It’s time to dive into the wilds of history, when the world of promotion was ruled not by arbitrage but by good old SEO!

The error arose as a phenomenon back in the distant 2000s, when half of today’s affiliates had not been born at all, and the other half was only learning to put letters into syllables. One of the popular ways to “make money” in those fun times was covertly hacking sites in order to take some of their traffic.

Google began to mark these hacked sites, where who knows what happened to visitors, with a “Malware” error. The goal of the corporation of good was one: to protect the user. What exactly does a hacked site do to the user’s eyes, nerves, wallet, and computer? It is not always clear; this is Russian roulette. It is more reliable to throw an error and protect traffic from a negative experience.

Google’s algorithms still find hacked sites by several triggers. The whole secret to living happily without the ill-fated error is to avoid these markers. Now let’s figure out exactly why Google gives the “Malicious software” error and how to prevent it.

Reason 1. Suspicious JavaScript

This is the most popular reason Google triggers and tags websites. Fraud by planting your own JS on someone else’s site is one of the most popular schemes. It is enough to replace everyone’s favorite jQuery with a copy that has only a couple of lines added somewhere in the middle of the huge library, and part of the traffic from the necessary pages will run away to wherever the “hacker” says.

Not all traffic leaves, but only a part, so that the mammoth (site owner) does not see the problem for as long as possible and does not understand what its cause is. Sometimes even Google Webmaster did not specify which file the worm had crept into. As a result, Google has been frantically checking all JS for more than a decade, trying to find patterns in it that are responsible for a sudden redirect to a third-party site or for intercepting form submissions.

There are two ways to prevent this:

  • Simple (for smart people). Try to make your white pages without using any third-party JS libraries. I advise everyone to take a closer look at the masterpiece of the modern front-end – the divine VanillaJS framework!
  • Alternative (like hipster milk). Replace all libraries stolen from the original site with their latest versions from the vendors. Under no circumstances link to them; be sure to host the file directly on your site!
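From the site owner's side, the library tampering described above is caught by comparing the hosted copy with the vendor's release and by locating statements that move the visitor or reroute form data. This is an added example, not code from the original article; the pattern list and both sample library bodies are constructed for illustration.

```python
import base64
import hashlib
import re

# Illustrative patterns (an assumption, not Google's rules). The hash comparison
# is the authoritative check; the patterns only help locate an injected line.
SUSPICIOUS = {
    "navigation": re.compile(
        r"\b(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)"
        r"|\blocation\.(?:replace|assign)\s*\("),
    "form hijack": re.compile(r"\.action\s*=(?!=)"),
    "dynamic code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\batob\s*\("),
}

def sri_hash(data: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

def audit_library(local: bytes, vendor: bytes) -> dict:
    """Compare a hosted copy with the vendor release and list suspicious lines."""
    findings = []
    text = local.decode("utf-8", "replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SUSPICIOUS.items():
            if rx.search(line):
                findings.append((lineno, label))
    return {"matches_vendor": sri_hash(local) == sri_hash(vendor),
            "findings": findings}

# Constructed sample: a tiny "library" and a copy with one line added in the middle.
VENDOR = (b"function add(a, b) {\n  return a + b;\n}\n"
          b"function mul(a, b) {\n  return a * b;\n}\n")
TAMPERED = VENDOR.replace(
    b"function mul",
    b"window.location.href = 'https://redirect.example/';\nfunction mul")

if __name__ == "__main__":
    print("vendor copy  :", audit_library(VENDOR, VENDOR))
    print("tampered copy:", audit_library(TAMPERED, VENDOR))
```

The same `sri_hash` value can be placed in a script tag's `integrity` attribute so the browser itself refuses a modified file.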

Reason 2. Server-based redirects

Google marks sites for this reason when the white page is local and users are thrown to the black page with a server redirect. It is very easy to get burned: Chrome itself will easily notice the pattern and send an abuse report to Big Brother.

Google began to punish redirects after an old hacking scheme, especially popular with WordPress sites. After the site was hacked, the .htaccess file, which is usually responsible for parsing paths, was replaced. Instead of the desired page, the visitor landed on a smart link and was sent off to places where he was monetized in the dirtiest way.

Large teams were created that made money by transferring people to a third-party site. So that the owner of the site and those who looked after it did not see the problem for as long as possible, the traffic to be transferred was selected by patterns in user agents. Patterns were chosen that the site owner himself would most likely not match.

In those days, there was very little mobile traffic, and usually no one bothered: they simply sent all the mobile traffic through a redirect. People were transferred to WapClick subscriptions or to doorways made for the same WapClick.

The alternative was a user agent characteristic of leaky browsers or other oddities that were extremely rare. In this situation, a person was most often thrown to a hotbed of viruses ideally suited to the “technological holes” in his browser. Or in a leaky Windows, because our visitor had so diligently turned off its updates.
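A site owner can check for the .htaccess replacement described above by looking for rewrite rules that send visitors to a foreign host only when a User-Agent or Referer condition matches. This is an added example, not code from the original article; the sample file, the host names and the function name are constructed.

```python
import re
from urllib.parse import urlsplit

COND = re.compile(
    r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_conditional_redirects(htaccess: str, own_hosts: set) -> list:
    """Return (line, header, pattern, target) for rules that send visitors to a
    foreign host only when a User-Agent or Referer condition matches."""
    hits, pending = [], []
    for lineno, line in enumerate(htaccess.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        target = rule.group(1)
        host = urlsplit(target).hostname  # None for relative substitutions
        # mod_rewrite redirects externally whenever the substitution is an
        # absolute URL on another host, with or without the [R] flag.
        if host is not None and host.lower() not in own_hosts:
            for header, pattern in pending:
                hits.append((lineno, header, pattern, target))
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return hits

# Constructed sample: stock WordPress rules with a foreign block placed on top.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|mobile) [NC]
RewriteRule ^(.*)$ https://tds.example/in [R=302,L]
# BEGIN WordPress
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
""".strip()

if __name__ == "__main__":
    for hit in find_conditional_redirects(SAMPLE, {"shop.example"}):
        print(hit)
```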

How not to get a “Malware” error for redirects? Again there are two solutions:

  • Store the black page on the same hosting as the white page, directing traffic there without a redirect. As an option, load the contents of the black page from its link with a base href change. But this method is not suitable for large resources in gambling, betting or dating verticals.
  • Redirect through an intermediate page with a neutral caption. The best option is to write on it about checking the browser or cookies. This does not match the hacking pattern – the visitor first sees a normal page and only then the redirect occurs.

Reason 3. Hidden doorway

Such a hack was one of the most dangerous, since it was virtually impossible to trace. The owner of the site found out that his creation had been turned into a doorway only after receiving sanctions from the search engine.

On the hosting where the site was located, a folder was simply created with thousands of pages for the “hacker’s” offer. This folder was placed deep inside wp-content or similar repositories of pictures and files, where no one would be surprised by its large size and it would be lost among dozens of pictures.

At the same time, the original site has not a single link to these pages, but they constantly link back to it. The search engine considers this another stupid mistake of the developer and eats the entire doorway as part of the site.

Google detects such fraud by a very simple scheme: it looks at how well the site’s pages correspond to its main topic. An abrupt change in the theme of the site is like a red rag to a bull and a reason to hang up a red page.
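Because nothing on the site links to such a folder, the owner's practical check is on the file system: page-type files piling up inside directories meant for media. This is an added example, not code from the original article; the asset path list, the threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

PAGE_EXT = {".html", ".htm", ".php"}
ASSET_ROOTS = ("wp-content/uploads",)  # assumption: directories meant for media only

def find_page_clusters(site_root: str, min_pages: int = 20) -> dict:
    """Map asset sub-directories to the number of page-type files they hold.

    A lone index.php placeholder stays under the threshold; a folder of
    generated pages does not.
    """
    clusters = {}
    for asset in ASSET_ROOTS:
        base = os.path.join(site_root, *asset.split("/"))
        for dirpath, _dirs, files in os.walk(base):
            pages = sum(1 for name in files
                        if os.path.splitext(name)[1].lower() in PAGE_EXT)
            if pages >= min_pages:
                rel = os.path.relpath(dirpath, site_root).replace(os.sep, "/")
                clusters[rel] = pages
    return clusters

def build_sample_site(root: str) -> None:
    """Constructed tree: ordinary media uploads plus a folder of generated pages."""
    media = os.path.join(root, "wp-content", "uploads", "2023", "05")
    hidden = os.path.join(root, "wp-content", "uploads", "2019", "cache")
    os.makedirs(media)
    os.makedirs(hidden)
    for i in range(12):
        open(os.path.join(media, f"photo{i}.jpg"), "wb").close()
    for i in range(40):
        with open(os.path.join(hidden, f"page{i}.html"), "w") as fh:
            fh.write("<html></html>")

def demo(min_pages: int = 20) -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return find_page_clusters(root, min_pages)

if __name__ == "__main__":
    print(demo())
```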

In modern arbitrage, it is rather difficult to get a “Malware” error on suspicion of a doorway, but it is possible: just take an aged domain with a history. Previously, the search engine indexed it as a site about flowers and cats. And then suddenly there is content on a completely different topic with pussy creams and investments in Elon Musk’s platform.

For the sake of “white quality”, some affiliates restore its old pages from WebArchive on the domain. Here Google will not even think or doubt – it will immediately decide that it is the same doorway in front of it.

The solution is simple: do not take aged domains with a history (except when they contained pages on the target topic) and, moreover, do not restore old pages for “trust”.

Reason 4. Cloak

The reason is as rare as a sober affiliate at a conference, but it exists! In the vast majority of cases, the cloaker has nothing to do with the malicious software error at all. But there is one exception.

It arises only when the affiliate got high on a set of substances known to him alone and decided that he was the Chuck Norris of arbitrage. This is where he started cloaking through JavaScript, using a primitive script with a redirect directly on the website. We immediately get a combo of two points for which Google wants to ban everyone: both the crooked JS and the redirect. Is the cloaker to blame? Or the hands of the affiliate?

The solution is simple: do not hit the bottle and do not cloak via JavaScript; there are many more adequate ways. The cloaker should always work at the server level and never show bots even a couple of lines of its code, no matter how clean they may seem at first glance.

Reason 5. Hacked hosting server

Such cases have become very rare. But they still occur when the factors line up into a bingo: the server where the site is hosted holds a bunch of hacked sites, spam was sent from the hosting IP, or some other disgrace happened.

As a consequence, the IP is thoroughly compromised, and Google can mark the address of the server and all the sites that live on it. Just in case, it introduces a strict quarantine, because no one knows which sites are infected and which ones are still holding out.

The solution to this issue is the simplest one, and almost everyone uses it by default, which is what makes the problem rare. It is important to use CloudFlare, DDoS Guard or equivalents so that the site IP does not match the hosting IP and falls into some trust base.


The “Malicious software” error appears for quite understandable reasons. Avoiding it is very simple: do not trigger Google needlessly. If the error did appear, blame your crooked hands, and not the cloaker, which just stood nearby.

Arbitrageurs, like true followers of the cargo cult, believe in the great power of Google neural networks and look for errors where there are none. Cloak is not the thing to blame. Your whites are to blame. Always.

I hope that at least a couple of thousand arbitrageurs who read this material will no longer kill their ads and nerves because of a simple label. And for those who want to work with the cloak created by the arbitrage tech guru, take a look at my AlterCPA One.