Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Google Analytics is an Intermediary in Malware Distribution

   26 Mar 09   Filed in General

Just checked one site that Google lists as suspicious. And here is what I discovered on the Safe Browsing diagnostic page is listed as intermediary

When I noticed the domain name listed as an intermediary for distributing malware I thought it was not a real Google Analytics.

I’ve seen a lot of malicious domains that mimics the Google Analytics address. At the first glance they are usually indistinguishable from the real address and look trustworthy, but once you take a closer look at them, you’ll be able to spot a fraud. Here are just a few items from my collection of fake Google Analytics domais: google-analysis .com, ssl-google-analytics .com, gooqle-analytics .com.

However this time it was a real Analytics domain. I double checked it by loading this address in my browser. No surprise – I landed on a real Google Analytics start page.

Safe Browsing diagnostics for

Safe Browsing diagnostics for

What’s wrong? I clicked on the link to check the diagnostics page for

This page said that was not listed as suspicious and suspicious content was never found on this site within the past 90 days. However over the past 90 days, appeared to function as an intermediary for the infection of 2 sites

Can we trust Google Analytics?

So far it’s just a couple of sites but it’s not clear if this can affect millions of other sites using this popular Google’s web statistics service. Is there any potential danger? No one wants to get banned by Google for using Google’s own service.

What happened? Has someone managed to abuse Google Analytics code and make it distribute malware? Was it just a strange coincedence or another “human error“?

It would be really interesting to hear from Google regarding this issue.

Do you have any idea?

Update: Google contacted me to say that was incorrectly identified as an intermediary.  They told me that this happens in rare cases because determining which domains are intermediaries is complex,  and they assured me that they are working on their systems to help avoid this problem in the future.

Similar posts:

Reader's Comments (2)

  1. |

    Message to Denis on his website
    Thank you for you help I really am grateful I just hope I have moved all the code from my sites so that Google will reinstate us.
    It would appear that we are the recipient of the same problem you have highlighted on your website I have been hit by this same issue as this link shows according to
    All I am interested in is getting the block on my domain removed I don’t like what the information contained in the link implies but there appears to be something in what the information is implying that there was spurious code attached to Google analytics!
    So the plot thickens I have not posted this sentiment on the forum because it would appear that Google know more about this than they are letting on to so I feel that any noise I make from now on will only make matters worse for my situation can you help me I am somewhat of a novice with regards to technical issues and with out your kind assistance so far I would not have known the other code existed. It was on every page and the templates for my site I trust I have now removed the same but as I have said I am no expert so I would be very grateful if you could tell me that our two sites are free from malware
    Thanks Leigh

    • |


      I no longer see both of your sites being blacklisted. You’ve managed to remove the malicious code. I hope you’ll be able to prevent reinfection.

      I talked with Google developers about the code on your site. Although it was a related exploit, it wasn’t the reason why Google Analytics domain was mistakenly identified as an intermediary (the reason was much more complex).

      In your case it was just a coincedence that hackers used the Google Analytics script block to attach the malicious code. This way they tried to make it harder to detect when webmasters look through HTML code.