Google flagged as suspicious website

Google flagged as suspicious website users that would like to access were unpleasantly surprised today. Google flagged the website as suspicious and users of the Google Chrome and Mozilla Firefox browsers saw a security warning when they tried to visit the website.


According to the Google diagnostic page, suspicious content was found on on October 23rd, 2013. Three domains were mentioned;,, and (owned by the same GoDaddy account) which were said to distribute malware to visitors of the site.


Was it a false positive like regular visitors of suggested in many online discussions?

After connecting to the domain the browser loads a few css files and userprefs.js from


It turned out that the javascript userprefs.js had caused the problem. As you can see in the following log,, the size of the file has changed from 2602 bytes to 5821 bytes and then to 1279 during 25 hours. That is quite suspicious behavior. The 2602 bytes version of the file was the original file with a search completion function, the 1279 bytes version is the updated file without the search completion function removed that appeared while the problem was solving. The 5821 bytes version of the file was the suspicious file that contains an obfuscated code:



After deobfuscating we get


The obfuscated code inserted an iframe with a link to The domain is suspicious and blacklisted by Google Safe Browsing. The iframe was probably the reason why the was flagged as suspicious. As I mentioned above, the javascript userprefs.jshas been replaced with the one without the obfuscated code and the website php.nethas not been blacklisted anymore.


Source and Copyright: Avast Blogs

Also visit: Avast Com Setup | Avast Support | Avast Customer Support

Leave a Reply

Your email address will not be published. Required fields are marked *