Malware/Phishing Indicators
Critical Severity

What This Check Measures
This check identifies whether a website is potentially malicious, including:
- Known malware distribution sites — Sites flagged by Google Safe Browsing
- Phishing attempts — Fake login pages designed to steal credentials
- Typosquatting — Domains that mimic legitimate brands (e.g., "gooogle.com")
- Suspicious URL patterns — Obfuscated payloads, redirect chains, tracking IDs
- Suspicious TLDs — Domains using high-risk top-level domains like .click, .download
Why It Matters
Malware and phishing sites can:
- Steal user credentials, credit card numbers, and personal data
- Install malware, ransomware, or spyware on visitors' devices
- Damage your reputation if your site links to malicious content
- Result in search engine blacklisting and browser warnings
How Data Is Obtained
Source File
src/checks/safety.check.js
Functions Used
- SafetyCheck.analyze(url) — Main entry point
- detectPhishingIndicators(url, hostname) — Heuristic pattern matching
- checkDomainReputation(hostname, url) — Domain analysis
Inputs
- url — The full URL being analyzed
- hostname — Extracted domain name via new URL(url).hostname
- response.data — HTTP response body (for keyword analysis)
External Services
| Service | Environment Variable | Purpose |
|---|---|---|
| Google Safe Browsing API v4 | GOOGLE_SAFE_BROWSING_API_KEY | Check against Google's malware/phishing database |
Libraries
axios— HTTP requests to Google Safe Browsing API and target URL
Detection Methods
1. Google Safe Browsing API (Primary)
If GOOGLE_SAFE_BROWSING_API_KEY is configured, the check queries Google's threat database for:
- MALWARE — Sites distributing malicious software
- SOCIAL_ENGINEERING — Phishing and deceptive sites
- UNWANTED_SOFTWARE — Potentially unwanted programs
- POTENTIALLY_HARMFUL_APPLICATION — Dangerous mobile apps
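The request and response shapes of that lookup, as an added example that is not the project's own safety.check.js: it builds the v4 threatMatches:find body for the four threat types, interprets the `matches` array the API returns, and maps the outcome onto the page's status values. The HTTP transport is passed in as a function (the project uses axios; a stub stands in here so the code runs offline), the API key is a labelled placeholder, and the sample response is constructed rather than captured from the service.

```javascript
// Added example of the Google Safe Browsing v4 threatMatches:find exchange.
// This is not the project's safety.check.js; the HTTP call is injected as a
// function so the example runs offline.
const SAFE_BROWSING_ENDPOINT = 'https://safebrowsing.googleapis.com/v4/threatMatches:find';

// The four threat types the page says the check asks about.
const THREAT_TYPES = [
  'MALWARE', 'SOCIAL_ENGINEERING', 'UNWANTED_SOFTWARE', 'POTENTIALLY_HARMFUL_APPLICATION',
];

// Request body for a single-URL lookup. clientId/clientVersion identify the
// caller to Google; the values here are assumed placeholders.
function buildSafeBrowsingRequest(url) {
  return {
    client: { clientId: 'example-site-checker', clientVersion: '0.0.1' },
    threatInfo: {
      threatTypes: THREAT_TYPES,
      platformTypes: ['ANY_PLATFORM'],
      threatEntryTypes: ['URL'],
      threatEntries: [{ url }],
    },
  };
}

// The API answers `{}` for a clean URL and `{ matches: [...] }` otherwise,
// one entry per (threatType, platformType) pair. Return the distinct threat
// types so the caller can report them; [] means no match.
function parseSafeBrowsingResponse(body) {
  if (!body || !Array.isArray(body.matches)) return [];
  return [...new Set(body.matches.map((m) => m.threatType).filter(Boolean))];
}

// Map the lookup result onto the page's status values. `null` (no API key
// configured) becomes `info`, since the page says full detection needs the key.
function safeBrowsingStatus(threatTypes) {
  if (threatTypes === null) return 'info';
  return threatTypes.length ? 'fail' : 'info';
}

// `post(endpoint, body)` must return a Promise of the parsed JSON body; in the
// project that would be axios.post(...).then((r) => r.data). Rejections are
// left to propagate so the caller can map them to the page's `error` status.
async function querySafeBrowsing(url, apiKey, post) {
  if (!apiKey) return null;
  const endpoint = `${SAFE_BROWSING_ENDPOINT}?key=${encodeURIComponent(apiKey)}`;
  const body = await post(endpoint, buildSafeBrowsingRequest(url));
  return parseSafeBrowsingResponse(body);
}

// Constructed sample response (not captured from the real API) for offline use.
const SAMPLE_MATCH_RESPONSE = {
  matches: [
    { threatType: 'SOCIAL_ENGINEERING', platformType: 'ANY_PLATFORM', threatEntryType: 'URL',
      threat: { url: 'http://phish.example.test/login' }, cacheDuration: '300s' },
    { threatType: 'MALWARE', platformType: 'ANY_PLATFORM', threatEntryType: 'URL',
      threat: { url: 'http://phish.example.test/login' }, cacheDuration: '300s' },
  ],
};

// Stub transport that returns the sample above without touching the network.
const fakePost = async (endpoint, body) => SAMPLE_MATCH_RESPONSE;

querySafeBrowsing('http://phish.example.test/login', 'PLACEHOLDER_API_KEY', fakePost)
  .then((types) => console.log(safeBrowsingStatus(types), types));
```

Two details worth keeping in mind when wiring this to a real transport: a clean URL comes back as an empty object rather than an empty `matches` array, which is why the parser checks for the array explicitly, and a transport failure should surface as the page's `error` status, not as a silent `info`.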
2. Phishing Pattern Detection (Fallback)
The detectPhishingIndicators() function checks for:
Obfuscated Payloads
/\/[A-Za-z0-9+/]{50,}={0,2}($|\?|\/)/i
Long base64-encoded strings in URL paths or query parameters
Suspicious URL Patterns
- Click/download redirect domains: .click, .download TLDs
- Tracking parameters: click_id, zoneid, landing_id
- Phishing keywords: verify, confirm password, urgent action
- IP addresses instead of domain names
- Redirect URLs: /redirect?, /click?, /out?
Typosquatting Detection
Checks for misspellings of major brands:
- /goog+le/i — Multiple 'o's or 'g's
- /faceb+ook/i — Extra letters in Facebook
- /amazo+n/i, /microso+ft/i, /paypa+l/i
3. Domain Reputation Check
The checkDomainReputation() function flags:
Suspicious TLDs
.shop, .click, .download, .stream, .trade, .site, .online, .website, .app, .store, .host, .cloud, .work, .top, .bid, .faith, .review, .tk, .ml, .ga, .cf
Red Flags on Suspicious TLDs
- Random character subdomains
- Generic financial brand names (bank, crypto, wallet, trading)
- Multiple subdomain segments
- Numeric tracking IDs in query parameters
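The fallback heuristics of sections 2 and 3 written out as pure functions, as an added example rather than the project's own src/checks/safety.check.js. The regex, keyword lists, TLD list and brand patterns are taken from the page; everything else is an assumption of this example and is marked as such in the comments: the brand regexes also match the correctly spelled brand (and /goog+le/ accepts extra g's but not the extra o in "gooogle.com"), so a hit only counts when the matched text differs from the real spelling; "random subdomain" is approximated as a long label mixing letters and digits or nearly vowel-free; "multiple subdomain segments" means more than three labels; a numeric tracking ID is a query value of six or more digits; and a suspicious TLD alone is treated as an indicator. The sample URLs are constructed and do not refer to real sites.

```javascript
// Added example, not the project's safety.check.js: the fallback heuristics
// as pure functions returning the indicators they found. Lists and regexes
// are the page's; thresholds marked "assumed" are this example's.

const OBFUSCATED_PAYLOAD = /\/[A-Za-z0-9+/]{50,}={0,2}($|\?|\/)/i;
const REDIRECT_TLDS = ['.click', '.download'];
const TRACKING_PARAMS = ['click_id', 'zoneid', 'landing_id'];
const PHISHING_KEYWORDS = ['verify', 'confirm password', 'urgent action'];
const REDIRECT_PATHS = ['/redirect?', '/click?', '/out?'];
const IPV4_HOST = /^\d{1,3}(\.\d{1,3}){3}$/;
// The page's brand regexes also match the real brand, so a hit only counts
// when the matched text differs from the correct spelling.
const TYPOSQUAT_PATTERNS = [
  { brand: 'google', re: /goog+le/i },
  { brand: 'facebook', re: /faceb+ook/i },
  { brand: 'amazon', re: /amazo+n/i },
  { brand: 'microsoft', re: /microso+ft/i },
  { brand: 'paypal', re: /paypa+l/i },
];
const SUSPICIOUS_TLDS = ['.shop', '.click', '.download', '.stream', '.trade', '.site',
  '.online', '.website', '.app', '.store', '.host', '.cloud', '.work', '.top', '.bid',
  '.faith', '.review', '.tk', '.ml', '.ga', '.cf'];
const FINANCIAL_TERMS = ['bank', 'crypto', 'wallet', 'trading'];

// Query parameters of a URL, or an empty set when the URL does not parse.
function safeParams(url) {
  try { return new URL(url).searchParams; } catch { return new URLSearchParams(); }
}

function detectPhishingIndicators(url, hostname) {
  const found = [];
  const host = hostname.toLowerCase();
  let decoded = url;
  try { decoded = decodeURIComponent(url); } catch { /* keep raw URL on bad escapes */ }
  const lower = decoded.toLowerCase();   // so "confirm%20password" still matches
  const params = safeParams(url);

  if (OBFUSCATED_PAYLOAD.test(url)) found.push('obfuscated-payload');
  if (REDIRECT_TLDS.some((t) => host.endsWith(t))) found.push('redirect-tld');
  // Tracking parameters are matched as query keys, not as substrings of the URL.
  if (TRACKING_PARAMS.some((p) => params.has(p))) found.push('tracking-parameter');
  if (PHISHING_KEYWORDS.some((k) => lower.includes(k))) found.push('phishing-keyword');
  if (IPV4_HOST.test(host)) found.push('ip-address-host');
  if (REDIRECT_PATHS.some((p) => lower.includes(p))) found.push('redirect-url');
  for (const { brand, re } of TYPOSQUAT_PATTERNS) {
    const m = host.match(re);
    if (m && m[0].toLowerCase() !== brand) found.push(`typosquat:${brand}`);
  }
  return found;
}

// Assumed heuristic for a "random character subdomain": a label of 8+ chars
// that mixes letters and digits, or that is almost vowel-free.
function looksRandom(label) {
  if (label.length < 8) return false;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return (/\d/.test(label) && /[a-z]/.test(label)) || vowels / label.length < 0.2;
}

function checkDomainReputation(hostname, url) {
  const host = hostname.toLowerCase();
  const labels = host.split('.');
  // Last label only; every TLD on the page's list is single-label.
  const suspiciousTld = SUSPICIOUS_TLDS.includes('.' + labels[labels.length - 1]);
  const redFlags = [];
  if (suspiciousTld) {                       // red flags are scored only on suspicious TLDs
    const subdomains = labels.slice(0, -2);  // labels left of the registrable name
    if (subdomains.some(looksRandom)) redFlags.push('random-subdomain');
    if (FINANCIAL_TERMS.some((t) => host.includes(t))) redFlags.push('financial-brand-term');
    if (labels.length > 3) redFlags.push('multiple-subdomains');        // assumed threshold
    const values = [...safeParams(url).values()];
    if (values.some((v) => /^\d{6,}$/.test(v))) redFlags.push('numeric-tracking-id'); // assumed length
  }
  return { suspiciousTld, redFlags };
}

// Combine both fallback checks into the page's status vocabulary. Counting a
// suspicious TLD alone as an indicator is an assumption of this example.
function analyzeHeuristics(url) {
  const hostname = new URL(url).hostname;
  const indicators = detectPhishingIndicators(url, hostname);
  const { suspiciousTld, redFlags } = checkDomainReputation(hostname, url);
  if (suspiciousTld) indicators.push('suspicious-tld');
  indicators.push(...redFlags);
  return { hostname, status: indicators.length ? 'fail' : 'info', indicators };
}

// Constructed sample URLs (not real sites) for a quick run.
for (const sample of [
  'https://www.google.com/search?q=safety',
  'https://secure-login.example.click/verify?click_id=12345',
  'https://a8f3k2m9x1.bank-secure.login.example.top/?id=9876543',
]) console.log(analyzeHeuristics(sample));
```

Note that `.click` and `.download` appear in both the phishing list and the reputation list, so a URL on one of those TLDs is reported twice (`redirect-tld` and `suspicious-tld`), exactly as the page's two sections describe it; a caller that wants a single count should dedupe the indicator list before scoring.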
Status Values
| Status | Meaning |
|---|---|
| fail | Malware, phishing, or suspicious patterns detected. The site is potentially dangerous. |
| info | No threats detected, but full malware detection requires Google Safe Browsing API integration. |
| error | The check could not complete (e.g., API failure, network timeout). |
Severity: Critical
This check has critical severity because:
- Malware can immediately harm users visiting the site
- Phishing directly leads to credential theft
- User safety should never be compromised
Impact on Category Score
Special Rule: Score Override
If malware or phishing is detected (status === 'fail'), the entire Safety & Threats category score is forced to 0, regardless of other check results.
```javascript
// malwareFlag is true when the safety check returned status === 'fail'
if (malwareFlag) {
  score = 0;
}
return {
  category: 'Safety & Threats',
  score,
  malwareDetected: malwareFlag
};
```