Tell HN: Google returning 'Untitled' results that redirect to malware/spam
Google deleted a support thread posted 3 days ago about this issue [0]. There are a few comments on a HN thread from yesterday [1] which mention this issue as well. A reddit thread is active on /r/google about this issue [2].
Something seems to have gone wrong at Google to allow so many fake results to pollute so many different search queries. There have been many discussions on HN lately about how the quality of Google's search results have gone down, but until now I've never seen them become a massive influx of possibly malicious spam.
[0] https://support.google.com/chrome/thread/147896848/i-have-untitled-google-search-results-on-almost-everytging-and-it-redirects-me-to-malware-website?hl=en-GB
[1] https://news.ycombinator.com/item?id=30086059
[2] https://www.reddit.com/r/google/comments/seio29/is_anyone_else_getting_these_untitled_google/
102 comments
[ 3.0 ms ] story [ 175 ms ] thread8 of 10 look actively malicious. 6 of 10 are "Untitled"
Image: https://drive.google.com/file/d/11O1_awYptJ9mKzn-w9T45fpNPj4...
----
This is unusual and has been happening regularly for me over the past week
----
EDIT: This isn't malware. Reproducible on my phone.
This is based on my Google account, my dev-based account returns the majority of results as malicious. My personal account returns relevant results.
https://i.imgur.com/t7JPARg.png
Looking at some of the results from your screenshot more closely, they appear to be hacked Plesk[0] sites like geocrasher describes here: https://news.ycombinator.com/item?id=30117918
[0] https://www.plesk.com/
Hit the drop down error to the right of the shortened url to see the cached page.
`update-rc.d command not found`
`baselayerchange leaflet react`
`gnome-disks permisions denied`
`chart.js more points than labels` <-- this one has two untitled results, but only one of them redirects to a spam site
Google is notoriusly bad add respecting my browser language. I more often than not get the login page in languages different than my browser language. (I only log in when I really want to use some personal service, which is not that often).
For what little it's worth, aside from some schadenfreude, it didn't pull up the spam link on DDG. ;)
http://webcache.googleusercontent.com/search?q=cache:WdHknYu...
This is an HTML page on a WordPress site. A hacked WordPress site. It's SEO spam and is rather successful. It's not a proper page and so has no title, but has all the keywords for a search and a bunch of links at the bottom that it's trying to rank higher for whatever search.
This isn't Google's fault necessarily but rather there are compromised WordPress sites out there that look fine to the owner, but when the referrer is Google, or the user-agent is the google bot, the website produces different results than if a human is viewing it.
There is an official Google publication on this phenomenon that was published a really long time ago, but I'm unable to find it anywhere. Would anyone reading this perhaps know where to find it?
https://webcache.googleusercontent.com/search?q=cache:cNRRR8... (archived: https://archive.is/V6963)
The query is "blaze sql sql", but I don't see results like those now.
[1] https://news.ycombinator.com/item?id=28635313
Regardless of these issues being related or not, Google definitely don't care as much about the quality of their products as they did 10 years ago.
Good riddance, big-G can't seem to stop fucking themselves over with regard to user trust at this point. It must truly be a royal mess on the inside, because the growing cracks are very publicly visible.
Edit: It looks like today they announced the reversal of their stupid plan to take away the legacy g-suites? https://techcrunch.com/2022/01/28/google-will-let-legacy-g-s...
Shrug, all the back-and-forth still signals a huge cluster bomb on the inside. Everyone just wants promo.
See also: https://news.ycombinator.com/item?id=30114343
It's sad to see what the benevolent mission of "help the world organize it's data" has devolved into. Instead of growing into something pretty, it's becoming more and more petty- nickel and diming us to the max, even when they're already making boatloads of money.
There is no end to The Greed.
Now that everyone is locked in, the anti-spam efforts can be pared back, since nobody gets promoted in Google for doing their job well. Only for inventing a new job to do.
But how hard can it be to continue flagging obvious spam? I agree that flagging real email as spam can be harder to avoid, but the number of patently clear spam going to the inbox is beyond ridiculous.
I also dont understand why MS need a system in MS Edge (SmartScreen) which blocks you from accessing a website, yet the link to the website appear in the bing results, you would have thought Bing and SmartScreen would use the same data!?!
The only other thing I would check is that your system hasnt been hacked are you are seeing a Man In The Middle attack ie a fake google website and search results directing you to malicious websites via the search results.
Lets face it, how do you tell you are on the correct website and not some MITM website? Security certs dont tell you anything if the certificate company has had their root certs stolen or duplicated under a court order.
It does seem consistent with the big tech pattern of stalking, and coercion through dark patterns.
Edit - it's possible that they don't store which domain names files are downloaded from and only store binary file hashes, which would be another explanation for Bing not knowing the site is bad.
What's worse is recently I searched for home depot, clicked on the top result (an ad), that clearly listed the destination URL as homedepot.com. Ended up with a malware site with multiple pop ups claiming I had a virus and had to install some plugin to fix things.
Feels quite a bit like yahoo used to: sketchy ads, malware, spam, payroll loans, etc.
If DKIM, SPF, or DMARC record validity, or even past conversations don't matter for deliverability, what does? I'm beginning to think even Google doesn't really have these types of answers anymore.
https://news.ycombinator.com/item?id=30078971
Look, I think of myself as a decently smart guy, not a sucker, etc. But at 2am when exhausted from moving and just wanting to check something off a list...I got got.
It was my mistake. I trusted Google. Google's top result took me to one of the thousands of identical copies of the official USPS change address forms that charge $49. Could have been worse, I guess.
Does anyone have an explanation for this? I've heard such claims before, but I'd like to see it to believe it. I could perhaps imagine yet another unicode "feature" (non-printing characters or some very subtle combining characters or a font variant?) being abused for this. On the other hand, part of me wants to believe that despite all their failings, there's no way Google wouldn't have thought of that and prevented it. Right?
EDIT: Somewhat recently I tried to find out if this is true after someone claimed they had had a legit URL lead them to a phishing site, but the only juice I found is the same old: typo-squatting. Just now showing up in big G's results. Apparently e.g. homedopet.com leads to a site that uBlock doesn't want me to visit (badware risks). On the other hand homedepet.com and homodepot.com took me to the right site.
The home depot search result labeled as an "ad", but shown inline, with an easy to miss small gray font mentioning the URL. Much like if you search for ace hardware now, I did notice that home depot searches no longer shows an ad.
I normally have zero plugins enabled, but I did discover I had a keybase plugin installed, from before zoom bought them. I've since disabled it and am considering a reinstall.
The URL it sent me to was: http://34.220.130.1/window-security-alert/werrx01/, which at the time worked (visit at your own risk). But I tried it just now and it now triggered a chrome warning about "Deceptive site ahead".
It's gotten very frustrating in the last year or so. I barely leave "Verbatim" mode (and hate that it's so many clicks each time to activate it). But with or without that, I frequently have the situation where I search for something very specific and technical, just to get pages of pages of search results for sites that have names similar to "techgeekhowto", telling me how to reboot my Mac. It's maddening.
Disclaimer: DDG user mostly.
I'm looking into the thread deletion, but I believe anyone who starts their own thread can delete it. That aside, as I shared elsewhere here, this is spam, not malware. We appreciate the reports and apologize our spam systems weren't doing a better job. We're working to improve that now.
I have no idea how you could possibly fubar that up. No idea what is going on with Google's spam handling.
The commonality is that they seem to keyword stuff obscure keywords and even phrases (possibly by randomly brute forcing or re-combining text fragments into synthesized sentences.) and they all redirect one or more times, prevent the back button from working and land on some kind of suspicious page that is almost certainly hosting some kind of malware. The only way out is to close the tab and start over. I'd imagine things would be much worse without ublock installed.
The cynic in me can see good reasons for both Google and Microsoft to be okay with this.
If I don't add 'GitHub' it likely won't show up, and if I do there is no guarantee either.
This never happened in my life until the past two months. Some many things are very wrong right now.
These initially seem fine, and it’s only when you repeatedly search the same topic that you notice the stolen content. You can tell the legit site by having bylines, references, and fewer ads.
Google seems to weight them the same, which is near malicious: it has the history to show primacy.
You can press and hold the back button to reveal a list of previous urls. Useful to evade forced redirect like this because you can "jump" directly to the last google search url.
And speaking of tension, HN is clearly of two minds here. We have this article and we have "Google de-indexed my site [[that I didn't realize was hosting malware]] for no reason!" outrage parties.
It could also be local malware - cross checking between users would be a good test for this.
This isn't malware. Reproducible on my phone.
This is based on my Google account, the majority of results for my dev account are malicious.
I've also recently been trying out Kagi (invite-only beta, will eventually be a paid search engine), and I've so far been extremely happy with their search results. I'm a bit uncomfortable with it; since it requires a login, they can easily tie search history to you even if you use private browsing or a VPN. (They claim they don't do this, but I'd rather not have to trust.)
For mobile search, unfortunately, it’s not there yet - Google has such a commanding lead in POIs, opening hours and the like.
sites like newspapers, SO, wikipedia, and even twitter, which have active moderation of all content, can stay ahead of this in a way that platforms can't
we all assume that 'only ads above the fold' is intentional by goog to bolster failing margins, but what if it's a problem they can't fix because their tools have outgrown their quality control?
in 2012 google thought the indexing algorithm was its immune system, but today it's the site of infection. (maybe it always was)
https://www.nature.com/scitable/knowledge/library/dynamics-o...
> Parasites with complex life cycles require two hosts; in some of these systems, prey function as intermediate hosts for the parasite, with predators acting as primary hosts. Parasites can manipulate the behavior of the intermediate host to make transmission to the primary host more likely.
not sure who is who in this metaphor
Edit:// they are localized! I just checked on my phone which uses German Google and it says 'Ohne Titel' (so without title)
Actually, you can go ahead to such a spam page and view the index.html page of the current folder and what you will get is an HTML file with PHP code, which is not interpreted by the PHP interpreter, because the file has a dot HTML extension.
In the script, you can see from where the script fetches the displayed data and from which IPs the data is requested and received.
I copied such an index.html file into a gist: https://gist.github.com/devidw/ce2bdb78bb2e30a8e8437acc2c587...
I also wrote a blog post about the details of what is happening in the PHP script: https://david.wolf.gdn/google-untitled-links-i-found-the-sou...