The first Google search result often leads to a virus

Topic

New Reply

ISSUE 18.39 • 2021-10-11 PUBLIC DEFENDER By Brian Livingston The top search result in Google is all too often a link to a website that’s been hacked t
[See the full post at: The first Google search result often leads to a virus]

13 users thanked author for this post.

windbg, mpw, wdburt1, AlexEiffel, lmacri, Mr. Natural, OscarCP, Charlie, DLivesInTexas, Sueska, abbodi86, klang, Alex5723

Reply | Quote

Replies

• Make Windows display file extensions, so you don’t click .js files posing as PDFs.

Windows Vista and later versions hide file extensions by default. With just a few clicks, you can force File Explorer and other programs to display these extensions, as explained in a CNET article.

How about an article ridiculing/shaming Microsoft for sticking with this default for so many years now?  Hiding file extensions is absurd.  (Then again, so is hiding parts of URL’s and disabling status bars in modern browsers). Perhaps some Luddites are confused by file extensions, but those hidden extensions come up time and again as an open door for malware to use as an easy entry point.

Those of us that know and care change the defaults, but the vast majority of users don’t even know that they should.  Thanks to Microsoft, far too many of those users become infected.  If their system just gets encrypted, then it’s just their problem.  But if their system becomes part of a botnet, many others can suffer as a result.  🙁

 

Reply | Quote

Linux doesn’t even add the extension to .txt files. And what about hiding System Files and Directories? Or not showing file attributes by default? So Windows is not alone in hiding extensions and other elements which can identify files and directories. Sometimes end users have to do some work to make an OS interface safer. And no, newbies won’t know or even care about these “details”.

-- rc primak

Reply | Quote

I use the duckduckgo search engine.  I submitted the Google queries you used in your article to duckduckgo.  The results list for the manual were different from yours, but still contained some very sketchy links within the top six.  I did not try following them.

Surprisingly, the party wall search yielded what appears to be the exact same result in the top position (except that the text excerpt is different).  Clicking on it yields the exact same website (a bogus forum) as shown in your case.

You say that Google is the only search engine that’s being targeted.  Does this not seem to indicate that that is not the case, and that other search engines also need to clean up their act?

Bret Sutton

1 user thanked author for this post.

OscarCP

Reply | Quote

Under the hood, DuckDuckGo is using the Google search engine. They just strip away most of the Google tracking and targeted advertising features.

-- rc primak

6 users thanked author for this post.

mshunfenthalaw, mpw, windbg, SueW, OscarCP, Charlie

Reply | Quote

You are totally correct.

The keyword here is “…they strip away most of…”.

1 user thanked author for this post.

mpw

Reply | Quote

thanks Brian – great article.

Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2

Dell Laptop - Inspiron 15 11th Generation Intel(R) Core(TM) i5-1135G7 Processor
Edition Windows 11 Home
Version 23H2

Reply | Quote

“It would be better to notify the operators that their hacked sites will be removed from search results starting today, until the affected servers are clean.”

I remember a few years back, AskWoody got blacklisted by either Google or one of those AV company advisory services, when the site got infected with a single-pixel piece of malware. It took months of bickering and untold money to find and clean up the malware, and to get Google to reinstate AskWoody in their search results.

This is not an ideal approach. Sorry, try again.

As for “don’t use Google”, that’s really like saying “use Linux”. If enough people shift to another provider, that provider becomes the new target of choice. And a vicious cycle results. “Security through obscurity” only works until the alternatives become popular.

(In the Linux example, there may be some (temporary) real security benefit, if new Linux users know and implement “hardening” techniques which are not turned on by default in Linux. But that’s beyond the scope of this thread.)

-- rc primak

2 users thanked author for this post.

OscarCP, Sueska

Reply | Quote

Two days ago I searched in Edge for ‘offline malware scanner’ on a newly-provisioned Windows 10 install.

Like anonymous above – I noticed several of the top few search results returned were all very suspect ads.

I don’t think the problem is confined to Google at all.

6 users thanked author for this post.

PDX5802, AlexEiffel, doriel, OscarCP, Sueska, rc primak

Reply | Quote

Ever tried searching Google for Malwarebytes? The top return used to be a malware fake AV. (I believe that’s been fixed for some time, but it’s not the only such ironic example.)

-- rc primak

Reply | Quote

rc primak wrote:

Ever tried searching Google for Malwarebytes? The top return used to be a malware fake AV. (I believe that’s been fixed for some time, but it’s not the only such ironic example.)

Two days ago… the top 3 results in Bing after search for malwarebytes free…

Click on image to enlarge

Reply | Quote

Any examples? Are you sure you’re not using Google from Edge? I just did that search (offline malware scanner) in Bing from Edge and didn’t get any suspicious ads.

Reply | Quote

I tried hard but wasn’t able to reproduce your results for both searches using Bing in Edge, even after disabling ad and tracking blockers (and also trying from an InPrivate window, and from my Android phone).

But what is suspicious about those ad results anyway? As an example, the third result in the first search, which is the same as the second result in the second search:

https://www.antivirussoftwareguide.com/anti-malware

Anything suspicious about that site? Anything there that’s dangerous like the javascript download from the top Google results in the article?

Reply | Quote

b wrote:

Anything suspicious about that site? Anything there that’s dangerous like the javascript download from the top Google results in the article?

From its Advertising Disclosure page:

In order to keep this website free to consumers, we receive advertising revenue from some of the antivirus companies featured which can impact how and where products appear the this site (including, for example, the order in which they appear, additional banner advertising and site behaviour such as direct downloads).

So, it admits that its results are biased based on the the payments it receives. Would I recommend a site with such clear conflicts of interest? No, I would not.

Is it suspicious? Yes… because it purports to do one thing (i.e. report on the best) yet openly admits skewing the results. I am suspicious of its motives. 🙂

 

Reply | Quote

Rick Corbett wrote:

Is it suspicious? Yes…

Is it dangerous? No…

Reply | Quote

You asked for examples… I provided examples.

You asked whether it’s suspicious… I provided my reasoning.

You ask whether it’s dangerous… but I’m not going to indulge you any more.

Reply | Quote

I asked whether there was anything dangerous there, and although you quoted the question you didn’t answer it:

b wrote:

Anything there that’s dangerous like the javascript download from the top Google results in the article?

Reply | Quote

B. Livingston wrote:

How to protect yourself against viruses in Google search results

Don’t use Google.

I haven’t used Google for a few years, now, since I first read about their paid rankings in search results.  My Firefox browser homepage is DuckDuckGo, and one of the links in my bookmarks toolbar is Startpage.

 

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

bbearren wrote:

I first read about their paid rankings in search results…one of the links in my bookmarks toolbar is Startpage

“In October 2019, Privacy One Group, owned by adtech company System1, acquired a majority stake in Startpage but, according to the company, its “founders may unilaterally reject any potential technical change that could negatively affect user privacy”.[”

Reply | Quote

Alex5723 wrote:

“In October 2019, Privacy One Group, owned by adtech company System1, acquired a majority stake in Startpage but, according to the company, its “founders may unilaterally reject any potential technical change that could negatively affect user privacy”

Yes, I read that too.

bbearren wrote:

My Firefox browser homepage is DuckDuckGo, and one of the links in my bookmarks toolbar is Startpage.

What I did not say is that I only use Startpage from a private window in Firefox.  It’s easy to get to from the bookmarks toolbar.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Hello, I think the article is interesting and gives good points. I would like to point out the with Firefox, at least with the 78 ESR, one can go to: HELP, “Report a Deceptive site” and send it off to Google.

If you are redirected to another site, quickly, go to: Help, Report a Deceptive site, and it will switch the site over to Google with the web address it captured. You can then give comments and send it on its way to them for review.

2 users thanked author for this post.

AlexEiffel, Charlie

Reply | Quote

What can I do to prevent this from happening on a Chromebook?

Reply | Quote

I just assume that the ads at the top of the search results are sketchy.  I don’t click on them.  I will scroll down past the ads to find what appears to be a real url for a real company that at least seems to be related to my search.  I still hover over the address to check that it matches what I think it should be.  May not be foolproof but it seems to work.

 

As far as the ads are concerned, I don’t feel like contributing to an advertising campaign, that might not be what it appears to be.

2 users thanked author for this post.

wdburt1, OscarCP

Reply | Quote

I realize that increasingly I am instinctively skipping those “ad” results, too–though based on Brian’s good article I will have to pay attention more consistently.

I increasingly inspect URL’s before opening.

And my internet computer is armed to the teeth.

What’s troubling is that I don’t see what other meaningful steps I can take to protect myself from this sudden-death malware infection scenario, day in and day out.  I use Google a lot.  As has been said above, another search engine will be targeted as soon as it becomes popular.

 

Reply | Quote

Common Sense is still usable, IF available to you!

It would be C.S. that the main URL to a company called Malwarebytes, whose main product is called Malwarebytes, is probably NOT going to be something like:

irapeyourdogstealyourstuffandhumpuranus.biz

Unless that is a new Facezuck mirror?

Reply | Quote

Is this much more likely to happen when one is looking for some kind of commonly sought after information, rather than for information on more specialized topics?

For example, is the risk of infection with malware quite different when looking for information on “current US bank mortgage rates”, versus “use of reflectometry from LEO satellites to quantify sea state”? Or does the malware echoes the key words in the title of the bogus Web page, so the topic being searched does not matter all that much?

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

wdburt1

Reply | Quote

As far as I have knowledge of, it hasn’t happened to me. I was looking for advise. I have the information from the replies given to safely navigate Google searches.

 

Thanks.

Reply | Quote

Funny thing, that same question occurred to me just now but I couldn’t frame it well, so didn’t.

I have a hunch that my specialized searches might not be targeted so much.  Certainly, a dead-on-result from an unfamiliar web site would stand out.

 

1 user thanked author for this post.

OscarCP

Reply | Quote

What Brian’s article describes is malicious SEO (Search Engine Optimization), and he happens to illustrate how that affects the results on Google, because Google is the biggest target for the bad actors.

As has been illustrated above by others, this also has happened to Bing. I would venture a guess that it has also happened to Yahoo and StartPage as well, since they are search engines themselves in their own right.

As has also been pointed out above by @rc-primak , DuckDuck Go is the same as Google, but stripped of Google’s unwelcome invasion of privacy, so it can be affected by malicious SEO as well.

Basically, be careful sifting through results for searches, and pay attention to the actual URLs of the links provided by hovering your mouse over them to make sure they go where the text in the result says they go. One way to help this concept out is to have your browser display what’s called “punycode” that can make text look like one word but actually be another. @Microfix can fill in the details of exactly what punycode is more than this basic explanation.

 

Reply | Quote

Bob99 wrote:

As has been illustrated above by others, this also has happened to Bing.

No one in this thread found a malicious JavaScript file via Bing.

Reply | Quote

@Bob99 was not talking about a malicious JavaScript file via Bing but rather about malicious SEO (Search Engine Optimization) skewing search results across different search engine platforms. 🙂

Reply | Quote

No one in this thread discovered any malicious SEO via Bing either.

The article was specifically NOT about paid advertisements appearing in search results:

There’s a good chance that the user will click the Google link that shows up, because the search hit looks like a natural result, given that it’s not a paid ad or a sponsored link.

Search crimes – how the Gootkit gang poisons Google searches

Reply | Quote

Macs always display the file extension, wherever and whenever a file is listed inside a folder, or appears on the desktop, or is listed using the command line: in all cases and circumstances. Also I don’t remember the file extensions being hidden in Windows 7. So I am surprised to hear about this.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

Macs always display the file extension, wherever and whenever a file is listed inside a folder, or appears on the desktop, or is listed using the command line: in all cases and circumstances.

Showing the file extension is also an option in MacOS, not the default.
Your Mac shows file extensions becaue the box was checked at some point by whoever changed it.

Reply | Quote

PK, My Mac came like this from Apple, i.e. set to show the file extensions, the day I bought it, so I did not realize that the fiddle you point out even existed.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

Also I don’t remember the file extensions being hidden in Windows 7. So I am surprised to hear about this.

Woody campaigned against file extensions being hidden by default in Windows 7 for years:

woody wrote:

Yet another reason for showing filename extensions
Posted on April 19th, 2016 at 13:05 by woody

I take flak, from time to time, from well-intentioned folks who say my insistence on having Windows show filename extensions is archaic.

Take a look at this report from Microsoft that describes several Trojans and how they’re dropped in spam emails.

If the person who created the screenshots had filename extensions turned off, the telltale “.js” wouldn’t appear in the listings of zipped files.

woody wrote:

From page 3 of “Windows 7 All-In-One For Dummies” –

Click Start and pick Documents. Press the Alt key on your keyboard. Choose Tools > Folder options, then click to select the View tab. At the bottom of the Advanced Settings box, deselect the option marked “Hide Extensions for Known File Types.” Click OK.

2 users thanked author for this post.

rc primak, OscarCP

Reply | Quote

Some people commented that Duckduckgo’s search results are from Google. In the past and from what I found online with a quick search, it doesn’t come from Google at all.

Maybe that is why I got frustrated with them quickly after trying it for a few days a while ago.

Excerpt from Wikipedia :

“DuckDuckGo’s results are a compilation of “over 400″ sources, including Yahoo! Search BOSS, Wolfram Alpha, Bing, Yandex, its own web crawler (the DuckDuckBot) and others. It also uses data from crowdsourced sites, including Wikipedia, to populate knowledge panel boxes to the right of the results.”

Unfortunately, I don’t find that anything else comes close to Google.

That was a great article from Brian, again.

This might be a threat that could become even worse than email because normal users have a harder time identifying those search results they looked for as illegitimate than an unexpected email.

Using SRP like someone mentioned or hardened mode in Avast or an equivalent seems like a good idea to mitigate the risk in part. Again, Microsoft, why do you keep Applocker unavailable to Home and Pro version? Security shouldn’t be an option for big businesses only in your OS, especially when it involves no costly ongoing maintenance like it is probably the case for Applocker. If you can give Defender to everyone, sure you could include Applocker.

4 users thanked author for this post.

wavy, windbg, OscarCP, Charlie

Reply | Quote

You should not be relying on your antivirus program to protect you from malicious web sites. If they are not clearly marked as ads, there should be some way to distinguish between legitimate sites and malicious or simply useless sites.

As of now, there is no sure-fire way to tell the difference between a bad site and a good one, except after you’ve been there. And don’t get me started on reputation services — it took a long, hard struggle to get such services to reinstate AskWoody after a single-pixel injection malware attack here a few years back.

-- rc primak

Reply | Quote

rc primak: “As of now, there is no sure-fire way to tell the difference between a [Web site that is a] bad site and a  good one, except after you’ve been there”

Quite true, unfortunately. The way of the world, Internet-wise, is going to turn us all into suspicious, sniffing bloodhounds seeking the scent of our possibly awaiting doom. (Phrasing purple enough for you?)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

rc primak

Reply | Quote