  • The first Google search result often leads to a virus

    #2395065

    ISSUE 18.39 • 2021-10-11
    PUBLIC DEFENDER
    By Brian Livingston

    The top search result in Google is all too often a link to a website that’s been hacked t
    [See the full post at: The first Google search result often leads to a virus]

    12 users thanked author for this post.
    • #2395085
      • Make Windows display file extensions, so you don’t click .js files posing as PDFs.

      Windows Vista and later versions hide file extensions by default. With just a few clicks, you can force File Explorer and other programs to display these extensions, as explained in a CNET article.

      How about an article ridiculing/shaming Microsoft for sticking with this default for so many years now?  Hiding file extensions is absurd.  (Then again, so is hiding parts of URLs and disabling status bars in modern browsers). Perhaps some Luddites are confused by file extensions, but those hidden extensions come up time and again as an open door for malware to use as an easy entry point.

      Those of us that know and care change the defaults, but the vast majority of users don’t even know that they should.  Thanks to Microsoft, far too many of those users become infected.  If their system just gets encrypted, then it’s just their problem.  But if their system becomes part of a botnet, many others can suffer as a result.  🙁

       

      • #2395106

        Linux doesn’t even add the extension to .txt files. And what about hiding System Files and Directories? Or not showing file attributes by default? So Windows is not alone in hiding extensions and other elements which can identify files and directories. Sometimes end users have to do some work to make an OS interface safer. And no, newbies won’t know or even care about these “details”.

        -- rc primak

    • #2395069

      I use the duckduckgo search engine.  I submitted the Google queries you used in your article to duckduckgo.  The results list for the manual were different from yours, but still contained some very sketchy links within the top six.  I did not try following them.

      Surprisingly, the party wall search yielded what appears to be the exact same result in the top position (except that the text excerpt is different).  Clicking on it yields the exact same website (a bogus forum) as shown in your case.

      You say that Google is the only search engine that’s being targeted.  Does this not seem to indicate that that is not the case, and that other search engines also need to clean up their act?

      Bret Sutton

      1 user thanked author for this post.
      • #2395107

        Under the hood, DuckDuckGo is using the Google search engine. They just strip away most of the Google tracking and targeted advertising features.

        -- rc primak

        6 users thanked author for this post.
        • #2395700

          You are totally correct.

          The keyword here is “…they strip away most of…”.

          1 user thanked author for this post.
          mpw
    • #2395097

      thanks Brian – great article.

    • #2395108

      “It would be better to notify the operators that their hacked sites will be removed from search results starting today, until the affected servers are clean.”

      I remember a few years back, AskWoody got blacklisted by either Google or one of those AV company advisory services, when the site got infected with a single-pixel piece of malware. It took months of bickering and untold money to find and clean up the malware, and to get Google to reinstate AskWoody in their search results.

      This is not an ideal approach. Sorry, try again.

      As for “don’t use Google”, that’s really like saying “use Linux”. If enough people shift to another provider, that provider becomes the new target of choice. And a vicious cycle results. “Security through obscurity” only works until the alternatives become popular.

      (In the Linux example, there may be some (temporary) real security benefit, if new Linux users know and implement “hardening” techniques which are not turned on by default in Linux. But that’s beyond the scope of this thread.)

      -- rc primak

      2 users thanked author for this post.
    • #2395110

      Two days ago I searched in Edge for ‘offline malware scanner’ on a newly-provisioned Windows 10 install.

      Like anonymous above – I noticed several of the top few search results returned were all very suspect ads.

      I don’t think the problem is confined to Google at all.

      6 users thanked author for this post.
      • #2395120

        Ever tried searching Google for Malwarebytes? The top return used to be a malware fake AV. (I believe that’s been fixed for some time, but it’s not the only such ironic example.)

        -- rc primak

        • #2395124

          Ever tried searching Google for Malwarebytes? The top return used to be a malware fake AV. (I believe that’s been fixed for some time, but it’s not the only such ironic example.)

          Two days ago… the top 3 results in Bing after search for malwarebytes free

          bing_search_for_mbam


    • #2395132

      Any examples? Are you sure you’re not using Google from Edge? I just did that search (offline malware scanner) in Bing from Edge and didn’t get any suspicious ads.

      bing_results_for_offline_malware_scanner

      • #2395196

        I tried hard but wasn’t able to reproduce your results for both searches using Bing in Edge, even after disabling ad and tracking blockers (and also trying from an InPrivate window, and from my Android phone).

        But what is suspicious about those ad results anyway? As an example, the third result in the first search, which is the same as the second result in the second search:

        https://www.antivirussoftwareguide.com/anti-malware

        Anything suspicious about that site? Anything there that’s dangerous like the javascript download from the top Google results in the article?

        Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

        • #2395368

          Anything suspicious about that site? Anything there that’s dangerous like the javascript download from the top Google results in the article?

          From its Advertising Disclosure page:

          In order to keep this website free to consumers, we receive advertising revenue from some of the antivirus companies featured which can impact how and where products appear the this site (including, for example, the order in which they appear, additional banner advertising and site behaviour such as direct downloads).

          So, it admits that its results are biased based on the payments it receives. Would I recommend a site with such clear conflicts of interest? No, I would not.

          Is it suspicious? Yes… because it purports to do one thing (i.e. report on the best) yet openly admits skewing the results. I am suspicious of its motives. 🙂

           

          • #2395414

            Is it suspicious? Yes…

            Is it dangerous? No…

            Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

            • #2395423

              You asked for examples… I provided examples.

              You asked whether it’s suspicious… I provided my reasoning.

              You ask whether it’s dangerous… but I’m not going to indulge you any more.

            • #2395440

              I asked whether there was anything dangerous there, and although you quoted the question you didn’t answer it:

              Anything there that’s dangerous like the javascript download from the top Google results in the article?

              Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

    • #2395168

      How to protect yourself against viruses in Google search results

      Don’t use Google.

      I haven’t used Google for a few years, now, since I first read about their paid rankings in search results.  My Firefox browser homepage is DuckDuckGo, and one of the links in my bookmarks toolbar is Startpage.

       

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

    • #2395182

      I first read about their paid rankings in search results…one of the links in my bookmarks toolbar is Startpage

      In October 2019, Privacy One Group, owned by adtech company System1, acquired a majority stake in Startpage but, according to the company, its “founders may unilaterally reject any potential technical change that could negatively affect user privacy”.

      • #2395208

        “In October 2019, Privacy One Group, owned by adtech company System1, acquired a majority stake in Startpage but, according to the company, its “founders may unilaterally reject any potential technical change that could negatively affect user privacy”

        Yes, I read that too.

        My Firefox browser homepage is DuckDuckGo, and one of the links in my bookmarks toolbar is Startpage.

        What I did not say is that I only use Startpage from a private window in Firefox.  It’s easy to get to from the bookmarks toolbar.


    • #2395186

      Hello, I think the article is interesting and gives good points. I would like to point out that with Firefox, at least with the 78 ESR, one can go to: HELP, “Report a Deceptive site” and send it off to Google.

      If you are redirected to another site, quickly, go to: Help, Report a Deceptive site, and it will switch the site over to Google with the web address it captured. You can then give comments and send it on its way to them for review.

      2 users thanked author for this post.
    • #2395215

      What can I do to prevent this from happening on a Chromebook?

    • #2395261

      I just assume that the ads at the top of the search results are sketchy.  I don’t click on them.  I will scroll down past the ads to find what appears to be a real url for a real company that at least seems to be related to my search.  I still hover over the address to check that it matches what I think it should be.  May not be foolproof but it seems to work.

       

      As far as the ads are concerned, I don’t feel like contributing to an advertising campaign, that might not be what it appears to be.

      2 users thanked author for this post.
      • #2395482

        I realize that increasingly I am instinctively skipping those “ad” results, too–though based on Brian’s good article I will have to pay attention more consistently.

        I increasingly inspect URLs before opening.

        And my internet computer is armed to the teeth.

        What’s troubling is that I don’t see what other meaningful steps I can take to protect myself from this sudden-death malware infection scenario, day in and day out.  I use Google a lot.  As has been said above, another search engine will be targeted as soon as it becomes popular.

         

      • #2395956

        Common Sense is still usable, IF available to you!

        It would be C.S. that the main URL to a company called Malwarebytes, whose main product is called Malwarebytes, is probably NOT going to be something like:

        irapeyourdogstealyourstuffandhumpuranus.biz

        Unless that is a new Facezuck mirror?

    • #2395282

      Is this much more likely to happen when one is looking for some kind of commonly sought after information, rather than for information on more specialized topics?

      For example, is the risk of infection with malware quite different when looking for information on “current US bank mortgage rates”, versus “use of reflectometry from LEO satellites to quantify sea state”? Or does the malware echo the key words in the title of the bogus Web page, so the topic being searched does not matter all that much?

       

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      Waterfox "Current" and (now and then) Chrome. also Intego AV and Malwarebytes for the Mac.

      1 user thanked author for this post.
      • #2395286

        As far as I have knowledge of, it hasn’t happened to me. I was looking for advice. I have the information from the replies given to safely navigate Google searches.

         

        Thanks.

      • #2395486

        Funny thing, that same question occurred to me just now but I couldn’t frame it well, so didn’t.

        I have a hunch that my specialized searches might not be targeted so much.  Certainly, a dead-on-result from an unfamiliar web site would stand out.

         

        1 user thanked author for this post.
    • #2395295

      What Brian’s article describes is malicious SEO (Search Engine Optimization), and he happens to illustrate how that affects the results on Google, because Google is the biggest target for the bad actors.

      As has been illustrated above by others, this also has happened to Bing. I would venture a guess that it has also happened to Yahoo and StartPage as well, since they are search engines themselves in their own right.

      As has also been pointed out above by @rc-primak, DuckDuckGo is the same as Google, but stripped of Google’s unwelcome invasion of privacy, so it can be affected by malicious SEO as well.

      Basically, be careful sifting through results for searches, and pay attention to the actual URLs of the links provided by hovering your mouse over them to make sure they go where the text in the result says they go. One way to help this concept out is to have your browser display what’s called “punycode” that can make text look like one word but actually be another. @Microfix can fill in the details of exactly what punycode is more than this basic explanation.
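
The punycode point in the post above, as an added example that is not part of the original thread: it converts a hostname between the form an address bar may render and its ASCII "xn--" form, and flags labels that mix alphabets. The sample URLs are constructed, and the function names are hypothetical.

```python
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label: str) -> set[str]:
    """Rough script of each letter, read from its Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_host(url: str) -> dict:
    """Show both forms of a URL's hostname and list labels that mix scripts."""
    host = urlsplit(url).hostname or ""
    # Python's built-in "idna" codec implements IDNA 2003, enough for inspection.
    ascii_host = host.encode("idna").decode("ascii")           # wire form
    unicode_host = ascii_host.encode("ascii").decode("idna")   # rendered form
    return {
        "ascii": ascii_host,
        "unicode": unicode_host,
        "is_idn": any(part.startswith("xn--") for part in ascii_host.split(".")),
        # One label using two alphabets is the usual lookalike signal.
        "mixed_script_labels": [
            part for part in unicode_host.split(".") if len(scripts_in(part)) > 1
        ],
    }


# Constructed sample input: the second URL has a Cyrillic "а" (U+0430) in "example".
SAMPLE_URLS = [
    "https://www.askwoody.com/forums/",
    "https://ex\u0430mple.com/download",
    "https://m\u00fcnchen.de/",            # legitimate single-script IDN
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = inspect_host(url)
        flag = "MIXED SCRIPTS" if info["mixed_script_labels"] else "ok"
        print(f'{info["unicode"]:20} -> {info["ascii"]:25} {flag}')
```

In Firefox, setting `network.IDN_show_punycode` to `true` in about:config makes the address bar show the "xn--" form directly.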

       

      • #2395446

        As has been illustrated above by others, this also has happened to Bing.

        No one in this thread found a malicious JavaScript file via Bing.

        Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

        • #2395447

          @Bob99 was not talking about a malicious JavaScript file via Bing but rather about malicious SEO (Search Engine Optimization) skewing search results across different search engine platforms. 🙂

          • #2395451

            No one in this thread discovered any malicious SEO via Bing either.

            The article was specifically NOT about paid advertisements appearing in search results:

            There’s a good chance that the user will click the Google link that shows up, because the search hit looks like a natural result, given that it’s not a paid ad or a sponsored link.

            Search crimes – how the Gootkit gang poisons Google searches

            Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

    • #2395328

      Macs always display the file extension, wherever and whenever a file is listed inside a folder, or appears on the desktop, or is listed using the command line: in all cases and circumstances. Also I don’t remember the file extensions being hidden in Windows 7. So I am surprised to hear about this.


      • #2395401

        Macs always display the file extension, wherever and whenever a file is listed inside a folder, or appears on the desktop, or is listed using the command line: in all cases and circumstances.

        Showing the file extension is also an option in macOS, not the default.
        Your Mac shows file extensions because the box was checked at some point by whoever changed it.

        Screen-Shot-2021-10-12-at-7.24.58-AM

        • #2395965

          PK, My Mac came like this from Apple, i.e. set to show the file extensions, the day I bought it, so I did not realize that the fiddle you point out even existed.


      • #2395459

        Also I don’t remember the file extensions being hidden in Windows 7. So I am surprised to hear about this.

        Woody campaigned against file extensions being hidden by default in Windows 7 for years:


        Yet another reason for showing filename extensions

        Posted on April 19th, 2016 at 13:05 by woody

        I take flak, from time to time, from well-intentioned folks who say my insistence on having Windows show filename extensions is archaic.

        Take a look at this report from Microsoft that describes several Trojans and how they’re dropped in spam emails.

        If the person who created the screenshots had filename extensions turned off, the telltale “.js” wouldn’t appear in the listings of zipped files.

        From page 3 of “Windows 7 All-In-One For Dummies” –

        Click Start and pick Documents. Press the Alt key on your keyboard. Choose Tools > Folder options, then click to select the View tab. At the bottom of the Advanced Settings box, deselect the option marked “Hide Extensions for Known File Types.” Click OK.

        Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

        2 users thanked author for this post.
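
The hidden-extension problem discussed in this thread (a `.js` file in a zip listing that displays as a PDF), as an added example that is not part of the original posts: it lists a zip archive and reports entries whose displayed name would look like a document while the real type is executable. The extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows runs on double-click (script hosts, binaries, shortcuts).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                   ".exe", ".scr", ".bat", ".cmd", ".lnk"}
# File types a user reads as "just a document".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify(filename: str) -> tuple[str, str]:
    """Return (name shown when known extensions are hidden, verdict)."""
    path = PurePosixPath(filename)
    real_ext = path.suffix.lower()
    shown = path.stem if real_ext else path.name
    # Padding spaces before the real extension push it out of view; ignore them.
    shown_ext = PurePosixPath(shown.rstrip()).suffix.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return shown, "ok"
    if shown_ext in DOCUMENT_EXTS:
        return shown, "masquerading"    # manual.pdf.js is displayed as manual.pdf
    return shown, "executable"


def audit_zip(data: bytes) -> list[tuple[str, str, str]]:
    """Return (real name, displayed name, verdict) for every risky archive entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            shown, verdict = classify(info.filename)
            if verdict != "ok":
                findings.append((info.filename, shown, verdict))
    return findings


# Constructed sample archive contents; no real malware names are implied.
SAMPLE_NAMES = [
    "docs/party_wall_agreement.pdf",
    "docs/party_wall_agreement.pdf.js",
    "manual.PDF      .JS",
    "setup.exe",
    "notes.txt",
]


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for real, shown, verdict in audit_zip(build_sample_zip()):
        print(f"{verdict:13} shown as {shown!r:32} real name {real!r}")
```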
    • #2395448

      Some people commented that Duckduckgo’s search results are from Google. In the past and from what I found online with a quick search, it doesn’t come from Google at all.

      Maybe that is why I got frustrated with them quickly after trying it for a few days a while ago.

      Excerpt from Wikipedia :

      “DuckDuckGo’s results are a compilation of “over 400″ sources, including Yahoo! Search BOSS, Wolfram Alpha, Bing, Yandex, its own web crawler (the DuckDuckBot) and others. It also uses data from crowdsourced sites, including Wikipedia, to populate knowledge panel boxes to the right of the results.”

      Unfortunately, I don’t find that anything else comes close to Google.

      That was a great article from Brian, again.

      This might be a threat that could become even worse than email because normal users have a harder time identifying those search results they looked for as illegitimate than an unexpected email.

      Using SRP like someone mentioned or hardened mode in Avast or an equivalent seems like a good idea to mitigate the risk in part. Again, Microsoft, why do you keep Applocker unavailable to Home and Pro version? Security shouldn’t be an option for big businesses only in your OS, especially when it involves no costly ongoing maintenance like it is probably the case for Applocker. If you can give Defender to everyone, sure you could include Applocker.

      4 users thanked author for this post.
      • #2396627

        You should not be relying on your antivirus program to protect you from malicious web sites. If they are not clearly marked as ads, there should be some way to distinguish between legitimate sites and malicious or simply useless sites.

        As of now, there is no sure-fire way to tell the difference between a bad site and a good one, except after you’ve been there. And don’t get me started on reputation services — it took a long, hard struggle to get such services to reinstate AskWoody after a single-pixel injection malware attack here a few years back.

        -- rc primak

        • #2396629

          rc primak: “As of now, there is no sure-fire way to tell the difference between a [Web site that is a] bad site and a  good one, except after you’ve been there”

          Quite true, unfortunately. The way of the world, Internet-wise, is going to turn us all into suspicious, sniffing bloodhounds seeking the scent of our possibly awaiting doom. (Phrasing purple enough for you?)

