Tell HN: Google returning 'Untitled' results that redirect to malware/spam
170 points by nsilvestri on Jan 28, 2022 | 99 comments
Over the last few days I've noticed several distinct Google results that are simply 'Untitled', that redirect to other sites that are definitely spam and possibly malware (I didn't stay long enough to investigate). I've seen other examples of titles such as 'Oh' redirecting to the same spam sites. From the result preview below the title, the results otherwise seem somewhat relevant to the query, but most often end up loading a fake captcha page.

Google deleted a support thread posted 3 days ago about this issue [0]. There are a few comments on a HN thread from yesterday [1] which mention this issue as well. A reddit thread is active on /r/google about this issue [2].

Something seems to have gone wrong at Google to allow so many fake results to pollute so many different search queries. There have been many discussions on HN lately about how the quality of Google's search results has gone down, but until now I've never seen them become a massive influx of possibly malicious spam.

[0] https://support.google.com/chrome/thread/147896848/i-have-untitled-google-search-results-on-almost-everytging-and-it-redirects-me-to-malware-website?hl=en-GB

[1] https://news.ycombinator.com/item?id=30086059

[2] https://www.reddit.com/r/google/comments/seio29/is_anyone_else_getting_these_untitled_google/




For quite some time now (many months, maybe a year or two) I've noticed that when searching for something rather obscure, when there aren't many relevant results, google search nonetheless returns pages full of sort-of relevant looking results which all redirect to some form of spam or malware site. The malicious results are always ranked below any legit results but they are almost always there at the end of page one. For sufficiently obscure search then the crap can fill even the majority of the first page.

The commonality is that they seem to keyword stuff obscure keywords and even phrases (possibly by randomly brute forcing or re-combining text fragments into synthesized sentences) and they all redirect one or more times, prevent the back button from working and land on some kind of suspicious page that is almost certainly hosting some kind of malware. The only way out is to close the tab and start over. I'd imagine things would be much worse without ublock installed.


I've been noticing something similar happening with GitHub issue threads. Spam sites like githubmemory.com are frequently ranking higher than GitHub itself, and sometimes GitHub doesn't even show up at all, even with a specific search term that appears in an issue thread for a popular repo.

The cynic in me can see good reasons for both Google and Microsoft to be okay with this.


I have been using DuckDuckGo 100% completely the last month and from these messages I am super happy I did. Google is tanking fast. Even the general public of r/askreddit noticed, with a huge thread and similar experiences. If I was Google, I would be very worried, and if I was DDG I would be pulling out all stops with advertising.


DuckDuckGo has lots of ads actually, even on the radio (!) which is pretty interesting.


I wasn't even aware how many sites mirror GitHub until Google stopped finding GitHub for me at all.

If I don't add 'GitHub' it likely won't show up, and if I do there is no guarantee either.


I’ve not noticed malware so much, but several legit independent programming resources (Baeldung, as a random example of a possible target; not sure I’ve seen their content stolen) will have their content lifted wholesale, slightly cropped to remove identifying marks, and then rehosted, stuffed to the gills with ads.

These initially seem fine, and it’s only when you repeatedly search the same topic that you notice the stolen content. You can tell the legit site by having bylines, references, and fewer ads.

Google seems to weight them the same, which is near malicious: it has the history to show primacy.


Could it be that more ads on the pirate sites mean more Google revenue?


At least once a week I stupidly click on a malware site from search results. Luckily it's always on a work laptop that has AV that prevents the page from loading.

This never happened in my life until the past two months. So many things are very wrong right now.


uBlock Origin will block most of the redirect/traffic selling pages and put up a big warning screen.


> The only way out is to close the tab and start over.

You can press and hold the back button to reveal a list of previous urls. Useful to evade forced redirect like this because you can "jump" directly to the last google search url.


These sites somehow defeat the history list entirely. The history for the tab just disappears.


This happens to me when I research some RFC concepts surrounding oauth, saml, and the like. It’s incredibly frustrating.


I used to notice this so much I had initially thought my browser got hacked.


I've seen that behaviour for years. Even with quotes which used to show exact verbatim matches only, you'll still get pages of garbage results.


Seems a similar attack may occur with scam calls. User looks up number. Search leads to malicious page. It has now linked phone and pc details.


Holy crap that's devious. Never occurred to me. Do you have any reference to this or is it just a hypothesis? Seems scarily plausible to me.


I've been going insane since I couldn't find anybody talking about this (just tons and tons of SEO blogs) but yes.


I've noticed this issue for years. And that is the reason why I never go past page 2.


Are you able to provide an example query?


Unfortunately no, I haven't kept notes when it happened.


In the last few months, many Gmail users (including myself) have been receiving some seedy emails in their inbox that were previously being sent to the spam folder. [1]

[1] https://news.ycombinator.com/item?id=28635313

Regardless of these issues being related or not, Google definitely don't care as much about the quality of their products as they did 10 years ago.


+1, and legitimate emails going to the spam folder. Now I check my spam folder multiple times a day. Since 2004 Gmail never sucked this bad, and they don't care.


Well, the regression might end up being good timing for users, since Google has also recently announced plans to take away the legacy Gmail custom domain names. This adds up to opening the door for competitors.

Good riddance, big-G can't seem to stop fucking themselves over with regard to user trust at this point. It must truly be a royal mess on the inside, because the growing cracks are very publicly visible.

Edit: It looks like today they announced the reversal of their stupid plan to take away the legacy g-suites? https://techcrunch.com/2022/01/28/google-will-let-legacy-g-s...

Shrug, all the back-and-forth still signals a huge cluster bomb on the inside. Everyone just wants promo.

See also: https://news.ycombinator.com/item?id=30114343

It's sad to see what the benevolent mission of "help the world organize its data" has devolved into. Instead of growing into something pretty, it's becoming more and more petty, nickel and diming us to the max, even when they're already making boatloads of money.

There is no end to The Greed.


Blessing in disguise.


The whole reason GMail gained public traction was because of its advanced spam filtering. Storage was good, but secondary.

Now that everyone is locked in, the anti-spam efforts can be pared back, since nobody gets promoted in Google for doing their job well. Only for inventing a new job to do.


>the anti-spam efforts can be pared back

But how hard can it be to continue flagging obvious spam? I agree that flagging real email as spam can be harder to avoid, but the number of patently clear spam going to the inbox is beyond ridiculous.


This is the same Google that allows Holocaust denial and lies about vaccines killing millions of people on their platform while blocking videos that point out the above things are wrong.


I even got emails from Apple (iTunes store receipts) and similar high profile senders going to spam, while some super obvious spam emails get through.


Same thing here, it's that bad.


Oh good, it's not just me. Started getting ~3 PayPal phishing attempts a week, all formatted the same, for the past month or so.


The amount of spam has increased significantly over the last few weeks.


For a second I thought we were talking about search results.


In gmail I get numerous easy to spot spam a day, McAfee warnings, CVS gift cards, Kohls cache, Costco $500 rewards, Geico insurance etc. Way worse than my personal mail server with a straightforward greylist/SpamAssassin setup.

What's worse is recently I searched for home depot, clicked on the top result (an ad), that clearly listed the destination URL as homedepot.com. Ended up with a malware site with multiple pop ups claiming I had a virus and had to install some plugin to fix things.

Feels quite a bit like yahoo used to: sketchy ads, malware, spam, payroll loans, etc.


But then perfectly valid messages from someone's self-hosted mailserver never even make it past their pre-screener.

If DKIM, SPF, or DMARC record validity, or even past conversations don't matter for deliverability, what does? I'm beginning to think even Google doesn't really have these types of answers anymore.


  if (msg.source != "gmail"):
    msg.drop()


Gave you the opportunity to make that joke for free, the least you could have done was write it in GoogleLang ;)


  // Trash any message whose From header is not an @gmail.com address
  var message = GmailApp.getMessageById(newMessageId);
  if(!message.getFrom().match(/@gmail\.com>?$/)) {
    message.moveToTrash();
  }


Yeah, I got that with USPS change address search a few years back.

Look, I think of myself as a decently smart guy, not a sucker, etc. But at 2am when exhausted from moving and just wanting to check something off a list...I got got.

It was my mistake. I trusted Google. Google's top result took me to one of the thousands of identical copies of the official USPS change address forms that charge $49. Could have been worse, I guess.


Even worse is when Google's own search results include ads that direct to malware sites (like https://imgur.com/a/Lk85lST ). Google, when will you start following the best practices in the advertising industry like Ad Standards Council?


In Argentina (Latin America, even probably) if you searched for Paramount+ (right when the streaming service launched here) the top result was a Google ad with a spoof domain (that could have been legit) pointing to a credit card stealing phishing site.


> that clearly listed the destination URL as homedepot.com

Does anyone have an explanation for this? I've heard such claims before, but I'd like to see it to believe it. I could perhaps imagine yet another unicode "feature" (non-printing characters or some very subtle combining characters or a font variant?) being abused for this. On the other hand, part of me wants to believe that despite all their failings, there's no way Google wouldn't have thought of that and prevented it. Right?

EDIT: Somewhat recently I tried to find out if this is true after someone claimed they had had a legit URL lead them to a phishing site, but the only juice I found is the same old: typo-squatting. Just now showing up in big G's results. Apparently e.g. homedopet.com leads to a site that uBlock doesn't want me to visit (badware risks). On the other hand homedepet.com and homodepot.com took me to the right site.


I'm pretty security conscious, and I immediately double checked and replicated what I had done. The ad looked perfect, including the right URL, and includes the normal subsections, store finder, special of the day, careers, etc.

The home depot search result was labeled as an "ad", but shown inline, with an easy to miss small gray font mentioning the URL. Much like if you search for ace hardware now, I did notice that home depot searches no longer show an ad.

I normally have zero plugins enabled, but I did discover I had a keybase plugin installed, from before zoom bought them. I've since disabled it and am considering a reinstall.

The URL it sent me to was: http://34.220.130.1/window-security-alert/werrx01/, which at the time worked (visit at your own risk). But I tried it just now and it now triggered a chrome warning about "Deceptive site ahead".


IIRC you can set the domain you want to show on your ad and it doesn't have to be what you actually link to. They allow that so marketers can do click tracking stuff I guess.


Sad if true. Outright irresponsible, I would say. Knowing which domain you're talking to is such a basic security requirement; TLS and the whole CA model is worth nothing if you're being lied to about what domain you're navigating to. This is also why typosquatting is such a dangerous attack.


Everything old is new again! Is this what they meant the other day with "Signs the old web is coming back"?

https://news.ycombinator.com/item?id=30078971


Last year (20/21), Bing was directing people to a website which had been hacked and from what I could trace on the offending site, via the Bing cache, it was linked to Eastern European located websites. So I don't think it's just Google, but Bing have been affected in the past as well.

I also don't understand why MS need a system in MS Edge (SmartScreen) which blocks you from accessing a website, yet the link to the website appears in the Bing results, you would have thought Bing and SmartScreen would use the same data!?!

The only other thing I would check is that your system hasn't been hacked and you are seeing a Man In The Middle attack, i.e. a fake Google website and search results directing you to malicious websites via the search results.

Let's face it, how do you tell you are on the correct website and not some MITM website? Security certs don't tell you anything if the certificate company has had their root certs stolen or duplicated under a court order.


So in SmartScreen they leave out a feature that is a low hanging fruit for protecting users - it's almost as if the real purpose of SmartScreen is to observe and control which Windows applications users run?

It does seem consistent with the big tech pattern of stalking, and coercion through dark patterns.

Edit - it's possible that they don't store which domain names files are downloaded from and only store binary file hashes, which would be another explanation for Bing not knowing the site is bad.


I mentioned this in a sibling comment, but what also drives me mad is that for about the last year or so, even if I search for something very specific and technical, I get pages upon pages of search results for sites with names that all sound similar to "techgeekhowto", that only contain the most basic (and often badly written) advice on how to reboot your Mac and similar things. Even "Verbatim" mode doesn't help much.


same with sites that sound similar to "stackoverflow" but aren't stack overflow. These sites are usually just scraped stackoverflow questions and answers with a ton of garbage heaped on top.


Why are people still using Google for search? I frequently hear complaints that Google's search results have become worse and worse over the past several years. DuckDuckGo isn't perfect, but I generally get good results from it, and they claim to respect your privacy.

I've also recently been trying out Kagi (invite-only beta, will eventually be a paid search engine), and I've so far been extremely happy with their search results. I'm a bit uncomfortable with it; since it requires a login, they can easily tie search history to you even if you use private browsing or a VPN. (They claim they don't do this, but I'd rather not have to trust.)


I switched to duckduckgo as my default search engine as a matter of principle, but the results are regularly irrelevant, sparse or not recent. If changing search engines was lower friction, I’d be back on Google in less than a day.


Odd, I switched to DDG 2 or 3 years ago, and probably have had to fall back to Google a single-digit percentage of the time when DDG's results weren't up to snuff. But everyone's searches are different, I suppose.


I’ve been really impressed with Kagi. For desktop search I find it easily the equal of Google if not better - it filters out the dreck much better than Google does. I’d tried Bing and DDG before but Kagi is the first one that hasn’t had me crawling back to Google within days.

For mobile search, unfortunately, it’s not there yet - Google has such a commanding lead in POIs, opening hours and the like.


feels like goog has been relatively intentional through the last decade about what types of pages show up in what categories of search, and this has siloed SEO expertise. Now, for any 'type of search', SEO or ad spammers know more about the problem than google

sites like newspapers, SO, wikipedia, and even twitter, which have active moderation of all content, can stay ahead of this in a way that platforms can't

we all assume that 'only ads above the fold' is intentional by goog to bolster failing margins, but what if it's a problem they can't fix because their tools have outgrown their quality control?

in 2012 google thought the indexing algorithm was its immune system, but today it's the site of infection. (maybe it always was)


or if you're an ecologist

https://www.nature.com/scitable/knowledge/library/dynamics-o...

> Parasites with complex life cycles require two hosts; in some of these systems, prey function as intermediate hosts for the parasite, with predators acting as primary hosts. Parasites can manipulate the behavior of the intermediate host to make transmission to the primary host more likely.

not sure who is who in this metaphor


Thanks. I work for Google Search. It's spam, not malware and we are looking into this.


Is it not spam generated by sites infected with malware? I'm sure the owners of a WordPress site for some random company are not doing this on purpose. I've personally cleaned the malware from WordPress sites infected with javascript injections that produced pages similar to this.


Based on the reddit thread, this does appear to be a legitimate issue. Conspiracy theories aside, it seems to be a search quality issue. I do wonder why that support thread was deleted though. It's unfortunate that Matt Cutts (former head of web spam team at Google) or someone else from the search quality team isn't communicating as early and often re issues like this anymore. Some transparency would be nice.


I'm Google's public liaison for Search, and I communicate on this stuff all the time. Typically I'm most active on Twitter. You can always ping me here: https://twitter.com/searchliaison

I'm looking into the thread deletion, but I believe anyone who starts their own thread can delete it. That aside, as I shared elsewhere here, this is spam, not malware. We appreciate the reports and apologize our spam systems weren't doing a better job. We're working to improve that now.


Matt left google many moons ago and, with the benefit of hindsight, his departure coincided with google's pivot to the dark side and progressive lack of concern for such search quality issues.


I had the same thought. Matt Cutts seemed very on top of things from the outside at least, and I was wondering when he left how that would affect search quality. Though without any further insight I have of course no idea whether the recent steep decline is really related.

It's gotten very frustrating in the last year or so. I barely leave "Verbatim" mode (and hate that it's so many clicks each time to activate it). But with or without that, I frequently have the situation where I search for something very specific and technical, just to get pages of pages of search results for sites that have names similar to "techgeekhowto", telling me how to reboot my Mac. It's maddening.


Verbatim mode? Never heard about that. In the past using double quotes did something like that, is it the same thing?

Disclaimer: DDG user mostly.


"Tools -> All Results -> Verbatim" in Google. I'm not sure of the exact differences, but Verbatim essentially means "match exactly those words, and all of those words", while I still seemed to perceive some fuzziness with double quotes (unless you put the whole phrase into quotes, I think, but then you also search for only that exact phrase instead of words).


I come across these links as well and was able to find some of the source code, which generates these spam pages.

Actually, you can go ahead to such a spam page and view the index.html page of the current folder and what you will get is an HTML file with PHP code, which is not interpreted by the PHP interpreter, because the file has a dot HTML extension.

In the script, you can see from where the script fetches the displayed data and from which IPs the data is requested and received.

I copied such an index.html file into a gist: https://gist.github.com/devidw/ce2bdb78bb2e30a8e8437acc2c587...

I also wrote a blog post about the details of what is happening in the PHP script: https://david.wolf.gdn/google-untitled-links-i-found-the-sou...


My wife recently received, in her inbox, a spoofed email from her own email address on Gmail.

I have no idea how you could possibly fubar that up. No idea what is going on with Google's spam handling.


The displayed sender address in Gmail or any other email system has no meaning whatsoever.


Surely if Google owns the endpoint it should be coming from it can mark it as spam if it comes from somewhere else.


What it seems like you are suggesting - which I don't fully understand and I doubt you understand it either - would break dozens of important features of email that ~everybody wants. For example, when I go to the Ubuntu issue tracker and type in a comment and send it to everyone, it shows up in my inbox, from me, even though it was sent by an unrelated third party (Canonical Launchpad).


Yep. Noticed that recently in some searches and it was definitely a "wtf" moment. The links seem to be to compromised wordpress sites but that's just a guess. Did not stay long to figure it out.


I’ve been noticing this quite a lot lately, on various searches.


Can you give example searches? OP provides none so we can't reproduce.


> renameto fails mount point android

8 of 10 look actively malicious. 6 of 10 are "Untitled"

Image: https://drive.google.com/file/d/11O1_awYptJ9mKzn-w9T45fpNPj4...

----

This is unusual and has been happening regularly for me over the past week

----

EDIT: This isn't malware. Reproducible on my phone.

This is based on my Google account, my dev-based account returns the majority of results as malicious. My personal account returns relevant results.


I see those on page 4 and 5 of the search results. Thanks to Google for hiding the full url which would make them easier to identify as untrustworthy.

Hit the drop down error to the right of the shortened url to see the cached page.


First result is the same for me, but the rest of it is very different. Strange!

https://i.imgur.com/t7JPARg.png

Looking at some of the results from your screenshot more closely, they appear to be hacked Plesk[0] sites like geocrasher describes here: https://news.ycombinator.com/item?id=30117918

[0] https://www.plesk.com/


They recently extended their magic "title rewriting" algorithm, someone is probably gaming that algorithm already...


Danny Sullivan (@dannysullivan) replies quickly on Twitter, and he works for Google anti-spam. Their Twitter ID: @searchliaison


Yep, thanks -- got directed to this thread. Our spam team was already on it. It is spam, not malware. No one is infected with anything. I think things are already improving and they'll keep debugging it.


Are you looking into the some clone site coming before GitHub or Stackoverflow problem too?


I'm affected and Danny's been in contact. Thanks!


I thought I was searching weird things. But yes, I've seen this. Often starting from page 1 and every page after that. It seems to be 'normal' CPA links as far as I can tell.

Edit:// they are localized! I just checked on my phone which uses German Google and it says 'Ohne Titel' (so without title)


Does anyone have an example of a search title that results in this? I've never noticed it but would like to investigate. E.g. does the site return different results for GoogleBot vs end user (or based on Referrer)?

It could also be local malware - cross checking between users would be a good test for this.


https://news.ycombinator.com/item?id=30119138

This isn't malware. Reproducible on my phone.

This is based on my Google account, the majority of results for my dev account are malicious.


There's a natural tension between fresh indexing and malware detection.

And speaking of tension, HN is clearly of two minds here. We have this article and we have "Google de-indexed my site [[that I didn't realize was hosting malware]] for no reason!" outrage parties.


Tinfoil hat mode: what if Google is intentionally degrading service to allow a little more competition and ultimately avoid regulation?


Unfortunately you've only given anecdotal evidence with no means to reproduce. This isn't actionable in its current state.


Here's support.google.com link in Google cache, it contains a query screenshot and some suspicious urls in results:

https://webcache.googleusercontent.com/search?q=cache:cNRRR8... (archived: https://archive.is/V6963)

The query is "blaze sql sql", but I don't see results like those now.


See my answer below


Sure. Results I've seen issues with:

`update-rc.d command not found`

`baselayerchange leaflet react`

`gnome-disks permisions denied`

`chart.js more points than labels` <-- this one has two untitled results, but only one of them redirects to a spam site


Okay! I think I have an answer for you. I found this:

http://webcache.googleusercontent.com/search?q=cache:WdHknYu...

This is an HTML page on a WordPress site. A hacked WordPress site. It's SEO spam and is rather successful. It's not a proper page and so has no title, but has all the keywords for a search and a bunch of links at the bottom that it's trying to rank higher for whatever search.

This isn't Google's fault necessarily but rather there are compromised WordPress sites out there that look fine to the owner, but when the referrer is Google, or the user-agent is the google bot, the website produces different results than if a human is viewing it.
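
An added example, not part of the comment above or of any project mentioned in the thread: one way a site owner could check their own pages for the referrer- and user-agent-dependent behaviour described there. The sample pages, host names and the `find_cloaking` helper are constructed for illustration.

```python
"""Compare what a page serves to a direct visitor, to a visitor arriving from
Google, and to a Googlebot user-agent, and report where the responses diverge."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "google_referrer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "googlebot_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
}
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(")


class _PageSummary(HTMLParser):
    """Collects the title, off-site link hosts and meta-refresh redirects."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.title, self._in_title = own_host, "", False
        self.external_hosts, self.redirects = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host and host != self.own_host:
                self.external_hosts.add(host)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.redirects.add("meta-refresh")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def summarize(body, own_host):
    parser = _PageSummary(own_host)
    parser.feed(body)
    redirects = set(parser.redirects)
    if JS_REDIRECT.search(body):
        redirects.add("js-redirect")
    return {"title": parser.title.strip(), "hosts": parser.external_hosts,
            "redirects": redirects}


def http_fetch(url, headers):
    """Default fetcher for real use; the sample run below does not touch the network."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def find_cloaking(url, fetch=http_fetch):
    """Return {profile: [reasons]} for profiles served something the direct visit was not."""
    own_host = urlparse(url).hostname
    seen = {name: summarize(fetch(url, hdrs), own_host) for name, hdrs in PROFILES.items()}
    base, findings = seen["direct"], {}
    for name, page in seen.items():
        reasons = []
        if page["title"] != base["title"]:
            reasons.append("title %r differs from %r" % (page["title"], base["title"]))
        if page["hosts"] - base["hosts"]:
            reasons.append("extra outbound hosts: " + ", ".join(sorted(page["hosts"] - base["hosts"])))
        if page["redirects"] - base["redirects"]:
            reasons.append("redirect only for this profile: "
                           + ", ".join(sorted(page["redirects"] - base["redirects"])))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed stand-in for a compromised site: clean for the owner, different for Google.
CLEAN_PAGE = ('<html><head><title>Acme Plumbing</title></head>'
              '<body><a href="/contact">Contact</a></body></html>')
BOT_PAGE = ('<html><body>update-rc.d command not found fix guide '
            '<a href="http://spam-one.example/a">a</a>'
            '<a href="http://spam-two.example/b">b</a></body></html>')
REDIRECT_PAGE = ('<html><head><title>Acme Plumbing</title></head><body><script>'
                 'window.location.replace("http://spam-one.example/captcha")</script></body></html>')


def constructed_site(url, headers):
    if "Googlebot" in headers.get("User-Agent", ""):
        return BOT_PAGE          # untitled, keyword-stuffed page with spam links
    if "google." in headers.get("Referer", ""):
        return REDIRECT_PAGE     # visitors from search results get bounced
    return CLEAN_PAGE            # what the owner sees when typing the URL


if __name__ == "__main__":
    for profile, reasons in find_cloaking("http://acme.example/blog/post", constructed_site).items():
        print(profile, "->", "; ".join(reasons))
```

Against a real site, call `find_cloaking(url)` with the default fetcher. A compromised site that recognises crawlers by IP address rather than by user-agent will not show its bot-only page to this check, so a clean result covers only the header-based case.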


About a year and a half ago almost half the results I was getting consisted of those. Most of them were on `.it` TLDs, and I've been blocking all those results since.

There is an official Google publication on this phenomenon that was published a really long time ago, but I'm unable to find it anywhere. Would anyone reading this perhaps know where to find it?


This is interesting. Just the other day I did a search on DDG and had the same thing happen, a full page of .it TLDs that vaguely matched what I was searching for. This is the only time I have seen that and unfortunately I don't remember what search terms I used, probably something related to my recent video card issues.


I can't repro. Can you try in a fresh profile with no extensions installed?


Pulled up the results in incognito and can't repro either. The only extensions I'm using are Bitwarden, uBlock Origin, and React Dev Tools so I don't expect those to be the root cause, however.


I would check for whether there are any extensions that you might not be aware of by going to chrome://extensions. I'd also try installing those same extensions on a fresh profile to see if some configuration inside one of them is causing this.


That last one pulled one up for me, linking off to scorzsportscenter dot com

For what little it's worth, aside from some schadenfreude, it didn't pull up the spam link on DDG. ;)


Can you show a screenshot? As you should know, Google returns radically different results depending on your user account, region, etc.


We don't show radically different results based on user account. Region, however, can make a difference, though everyone in the same location doing the same search would generally see the same things. More: https://twitter.com/searchliaison/status/1070027261376491520


Thanks for replying on HN! When I do want local search results from a different location abroad than where I am located at I have found no other way than using a VPN ending in that country. Is there a simpler solution?

Google is notoriously bad at respecting my browser language. I more often than not get the login page in languages different than my browser language. (I only log in when I really want to use some personal service, which is not that often).


Ok, I'm genuinely asking here. -4 points, downvoted. WHY? I stated a fact. The response by OP was to give more data, and then I actually figured it out. So why the downvotes?



