Google links highjacked - malware?

I'm sure this is a problem at the website end, but I just want to run it by some people here to be sure.


Over the last 3 months or so, I'm getting multiple redirects from Google search, to malware/scam sites. They almost always end up at the same, or similar pages, having re-directed a dozen or so times to stop you simply swiping back to the Google search page. I've just been ignoring them and returning to the Google search page by click-hold on the back button and selecting it from the drop-down, but today I took a look at the Google link and found that by loading it from the Cache, it actually took me to a genuine site.


So, have these genuine sites been compromised, or do I have a problem? Seems amazing that Google is letting this happen.


Here's the page that always displays from the malware/scam site... the falling confetti is an animation and if you do nothing, popups appear to try and get you to click something.


I've run MalwareBytes just to be sure and it finds nothing, as I would expect.


Can anyone offer some insight?





MacBook Pro Retina

Posted on Mar 11, 2021 4:55 AM

8 replies

Apr 15, 2021 5:54 PM in response to gee-eff-ess

Oh it’s not just you. I can pretty much replicate this on any Google search on different PCs or ISPs. Ya they redirect like 5-10 times then either end on congratulations page or your iPhone has been hacked page. The easiest way to make this happen is when you do the search then click on tools and date search. Then select like 24 hours or a week. I can almost always make this happen on my phone. PCs at home. At work. Something is wrong with Google and I’m surprised it doesn’t get more press. Most of mine have been ending in .it domain. Here is an example of the search then selecting show last hour results. I don’t have to scroll down too far to see those .it redirect domains. Now if I do a search without date range I usually don’t see them or they will be a few pages down. What do you all think? I have been noticing this for about 6 months now.

Mar 12, 2021 2:08 PM in response to gee-eff-ess

Hello gee-eff-ess,


Thank you for using Apple Support Communities!


We understand from your post that you are receiving pop-ups in Safari on your Mac. This article has information under the heading, "If your web browser displays annoying pop-ups", which may help:


Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support


Best Regards.

Mar 13, 2021 5:44 AM in response to Alwayswantingtohelp1

Hmmm good point.


Yes the same thing happens with a Private Window... although interestingly, the Google Search results are not the same.


Try doing a search for "image upscaling software". Limit the search to Past Month via the Tools menu. Scroll down the results a bit. Try clicking one that has an ' .it ' domain. There are others. I have quite a few in these results which are infected.


Now go back to your Google Results and click to view the page's Cache instead. It will load the correct page.

Is it really that this malware is so widespread and the site owners don't realise?

Mar 12, 2021 2:54 PM in response to Alwayswantingtohelp1

Thank you for the reply Alwayswantingtohelp1.


No, that's not correct. I am not receiving pop-ups.


I am clicking on a link in Google search results and instead of going to the linked page, I am taken to the page/image posted above, in my original post. This is after several rapid redirects all to the same page.


So effectively, either the Google search results have been compromised, or the page they link to has been compromised, or my Mac. I'd like to know which.



Mar 13, 2021 12:31 AM in response to Alwayswantingtohelp1

Indeed and that is what I’ve always assumed when a redirect happens.


The reason I’m posting here and asking the question, is because this is happening from time to time, on multiple unrelated sites.  It’s usually when I’m some way down in Google search results and often it will happen on a few of the search results... which is really weird. These are from sites that I've never visited before.


Since I've been looking, they are all from a .live domain, e.g. inch849lowthanks(.live) but each site will have its own domain name.


Could a cookie be performing the redirect?

Apr 16, 2021 1:04 AM in response to jimmut

Hi Jimmut. Thanks for the reply.


Yup... exact same behaviour.


I don't do much 'refined searching' on iOS/iPadOS, so I'm only seeing it on MacOS. Of course, I still don't know what's actually happening... how are they replacing the linked page in the Google search results? Seems serious to me, but maybe not. "Alwayswantingtohelp1" didn't seem to think it worth trying the test search I suggested. 🙂🙃


I guesstimated that it started happening around Dec20, but I honestly can't remember precisely. It's been a while that's for sure and funnily enough, having not seen it for 2 or 3 weeks, I saw it again yesterday... although perhaps the reason I haven't seen it for a while, is because I don't click on links with an .it domain, or a link-name that is clearly garbage and as I say, if you choose the cached version of the page, you'll see the correct/unhacked page.
