I don’t take negative SEO lightly–it’s something that is certainly something that can be difficult to deal with and identify if your website is the victim of a negative SEO attack. In the past week, I’ve had several different people I know tell me about the same issue they’re having. They all have had the same thing happen to them: someone supposedly reported their website as having malware. But, their websites do not have malware. Google apparently has flagged the websites with a malware-like notice in the search results, and notified the website owners of the malware in Google Search Console.
Here are the details of several cases involving allegedly false malware reports that have been reported to me:
- In one case, the website owner was notified via Google Search Console that their websites had malware–multiple websites. But, it did not exist on any of the websites. The webmaster filed a reconsideration request and the malware warnings and notices were removed.
- In another case, someone in the SEO Community shared that some of their client websites also were hit with malware notices in Google Search Console. There were no URLs listed as examples, which made this person believe they were false alarms. They submitted reconsideration requests, and those were approved within 6 hours. This is the second time this has happened within the past few months.
- In another case, it involved one website, which happened to be a static html website. This person told me that “Google gives no help in what to look for… They claim to have “detected” but the site in question is static html so the claim is BS”. They went on to tell me that the negative SEO attacker submitted a malware report “about a site and of course it doesn’t exist”… and “this counts as Google detected malware”. They went on to tell me that “Google’s response it that I should either take it to the webmaster forums of hire a professional security company and the wont tell me what they “detected” because we both know they didnt detect anything.”
I know this person’s amount of technical expertise (being a very skilled web developer), and do trust what they are saying even though I have not looked at the website in question.
That’s three separate cases, all unrelated to each other (they don’t know each other at all), and they’ve all been claiming the same related experience: false malware reports about websites very recently.
Reporting Malware
Google has a form where you can submit a malware report about a web page. You do not have to be logged in, and you don’t have to give your email address before you submit the form. All you have to do is enter the URL, click “I’m not a robot”, and optionally include any other information.
I don’t know if the results of this form then start a manual or automated process at Google to check a web page for malware. However, in the case of the static html web page, I did talk to the person reporting this to me and the page should have never been flagged.
I find it very interesting that several people, all unrelated to each other, have reported that the malware reporting form from Google is apparently responsible for malware being reported on their websites when there is no malware on the websites. Two people reported it directly to me, another posted about it in a private forum that I participate in regularly.
If the malware reporting form starts an automated process at Google, then the reports need to be manually reviewed. In either case, even if it’s manually reviewed, some claim that the process is still exploitable.
After all these years, there still is nothing in Google’s Webmaster Guidelines about negative SEO.
Malware and Redirects
After posting this, Ryan reminded me that there’s also the potential for a redirected domain to be given malware, as well. If a URL on your site redirects to another site that contains malware, it’s quite possible that your site will receive the malware warning, as well (both sites get the malware warning). You can follow the thread here.
