SEO Poisoning: Unofficial Malware Sites Ranking High for Software Searches

c9r

Kagi search results have been increasingly returning unofficial and malicious sources for well-known software downloads, including Mullvad VPN, KeePassXC, Amazon S3 Browser, EmEditor, PuTTY, etc. These results appear at or near the top, making them a genuine risk to users who may not scrutinize URLs carefully.

Some examples of malware-hosting domains (non-exhaustive):

mullvad-vpn[.]us[.]org
mullvad-download[.]org
mullvad-download[.]it[.]com
keepassxc[.]us[.]org
s3-browser[.]quest
s3-browser-download[.]blog
em-editor[.]co[.]com
emeditor-download[.]co[.]com
putty-setup[.]us[.]com

Though Kagi isn't alone here, Bing and DuckDuckGo are no different. However, testing the same queries on Google and Startpage (which proxy Google) showed these domains either absent or significantly deprioritized. Google appears to be doing a better job filtering them out.

That said, Kagi is a paid subscription service,and that comes with a higher expectation of safety and result quality. Surfacing typosquatting and malware distribution sites, especially for popular tools is a serious concern. At minimum, these domains should not appear in top results; ideally, they should be blocklisted entirely.

Pleonasm

c9r Kagi is a paid subscription service, and that comes with a higher expectation of safety and result quality. Surfacing typosquatting and malware distribution sites, especially for popular tools is a serious concern. At minimum, these domains should not appear in top results; ideally, they should be blocklisted entirely.

I raised this same concern with Kagi Support about six months ago and, unfortunately, their position at the time was essentially "it's not our problem." Kagi appeared to be comfortable in relying exclusively on their search sources to suppress malware results.

I strongly encourage Kagi to reconsider, and prioritize this product enhancement. A "premium" search product, in my opinion, should obviously encompass a proactive and superior service to actively suppress malware links in the search results.

nobodywasishere

c9r None of these domains are in upstream scam lists like URLhaus or big oisd, I would recommend reporting them there, and we will look into adding them to our own internal scam list

MustafaD

ABSOLUTELY. Strong case here.

MustafaD

I would like to add this suggestion: like AI slop ('report as AI-generated'), we could have a 'report as phishing' option under the shield icon 🛡.

MustafaD

MustafaD suggested (#10330) 🙂

kirkmc

As I commented on the other post, this isn't phishing, but there should be a way to report these.

MustafaD

I would find it really valuable when I —God willing— add members to my family subscription to be assured those notorious fake product download pages do not appear. My family might not be tech savvy. So I agree with Pleonasm.

Pleonasm

I am writing to raise the visibility of this issue within the Kagi community; and, to ask with respect, Kagi to respond with a statement clarifying their position on whether Kagi Search will be enhanced to actively suppress malware within search results.

Does Kagi not recognize that the existence of the issue is inconsistent with their goal of delivering "a safer and more productive search experience" to families?
What is the Kagi development team doing that is more important?
What is preventing Kagi from suppressing malware within search results using a resource such as URLhaus?
Does Kagi understand the marketing benefit that could arise from adding this capability?

nobodywasishere

Pleonasm

Yes we should be taking more steps to filter out malicious domains, as we have with nsfw domains a bit ago, pulling in trusted external sources. We already pull from a few scam lists but that can be expanded
Working on populating domain information from the index team into our domain info database for ads / trackers / rss links / etc. Automating scam lists can be a next step as part of that
We already use URLhaus and some others
Yes

Pleonasm

This thread has been active for five days and Kagi has yet to add an "Under Review" tag, perhaps suggesting that the goal of improving search result quality by actively suppressing malware websites is not of interest?

cc: @nobodywasishere

Pleonasm

Thank you, @nobodywasishere, for your clarifications and assistance. I hope you are successful in your quest to enhance the ability of Kagi Search "to filter out malicious domains" and I encourage Kagi to prioritize those foundational efforts. While Kagi will never be a primary security solution, it should be a robust first line of defense against malware, IMO.

Personally, I would be willing to pay a separate fee for an advanced Kagi add-on service that suppresses malware domains from search results that is built on a professional resource (e.g., the Web Reputation Feed by Bitdefender that "...draws on data from our global telemetry, encompassing over 500 million sensors, to expose malicious URLs, domains...").