Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search

Not to be confused with Googe and Gaggle

TypeBrowser hijacker
OriginAshburn, Virginia
Programming LanguageHTML, JavaScript, and CSS
File TypeHyperText Markup Language (.html,.htm)
This box: view  talk  edit

Goggle.com was considered by some to be a dangerous typosquatting site for Google.com made in 1998 (but turned into malicious site in 2004). It would appear if a user mistyped the domain "Google.com". However, "goggle" is a defined word to mean "to stare with wide or protuberant eyes ". Additionally, Google has apparently agreed that "the word goggle will not be considered as a misspelling of the word google."

The website was active from 2004 to 2007. Once it was accessed, the domain would instantly download several viruses and other malware and start to spam pop-ups, some of which containing pornographic imagery. In addition to the malware it downloaded on the victim's computer, it used the WMF exploit to install the rogue antivirus SpySheriff. All the malware together had the potential to damage the computer severely and may require the victim to re-install their operating system, losing all of their files and data on the computer. In 2006, the site was used as a video/ad for McAfee SiteAdvisor (Now McAfee WebAdvisor) by Greg Bertrand.

Goggle.com and Goggle.org are blacklisted from the Wayback Machine.


2004 - 2019

In 2006, The Site was featured in a McAfee SiteAdvisor (Now McAfee WebAdvisor) video/ad by Greg Bertrand as "Spyware Rubbernecking" in which the person in the video goes to Goggle.com. The song used in the video is Stipendium Peccati. It was uploaded on September 29th, 2006 by YouTube User Shane Keats. However, the McAfee ad is the only known documented video in 2006, As of 2007, Google was offered the right of first refusal to purchase goggle.com but declined, in 2009 became a survey that a user could take in order to win popular gadgets, such as an iPhone or an iPad. The survey was taken down in either 2012 or 2013.

As of 2011, Google Inc. filed a second UDRP complaint against Goggle.com, Inc. over the domain goggle.com. (It previously filed a UDRP complaint against Knowledge Associates over the domain goggle.com but had entered into a settlement agreement which allowed Knowledge Associates to continue to use/own goggle.com. Later, Google was offered the right of first refusal to purchase goggle.com but declined.) Google did not submit the pre-existing settlement agreement regarding goggle.com and "the only reference to the fact of its existence was hidden away in the only footnote to its entire 15-page Complaint." Goggle.com Inc. submitted the "Co-existence Agreement" which allows for the use of goggle.com subject to certain terms and conditions.

The UDRP was resolved on the basis of the panel declining jurisdiction. As an assignee of the original Co-existence Agreement, there exists a contractual agreement between Google Inc and Goggle.com Inc in relation to the registration and use of the domain name,

"The Panel declines jurisdiction over this Complaint". What the panel decided is that the UDRP didn't apply to the dispute. There was no determination made of any UDRP element.

As of 2016, The survey was brought back, but instead of the free iPhone "offer" at the end, it redirects the user to a "free movie" phishing website based in Cyprus. However, if the visitor removes everything after "registration" in the URL for that site, it turns out to actually be a game host. It is unable to infect iOS devices. However, In late 2016, the site was turned into a shopping site, although all of its entries would just redirect to Amazon entries, After one year later, The domain website appeared to be dead since there was nothing on its HTML data other than the word "goggle".

2019 - present

It used to redirect to tango-deg.com, which is either a shut-down web page, a fake Adobe Flash Update, or a survey scam that depends on the region the user lives in.

As of August 2019, it will redirect depending on the region the user lives in. In the United States, it will currently redirect to top5-bestmealdelivery.com. A "Top 5 Meal Delivery Service" Comparison website, making it, for now, an inactive virus. In some areas, it will take the user to a holding page with nothing but the text "Goggle.com Inc." on the top left, as the redirect code doesn't activate.

As of September 19th, 2019, it also used redirects to a survey which says with a banner: "Your opinion is important. This 25-second US election study is being conducted by Goggle Inc. powered by RlWl. No personally identifiable data are collected." In some areas, it will still take the user to the "Goggle.com Inc." page, but this time the domain name redirects to blog.goggle.com. 

In October 2019, it redirects to blog.goggle.com which hosted presets for Photoshop and Lightroom for $27 which was Copyright by Tim Shields Landscape Photography, before it was moved to a blogging site.  

In November 2019, it became a blogging site, in some places, the website refused to load (likely offline).  

As of November 24, 2019, there is a redirect to a US politics survey at goggle.com and a "diary" about updates on American politics (no redirect) at blog.google.com. These may or may not be related. In addition, there's more supporting evidence that these two different polls are related rather than not, such as RIWI being mentioned as an important middleman for gathering voting data on both of the sites.

As of November 24, 2019, at an unknown time, the domain was later purchased by another unknown source, it became a redirect to a poll that was the same redirect in the old Googe, which told the user to enter their age, and gender. This website may redirect to a malicious add-on for Google Chrome. It may also redirect to a pornographic website, which crashed if the user tried to exit it, As of December 2020, it redirects to "Goggle.com Data Diary", a political blog now hosted by WordPress. This blog does not contain any active malware.