So it appears that one of the major targets is the “Language” attribute of your referrals. But, since they all refer to the same, fake, domain we can easily filter these out.
Normally, you’ll see things like
en-us, or maybe
(not set) but currently there are some being injected that make reference to a fake version of Google, using a non-standard “G” to trick you. You might not even see this text unless you have the “User > Language” data being shown on your referrals but it’s likely there. Once you’ve set up the filter you’ll see how many actual references there are when you “verify” it.