Website hackers hijack Google webmaster tools to prolong infections

Webmasters should regularly check the list of verified owners for their websites in the Google Search Console

Hackers who compromise websites are also increasingly verifying themselves as the owners of those properties in Google's Search Console. Under certain circumstances this could allow them to remain undetected longer than they otherwise would be, researchers warn.

The Google Search Console, formerly known as the Google Webmaster Tools, is a very useful service for administrators to understand how their websites perform in search results.

In addition to providing analytics about search queries and traffic, it also allows webmasters to submit new content for crawling and to receive alerts when Google detects malware or spam issues on their websites.

That last part is very important, because website infections can quickly lead to lost traffic and reputation. Users who click on links in search results that lead to websites hosting malware or spam will receive scary warnings until those websites are cleaned by their owners.

Google allows more than one person to claim ownership of a website, each in his or her own Search Console account. That's not unusual because running a website usually involves multiple people. The owner, the site administrator and the search optimization specialist can be, and often are, separate individuals, and they can all benefit from the Search Console data in their respective roles.

Getting verified as a website owner in the context of the Google Search Console can be done in different ways, but the easiest is to upload an HTML file with a code that's unique for every user into the website's root folder.

However, many of the vulnerabilities that allow attackers to inject malicious code into websites also give them the ability to create rogue files on the underlying Web servers. Therefore, they can use such flaws to verify themselves as new website owners in the Google Search Console by creating the needed HTML files.

Such abuses are actually increasingly common, according to researchers from Web security firm Sucuri, who have seen many webmasters complaining on technical support forums about rogue owners showing up in their Google Search Console.

In one case, a webmaster found over one hundred "verified owners" listed in his console, the Sucuri researchers said in a blog post.

Many hackers use compromised websites to create rogue pages that abuse their search rankings to drive traffic to spam content. Those pages are known as doorways and the technique is called black hat search engine optimization (BHSEO).

According to the Sucuri researchers, by becoming verified owners for compromised websites, attackers can track how well their BHSEO campaigns perform in Google Search. They can also submit new spam pages to be indexed faster instead of waiting for them to be discovered naturally by Google's search robots, they can receive alerts if Google flags the websites as compromised, and, most importantly, they can remove legitimate owners of the site from the Search Console.

When a new owner is verified for a website, existing owners will receive email notifications from Google. However, those notifications can be easy to miss for a variety of reasons -- for example, if they go to an email address that's rarely checked, if they get lost among other automated and non-urgent notifications received on a busy day or if they arrive during holidays or vacations.

If the legitimate owners don't read the notifications and take immediate action, the attackers can actually remove them from the Search Console verification list by deleting their HTML verification files from the server. This will trigger no notifications to the real owners, according to Sucuri senior malware researcher Denis Sinegubko.

If Google later detects a website compromise and automatically alerts its verified owners, only the attackers will get the notification, Sinegubko said. They can then temporarily remove their doorways, request a review from the Google antispam team to get the website unblocked in search results and put the doorways back with different URL patterns, he said.

If the real owners are no longer verified, it will take them a long time to realize that something happened, if they ever do. Meanwhile, the attackers will continue to exploit the website.

Even if the real owners spot the rogue owners, it's not always easy to remove them.

The Sucuri researchers have seen tricks used by attackers that rely on URL rewrite rules in the .htaccess configuration file and dynamically generated pages. With these, Google's verification robots detect the necessary HTML files even though the files don't physically exist on the server, so the real administrators can't find them.

Webmasters can take several actions to prepare themselves for such attacks, according to Sinegubko.

First, they should make sure that they verify themselves as owners for all of their websites, even if they don't plan to use the Google Search Console very often.

When they do this, they should opt for alternative verification methods that Google accepts and which are not easy to remove without attackers also compromising their Google or domain registration accounts. This will prevent attackers from removing their verification by simply deleting files from the server.

Finally, whenever they receive "new owner" notifications from Google, webmasters should thoroughly investigate them.

"In most cases it means that they had full access to your site, so you should close all the security holes and remove any malicious content that the hackers might have already created on your site," Sinegubko said.
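As part of investigating a "new owner" notification, an administrator can audit the web root for verification files nobody on the team created and for rewrite rules that could answer verification requests without a file on disk. The script below is an added example, not code from Sucuri or the original article; the `google<16 hex characters>.html` file-name pattern, the allowlist, and every sample file, including the hypothetical `verify.php`, are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: verification files are named google<16 hex chars>.html and
# contain "google-site-verification: <filename>".
VERIFY_NAME = re.compile(r"^google[0-9a-f]{16}\.html$")
# Rewrite directives that mention "google" can answer verification requests
# for files that do not exist on disk, so they deserve a manual look.
REWRITE = re.compile(r"^\s*Rewrite(Rule|Cond)\b.*google", re.IGNORECASE)


def audit_webroot(root, known_files):
    """Return (unknown verification files, suspicious .htaccess lines)."""
    root = Path(root)
    rogue = sorted(
        p.name for p in root.iterdir()
        if p.is_file() and VERIFY_NAME.match(p.name) and p.name not in known_files
    )
    suspicious = []
    for ht in sorted(root.rglob(".htaccess")):
        for n, line in enumerate(ht.read_text(errors="replace").splitlines(), 1):
            if REWRITE.match(line):
                suspicious.append((str(ht.relative_to(root)), n, line.strip()))
    return rogue, suspicious


def demo():
    """Run the audit over a constructed web root (all values are made up)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        mine = "google0123456789abcdef.html"    # the legitimate owner's file
        other = "googlefedcba9876543210.html"   # not on the team's allowlist
        for name in (mine, other):
            (root / name).write_text(f"google-site-verification: {name}\n")
        (root / "index.html").write_text("<h1>home</h1>\n")
        (root / ".htaccess").write_text(
            "RewriteEngine On\n"
            "RewriteRule ^google([0-9a-f]+)\\.html$ verify.php?t=$1 [L]\n"
        )
        return audit_webroot(root, known_files={mine})


if __name__ == "__main__":
    rogue, suspicious = demo()
    print("unknown verification files:", rogue)
    for path, lineno, text in suspicious:
        print(f"{path}:{lineno}: {text}")
```

Anything the audit reports should be compared against the list of verified owners shown in the Search Console itself, since that list is the authoritative record of who is verified.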


Lucian Constantin

IDG News Service