Security Experts:

Attackers Use Google Search Console to Hide Website Hacks

Google Search Console, known until May 2015 as Google Webmaster Tools, has been abused by malicious actors to improve blackhat search engine optimization (SEO) techniques and hide their presence on hijacked websites.

Cybercriminals often hijack legitimate websites for the benefit of their spam and malware operations. They are also increasingly abusing legitimate webmaster tools, researchers at web security company Sucuri warned last week.

Google Search Console is useful for webmasters because it allows them to improve search result performance, and quickly identify configuration and security issues. However, the features offered by the Google webmaster tool can also be highly useful to attackers.

They can use the console to collect statistics on their campaigns (e.g. clicks, search result stats, impressions), submit sitemaps to make their spammy pages easier to find by Google and possibly pass them off as legitimate, receive notifications when their hack is detected, and unverify legitimate owners to prevent them from learning that their website has been compromised.

As Sucuri pointed out, cybercriminals can easily verify ownership of a hijacked website in Google Search Console. There are several ways they can do this, but the most popular method seen by researchers involves uploading an HTML file provided by Google to the hijacked website. By having access to the site, they don’t need to hack the legitimate owner’s Google account to gain “owner” status in Search Console.

Google allows each website to have multiple owners. However, when a new owner is verifier, all existing owners receive a notification email which informs them that a new user has been added.

When website owners get this alert email and they know that no users should have been added, they can quickly take action to revoke the attacker’s access. However, if they don’t notice the email, the attacker can unverify them so that they no longer receive any notifications from Google. This allows the hacker to hide the infection and even trick Google’s threat detection systems into classifying the site as being clean by temporarily removing malicious code and requesting a new review from the search giant.

The problem, according to Sucuri, is that legitimate owners are not notified when they have been unverified. Furthermore, if webmasters don’t add every version and all subdomains of their website to the Search Console, they will not get a notification if a new owner is added. For example, a webmaster needs to verify not just http://, but also http:// www., https://, and http://

Sucuri says it has spotted many forum posts from webmasters who noticed multiple new owners being added to their Search Console accounts. Some legitimate owners experienced difficulties in removing the malicious users because they could not find the files uploaded to the server by the attackers during the verification process. In some cases, even if the verification file is deleted, it might not be enough to remove the malicious webmaster.

“Usually these files are being uploaded via vulnerabilities in web applications or via backdoors that hackers install after breaking into websites. That’s why deleting the file and changing FTP passwords is usually not enough,” explained Denis Sinegubko, founder of Unmask Parasites and senior malware researcher at Sucuri.

The analysis of a Japanese spam campaign that uses tens of thousands of websites as “doorway” pages leading to ads for cheap and fake items has revealed why it’s difficult for many victims to find the malicious ownership verification file.

The attackers use a PHP script that adds rewrite rules to the .htaccess file and makes it look like the spam and verification files are at the top level of the website when they are actually hidden in a subfolder.

This is possible because attackers often verify ownership of the subdirectories containing their spammy pages and malicious code, not the site’s root level. Furthermore, the verification files can be difficult to detect if their content is generated dynamically by the malicious PHP script.

Sucuri advises webmasters to verify ownership of all their websites, including their subdomains, to ensure that they are notified in case of an attack. Administrators should take these notifications seriously and take immediate action to block the attack and identify its source, the security firm said. In order to prevent malicious actors from removing them as owners, webmasters should verify ownership via a domain name provider, via a Google Analytics tracking code, or via a Google Tag Manager container snippet.

While Google has done a pretty good job at alerting website administrators, Sucuri believes the Internet giant should also send out notifications when an owner is unverified, and even automatically take action when suspicious activity is detected (e.g. when many accounts are verified in a short period of time).

“Verification of malicious users as site owners in Google Search Console is a relatively new phenomenon and it’s still not clear if this is something that hackers will adopt as a useful tool in their arsenal or abandon as something of questionable value. In either case, site owners should be prepared for such attacks and even take advantage of the Google’s notification system,” Sinegubko said.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.