
Attackers Use Google Search Console to Hide Website Hacks

Google Search Console, known until May 2015 as Google Webmaster Tools, has been abused by malicious actors to improve blackhat search engine optimization (SEO) techniques and hide their presence on hijacked websites.


Cybercriminals often hijack legitimate websites for the benefit of their spam and malware operations. They are also increasingly abusing legitimate webmaster tools, researchers at web security company Sucuri warned last week.

Google Search Console is useful for webmasters because it allows them to improve search result performance, and quickly identify configuration and security issues. However, the features offered by the Google webmaster tool can also be highly useful to attackers.

They can use the console to collect statistics on their campaigns (e.g. clicks, search result stats, impressions), submit sitemaps to make their spammy pages easier to find by Google and possibly pass them off as legitimate, receive notifications when their hack is detected, and unverify legitimate owners to prevent them from learning that their website has been compromised.

As Sucuri pointed out, cybercriminals can easily verify ownership of a hijacked website in Google Search Console. There are several ways they can do this, but the most popular method seen by researchers involves uploading an HTML file provided by Google to the hijacked website. By having access to the site, they don’t need to hack the legitimate owner’s Google account to gain “owner” status in Search Console.

Google allows each website to have multiple owners. However, when a new owner is verified, all existing owners receive a notification email informing them that a new user has been added.

When website owners get this alert email and they know that no users should have been added, they can quickly take action to revoke the attacker’s access. However, if they don’t notice the email, the attacker can unverify them so that they no longer receive any notifications from Google. This allows the hacker to hide the infection and even trick Google’s threat detection systems into classifying the site as being clean by temporarily removing malicious code and requesting a new review from the search giant.


The problem, according to Sucuri, is that legitimate owners are not notified when they have been unverified. Furthermore, if webmasters don’t add every version and all subdomains of their website to the Search Console, they will not get a notification if a new owner is added. For example, a webmaster needs to verify not just http://, but also http://www., https://, and http://

Sucuri says it has spotted many forum posts from webmasters who noticed multiple new owners being added to their Search Console accounts. Some legitimate owners experienced difficulties in removing the malicious users because they could not find the files uploaded to the server by the attackers during the verification process. In some cases, even if the verification file is deleted, it might not be enough to remove the malicious webmaster.

“Usually these files are being uploaded via vulnerabilities in web applications or via backdoors that hackers install after breaking into websites. That’s why deleting the file and changing FTP passwords is usually not enough,” explained Denis Sinegubko, founder of Unmask Parasites and senior malware researcher at Sucuri.

The analysis of a Japanese spam campaign that uses tens of thousands of websites as “doorway” pages leading to ads for cheap and fake items has revealed why it’s difficult for many victims to find the malicious ownership verification file.

The attackers use a PHP script that adds rewrite rules to the .htaccess file and makes it look like the spam and verification files are at the top level of the website when they are actually hidden in a subfolder.

This is possible because attackers often verify ownership of the subdirectories containing their spammy pages and malicious code, not the site’s root level. Furthermore, the verification files can be difficult to detect if their content is generated dynamically by the malicious PHP script.
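A defender can check for the hiding technique described above by auditing the site's .htaccess and file listing together. The following is an added example, not code from Sucuri or from this article; it assumes HTML verification files follow the `google<hex>.html` naming, and the rewrite rules, paths and file names in the sample input are constructed.

```python
import re
from pathlib import PurePosixPath

# Assumption: HTML verification files follow the google<hex>.html naming.
VERIF_NAME = re.compile(r"google[0-9a-f]{8,}\.html", re.I)
REWRITE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
PROBE = "google0123456789abcdef.html"  # constructed file name, not a real token


def audit(htaccess_text, site_files, known_good=()):
    """Return (kind, detail) findings for a site's .htaccess and file listing."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = REWRITE.match(line)
        if not m:
            continue
        pattern, target = m.groups()
        try:
            hits = re.search(pattern, PROBE) is not None
        except re.error:  # PCRE construct that Python's re cannot parse
            hits = "google" in pattern.lower()
        if hits and target != "-":
            # A request for a top-level verification file is answered from elsewhere.
            kind = "dynamic" if ".php" in target.lower() else "relocated"
            findings.append((kind, f".htaccess:{lineno} {pattern} -> {target}"))
    for path in site_files:
        p = PurePosixPath(path)
        if VERIF_NAME.fullmatch(p.name) and p.name not in known_good:
            kind = "subdir-file" if len(p.parts) > 1 else "unknown-root-file"
            findings.append((kind, path))
    return findings


# Constructed sample input (rules, paths and file names are illustrative only)
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
RewriteRule ^(google[0-9a-f]+\\.html)$ wp-content/cache/x/gen.php?f=$1 [L]
RewriteRule ^shop/(.*)$ wp-content/cache/x/pages/$1 [L]
"""
SAMPLE_FILES = ["index.php", "google1111aaaa2222bbbb.html",
                "wp-content/cache/x/googlecccc3333dddd4444.html"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTACCESS, SAMPLE_FILES,
                         known_good={"google1111aaaa2222bbbb.html"}):
        print(*finding)
```

Catch-all front-controller rules also match the probe name, so review each flagged rule together with its `RewriteCond` lines before treating it as malicious.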

Sucuri advises webmasters to verify ownership of all their websites, including their subdomains, to ensure that they are notified in case of an attack. Administrators should take these notifications seriously and take immediate action to block the attack and identify its source, the security firm said. In order to prevent malicious actors from removing them as owners, webmasters should verify ownership via a domain name provider, via a Google Analytics tracking code, or via a Google Tag Manager container snippet.

While Google has done a pretty good job at alerting website administrators, Sucuri believes the Internet giant should also send out notifications when an owner is unverified, and even automatically take action when suspicious activity is detected (e.g. when many accounts are verified in a short period of time).

“Verification of malicious users as site owners in Google Search Console is a relatively new phenomenon and it’s still not clear if this is something that hackers will adopt as a useful tool in their arsenal or abandon as something of questionable value. In either case, site owners should be prepared for such attacks and even take advantage of Google’s notification system,” Sinegubko said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
