Website hackers hijack Google webmaster tools to prolong infections

11.09.2015
Hackers who compromise websites are also increasingly verifying themselves as the owners of those properties in Google's Search Console. Under certain circumstances this could allow them to remain undetected longer than they otherwise would be, researchers warn.

The Google Search Console, formerly known as the Google Webmaster Tools, is a very useful service for administrators to understand how their websites perform in search results.

In addition to providing analytics about search queries and traffic, it also allows webmasters to submit new content for crawling and to receive alerts when Google detects malware or spam issues on their websites.

That last part is very important, because website infections can quickly lead to lost traffic and reputation. Users who click on links in search results that lead to websites hosting malware or spam will receive scary warnings until those websites are cleaned by their owners.

Google allows more than one person to claim ownership of a website, each in his or her own Search Console account. That's not unusual because running a website usually involves multiple people. The owner, the site administrator and the search optimization specialist can be, and often are, separate individuals, and they can all benefit from the Search Console data in their respective roles.

Getting verified as a website owner in the context of the Google Search Console can be done in different ways, but the easiest is to upload an HTML file with a code that's unique for every user into the website's root folder.

However, many of the vulnerabilities that allow attackers to inject malicious code into websites also give them the ability to create rogue files on the underlying Web servers. Therefore, they can use such flaws to verify themselves as new website owners in the Google Search Console by creating the needed HTML files.

Such abuses are actually increasingly common, according to researchers from Web security firm Sucuri, who have seen many webmasters complaining on technical support forums about rogue owners showing up in their Google Search Console.

In one case, a webmaster found over one hundred "verified owners" listed in his console, the Sucuri researchers said in a blog post.

Many hackers use compromised websites to create rogue pages that abuse their search rankings to drive traffic to spam content. Those pages are known as doorways and the technique is called black hat search engine optimization (BHSEO).

According to the Sucuri researchers, by becoming verified owners for compromised websites, attackers can track how well their BHSEO campaigns perform in Google Search. They can also submit new spam pages to be indexed faster instead of waiting for them to be discovered naturally by Google's search robots, they can receive alerts if Google flags the websites as compromised, and, most importantly, they can remove legitimate owners of the site from the Search Console.

When a new owner is verified for a website, existing owners will receive email notifications from Google. However, those notifications can be easy to miss for a variety of reasons -- for example, if they go to an email address that's rarely checked, if they get lost among other automated and non-urgent notifications received on a busy day or if they arrive during holidays or vacations.

If the legitimate owners don't read the notifications and take immediate action, the attackers can actually remove them from the Search Console verification list by deleting their HTML verification files from the server. This will trigger no notifications to the real owners, according to Sucuri senior malware researcher Denis Sinegubko.

If Google later detects a website compromise and automatically alerts its verified owners, only the attackers will get the notification, Sinegubko said. They can then temporarily remove their doorways, request a review from the Google antispam team to get the website unblocked in search results and put the doorways back with different URL patterns, he said.

If the real owners are no longer verified, it will take them a long time to realize that something happened, if they ever do. Meanwhile, the attackers will continue to exploit the website.

Even if the real owners spot the rogue owners, it's not always easy to remove them.

The Sucuri researchers have seen tricks used by attackers that rely on URL rewrite rules in the .htaccess configuration file and dynamically generated pages. These result in Google's verification robots detecting the necessary HTML files even if they don't physically exist on the server, so the real administrators can't find them.
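For administrators checking their own server, the following added example (not code from Sucuri or from this article) walks a document root, lists verification files that no legitimate owner created, and flags .htaccess rewrite directives that could answer for verification files that are not on disk. The file-name pattern, the sample tokens and the `handler.php` target are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: verification files are named "google" + 16 hex characters + ".html".
VERIFY_NAME = re.compile(r"^google[0-9a-f]{16}\.html$")
# Rewrite/redirect directives that mention google*.html style resources.
REWRITE = re.compile(r"^\s*(RewriteRule|RewriteCond|RedirectMatch)\b.*google", re.I)


def audit_webroot(webroot, known_files):
    """Return (unknown_files, suspicious_rules) for a document root.

    known_files: verification file names the legitimate owners created.
    """
    unknown, rules = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if VERIFY_NAME.match(name) and name not in known_files:
                unknown.append(rel)
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if REWRITE.search(line):
                            rules.append((rel, lineno, line.strip()))
    return sorted(unknown), rules


def demo():
    """Run the audit over a constructed sample site in a temp directory."""
    ours = "google0123456789abcdef.html"      # constructed: legitimate owner
    other = "googlefedcba9876543210.html"     # constructed: nobody on the team made it
    htaccess = (
        "RewriteEngine On\n"
        "RewriteRule ^index\\.html$ /home [L]\n"
        # constructed rule that answers for files that are not on disk
        "RewriteRule ^google[0-9a-f]+\\.html$ /handler.php [L]\n"
    )
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((ours, "ok"), (other, "ok"), (".htaccess", htaccess)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return audit_webroot(root, known_files={ours})


if __name__ == "__main__":
    unknown, rules = demo()
    print("unknown verification files:", unknown)
    for path, lineno, text in rules:
        print(f"{path}:{lineno}: {text}")
```

A file scan like this does not see verification pages generated dynamically by application code, so an owner list in the Search Console that does not match the files on disk is itself a finding to investigate.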

Webmasters can take several actions to prepare themselves for such attacks, according to Sinegubko.

First, they should make sure that they verify themselves as owners for all of their websites, even if they don't plan to use the Google Search Console very often.

When they do this, they should opt for alternative verification methods that Google accepts and which are not easy to remove without attackers also compromising their Google or domain registration accounts. This will prevent attackers from removing their verification by simply deleting files from the server.

Finally, whenever they receive "new owner" notifications from Google, webmasters should thoroughly investigate them.

"In most cases it means that they had full access to your site, so you should close all the security holes and remove any malicious content that the hackers might have already created on your site," Sinegubko said.

Lucian Constantin
