Pierluigi Paganini September 15, 2015

Experts at Sucuri revealed that cybercriminals are abusing Google Search Console to hide their presence in compromised websites, administrators are advised!

Security experts at Sucuri firm have discovered cyber criminals are increasingly abusing legitimate webmaster tools (Google Search Console) for black hat SEO and hide their presence on compromised websites.

The operation for crooks is quite simple, they just need to upload an HTML file provided by Google to the hijacked website.

“When hackers get access to a website, it’s easy for them to create this file and verify themselves as an owner. Here is some further evidence from the forum:

• Search Console Account Hacked: “An HTML verification file is being placed on my server in the root directory. I am not placing it there, and it’s not being placed there using my FTP account.”
• Unauthorized verification of webmaster owners: “And in my site’s file manager, I spotted these whole verification HTML files just created recently, and I have deleted those unknown files.“

Usually these files are being uploaded via vulnerabilities in web applications or via backdoors that hackers install after breaking into websites. That’s why deleting the file and changing FTP passwords is usually not enough” explained by Sucuri.

With this trick, cyber criminals don’t need to hack the legitimate owner’s Google account to assign their profile the status of “owner” in the Google Search Console.

Google allows each website to have multiple owners, but when a new one is verified, all the other owners receive a notification email. The email is sent to alert them and allow them to revoke the new ownership in case of abuses. The problem is that if the legitimate owners don’t see the notification email, the attacker can revoke their status of “verified” owner so that they no longer receive any notifications.

In this way, attackers can hide their presence and avoid Google’s threat detection systems.

As explained by Sucuri, the problem is related to the lack of notification to the legitimate owners when they have been unverified.

The researchers have discovered many forum posts from webmasters of various websites who noticed multiple new owners being added to their Google Search Console accounts.

The experts at security recommend webmasters to verify ownership of all their websites, including their subdomains, a prompt response is an effective defense against such attacks.

Experts at Sucuri suggested the following methods to avoid attackers to be able to easily unverify your account:

• Via a domain name provider;
• Via a Google Analytics tracking code;
• Via a Google Tag Manager container snippet.

Unlike the HTML file and the Meta tag verification methods, these three require hackers to have access to your Google and domain name registrar accounts in order to be able to unverify you.

Pierluigi Paganini

(Security Affairs – Google Search Console, cybercrime)