After hacking your website, hackers will then take over your Google Search Console account to hide their infections

Sep 14, 2015 22:16 GMT  ·  By

A new hacking trick, in which attackers break into a website and then take over its Google Search Console account (formerly Webmaster Tools) to hide and prolong their infections, was discovered by Sucuri.

Google Webmaster Tools, rebranded as Google Search Console in May 2015, gives website owners tools to improve their search engine ranking by analyzing traffic, submitting updated sitemaps, and even detecting spam campaigns or malicious code on their domains.

It is a crucial tool for all webmasters who care about SEO and is widely used by almost all developers.

Attackers register their own account in the Google Search Console

According to Sucuri's staff, the inherent problem lies in how the service was designed to work. Because running a website usually involves a team of people ranging from developers to SEO experts, and from marketing personnel to sales people, the Search Console allows multiple users to register as the website's owner.

The simplest method is to upload an HTML verification file to the website's server, which the Google Search Console then fetches to confirm that the user controls the site. The problem with this is obvious: if a hacker has already gained access to a site, they can just as easily upload their own HTML verification file via FTP and be granted access to its Search Console.

Once verified on a hacked website, attackers can use it to submit new spammy pages to Google from a verified source, get statistics for their campaigns, receive notifications when their malicious code is identified by Google, and update sitemaps to hide their malicious attacks for even longer periods of time.

Naturally, Google sends email alerts whenever a new user is added to Search Console. But if a domain is unclaimed, or the other owners ignore these notifications, attackers can easily go undetected. They can also delete the HTML files the legitimate owners used to verify themselves from the site via FTP, effectively locking those owners out of the Search Console for that site.

And to be fair, it's quite easy to ignore these messages. Because developers and webmasters usually handle dozens of websites, these alerts are routinely overlooked or filtered out of the inbox into a special folder.

Removing a hacker from the Google Search Console is trickier than you'd think

In the cases where webmasters were able to identify intrusions, some of them found it really hard to remove the hackers from their Search Console. This was because attackers used a PHP script and various .htaccess rewrite rules to dynamically reproduce the HTML authentication file when it was removed.

Unless this PHP script was also identified and removed, attackers would have continued to have access to the Search Console for the specific website.
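The verification-file mechanism above and the rewrite-based persistence described in this section can be checked for with a small audit of the web root. The following script is an added example written for this article, not code from Sucuri or Google: it lists Google verification files whose token is not on the site owner's allowlist, and flags `.htaccess` rewrite rules that route requests for `google*.html` to a server-side script, which is the pattern that regenerates a deleted verification file on demand. The 16-hex-character token length, the sample file names, and the script path in the constructed `.htaccess` are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Google Search Console HTML verification files are named google<token>.html and
# sit at the site root. A 16-hex-character token is assumed for this example.
VERIFICATION_FILE_RE = re.compile(r"^google([0-9a-f]{16})\.html$", re.IGNORECASE)

# A RewriteRule whose pattern matches the verification file name and whose target
# is a script means the file is generated per request rather than served from disk,
# so deleting the file does not revoke the attacker's Search Console ownership.
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
SCRIPT_TARGET_RE = re.compile(r"\.(php|cgi|pl)\b", re.IGNORECASE)


def suspicious_rewrites(htaccess_text):
    """Return (line_no, rule) for rewrite rules that send google*.html to a script."""
    hits = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, target = m.group(1).lower(), m.group(2)
        if "google" in pattern and "html" in pattern and SCRIPT_TARGET_RE.search(target):
            hits.append((n, line.strip()))
    return hits


def unexpected_verification_files(webroot, known_tokens):
    """Return verification files at the web root whose token is not on the allowlist."""
    allowed = {t.lower() for t in known_tokens}
    found = []
    for p in Path(webroot).iterdir():
        m = VERIFICATION_FILE_RE.match(p.name)
        if m and m.group(1).lower() not in allowed:
            found.append(p.name)
    return sorted(found)


def audit_webroot(webroot, known_tokens):
    """Combine both checks into one report for a single web root."""
    htaccess = Path(webroot) / ".htaccess"
    text = htaccess.read_text() if htaccess.exists() else ""
    return {
        "unexpected_files": unexpected_verification_files(webroot, known_tokens),
        "suspicious_rewrites": suspicious_rewrites(text),
    }


def build_sample_webroot():
    """Constructed sample site: one legitimate file, one unknown file, one bad rule.
    Tokens and the script path are placeholders, not real indicators."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "google1111111111111111.html").write_text(
        "google-site-verification: google1111111111111111.html\n")
    (root / "google2222222222222222.html").write_text(
        "google-site-verification: google2222222222222222.html\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "RewriteRule ^google[0-9a-f]+\\.html$ some-script.php [L]\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    # The owner's own token is the only one on the allowlist.
    report = audit_webroot(sample, known_tokens={"1111111111111111"})
    for name in report["unexpected_files"]:
        print(f"unknown verification file: {name}")
    for line_no, rule in report["suspicious_rewrites"]:
        print(f".htaccess line {line_no} routes verification requests to a script: {rule}")
```

Run it against the real document root with the tokens of your own verification files in `known_tokens`; an unknown token or a flagged rewrite rule is the cue to remove both the file and the script behind it, and then to revoke the extra owner in Search Console.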

There are steps you can take to protect your sites

To prevent these types of intrusions, Sucuri advises webmasters to register in the Google Search Console as owners of all their domains, including all their subdomains.

To prevent attackers from simply deleting their verification HTML files, Sucuri also advises webmasters to use alternative verification methods, such as a DNS record at the domain name provider, a Google Analytics tracking code, or a Google Tag Manager container snippet.

Activating these alternative verification methods means that an attacker cannot remove you as the website owner unless they also compromise your domain registration or your Google account.

Additionally, all webmasters should actively search for "new owner" notifications on a daily basis in their inbox.