Google Search Console as Hacker Tool

Tuesday, September 15, 2015 @ 05:09 PM gHale

Bad guys are attacking the Google Search Console in an effort to improve blackhat search engine optimization (SEO) techniques and also hide their presence.

Up until May 2015 the Google Search Console was Google Webmaster Tools.


Attackers often hijack legitimate websites to aid their spam and malware operations. They are also increasingly abusing legitimate webmaster tools, researchers at web security company Sucuri said.
Google Search Console is useful for webmasters because it allows them to improve search result performance and quickly identify configuration and security issues. However, the features offered by the Google webmaster tool are also valuable to attackers.

They can use the console to collect statistics on their campaigns (e.g. clicks, search result stats, impressions), submit sitemaps to make their spammy pages easier for Google to find and possibly pass them off as legitimate, receive notifications when their hack is detected, and unverify legitimate owners to prevent them from learning that their website has been compromised.

As Sucuri pointed out, cybercriminals can easily verify ownership of a hijacked website in Google Search Console. There are several ways they can do this, but the most popular method involves uploading an HTML file provided by Google to the hijacked website. By having access to the site, they don’t need to hack the legitimate owner’s Google account to gain “owner” status in Search Console.

Google allows each website to have multiple owners. However, when a new owner is verified, all existing owners receive a notification email informing them that a new user has been added.

When website owners get this alert email and they know they added no users, they can quickly take action to revoke the attacker’s access. However, if they don’t notice the email, the attacker can unverify them so they no longer receive any notifications from Google. This allows the hacker to hide the infection and even trick Google’s threat detection systems into classifying the site as being clean by temporarily removing malicious code and requesting a new review from the search giant.

The problem, according to Sucuri, is that legitimate owners do not receive a notification when they have been unverified. Furthermore, if webmasters don’t add every version and all subdomains of their website to the Search Console, they will not get a notification when a new owner is added.
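
Because the notification email can be missed, a site owner can also check the web root directly for verification files they did not upload. The following is an added example, not code from Sucuri or the original article; it assumes Google's HTML verification files are named `google<token>.html` with a body beginning `google-site-verification:`, and the helper names, sample tokens and sample web root are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: Google's HTML verification file is named google<token>.html
# and its body starts with "google-site-verification:".
VERIF_NAME = re.compile(r"^google([0-9a-z]+)\.html$", re.IGNORECASE)
VERIF_BODY = "google-site-verification:"


def find_verification_files(webroot):
    """Return sorted (relative_path, token, body_matches) for candidate files."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            m = VERIF_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                body = fh.read(512)
            rel = os.path.relpath(path, webroot)
            hits.append((rel, m.group(1).lower(), VERIF_BODY in body))
    return sorted(hits)


def unexpected_owners(webroot, known_tokens):
    """Verification files whose token the real owners did not create."""
    known = {t.lower() for t in known_tokens}
    return [h for h in find_verification_files(webroot) if h[1] not in known]


def build_sample_site():
    """Constructed sample webroot: one owner file, one unknown file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "blog"))
    for rel in ("google0123456789abcdef.html",
                os.path.join("blog", "googlefedcba9876543210.html")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(VERIF_BODY + " " + os.path.basename(rel) + "\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, token, body_ok in unexpected_owners(site, ["0123456789abcdef"]):
        print(f"UNEXPECTED verification file: {rel} (body match: {body_ok})")
```

Run on a schedule against each virtual host's document root, with the allowlist holding only the tokens the legitimate owners generated, this flags a new owner file even when the notification email was never seen.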