igor - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Hackers hijack website analytics for black hat SEO and more

A new report shows that hackers are manipulating the ownership settings of the Google Search Console in order to hijack website analytics for use in black hat SEO campaigns and more.

A report from cloud-based security company Sucuri Inc. said that a new trend with hackers is to add malicious owner accounts to a website's Google Search Console in order to add spam content and run black hat SEO campaigns.

Denis Sinegubko, senior malware researcher at Sucuri, based in Menifee, Calif., wrote in a blog post that once a hacker has gained access to a website's Google Search Console -- formerly Google Webmaster Tools -- it is possible to remove other verified site owners, gather statistics for use in black hat SEO campaigns, submit sitemaps of spam content that will then be quickly discovered by Google, and get site notifications to better learn how quickly Google can detect a hack.

Sinegubko said Google allows for multiple owners of a website to be entered in the Search Console, and being granted ownership status in the Search Console usually requires proof of access to the website file server, control of the DNS records or a related Google service, such as Analytics.

These types of hacks can be hard to detect, because malicious actors can unverify owners from the Google Search Console, and those owners will not be notified of such action and will not receive notifications of any subsequent changes to the site settings.

One of the most popular ways to gain verification is to get access to a website, then find the Google site verification code within a special HTML file that Google generates and the website owner uploads to the website.  One of these files can be used to verify multiple sites.

Worse, Sinegubko said that removing a malicious owner can be quite difficult. In some cases, webmasters would receive notifications of new owner activity, but were unable to find the HTML files Google said needed to be deleted in order to unverify the hacked accounts.

Sinegubko said two things that Google could do to mitigate the issue would be to send "goodbye" notifications to owners who have been unverified or when multiple new owners have been added, both of which could serve as a warning of malicious activity.

Their aim is to get indexed by Google. So, if you search your site for typical spammy keywords, you might find pages that don't belong there.
Denis Sinegubkosenior malware researcher at Sucuri

Google did not respond to comment requests at the time of this writing.

According to Sinegubko, the basics to mitigating risks of this type of attack start with taking "new owner" notifications seriously, and acting quickly if you think they are malicious. However, there are more ways to detect a hack -- even if the attacker has unverified the real owner and notifications are no longer coming through.

Sinegubko said attacks could be spotted through malware scans, Google alerts for "spammy keywords" and through integrity controls, because the hacks involve creating or modifying files.

"Their aim is to get indexed by Google. So, if you search your site for typical spammy keywords, you might find pages that don't belong there," Sinegubko said. "Webmasters should only use the keywords that are not likely to be found in their legitimate content. A more broad keyword that helps reveal spam on hacked sites is 'cheap' -- although, it may produce noise, since it's more common in normal webpages."

Next Steps

Learn how to stop search engine optimization security attacks.

Learn more about black hat link-building.

Dig Deeper on Web security tools and best practices