Hacking Google Search Console: How and Why Hackers Take Over Your Site in Google
There’s a new hack on the rise, and it’s not well known among security professionals. Hacking Google Search Console is a new way for hackers to steal web traffic, eavesdrop on visitor insights and analytics, and even completely remove the site from Google search. It’s a sneaky attack that’s completely invisible to the website owner until he realizes that search traffic and sales have plummeted.
What is Search Console?
You don’t need to sign up for Search Console to have your site indexed in Google. For this reason, not every site owner is aware that the application even exists. It’s well worth the effort to set up a Search Console account for your site. You can use it for several reasons including:
- View links from other webmasters to your site
- Review site impressions in search for each query
- Identify the keyword phrases used to find your site
- See your average position in search for each keyword phrase
- Receive notifications for crawl errors or manual action (penalty) against the site
- Review the way Google sees your site including mobile compatibility
Take a look at a typical view in the Search Analytics section.
The search queries have been removed, but as you can see, there is plenty of information to gather from the account. You can see the total impressions in search (red line), the click-through rate (blue line), and the average position for the site.
When you sign up for a Search Console account, you then verify your site using one of several methods. The most common method is to upload an HTML file generated by the application. This is the method used to hack into your Search Console account. If you don’t have a Search Console account set up, the hacker can silently use Search Console for your site without your knowledge. It’s best to at least have an account so you can review any strange activity on your site.
How a Hacker Gains Access to Search Console
To upload a file to your account, the attacker first needs his own Search Console account. The HTML file generated contains a hex value that is unique for each user. Using this file, you can give access to other users such as a marketing person who needs to see trends in search analytics on your site. Each person with access to your site has an HTML file uploaded to the root directory.
A hacker needs access to your root directory. This is usually done with FTP access. The hacker can gain access to your FTP directory using numerous methods. Keyloggers, phishing attacks and even social engineering can be used to gain access to FTP directories. Once he has access, he uploads his own HTML file to the root directory. Rarely do site owners review files on a site, so the HTML file usually goes unnoticed for months.
The hacker uploads his own generated HTML file, and now he can register your site with his own Search Console.
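A check a site owner can run against the web root for the files described above, as an added example that is not part of the original article: it lists verification files whose token is not on a list the owner maintains. The file-name pattern, the function names and the sample tokens are assumptions made for illustration.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: HTML verification files are named "google" + hex token + ".html".
VERIFY_RE = re.compile(r"^google([0-9a-f]+)\.html$", re.IGNORECASE)

def audit_verification_files(web_root, approved_tokens):
    """Return (name, token, modified-UTC) for every verification file in
    web_root whose token is not on the owner's approved list."""
    approved = {t.lower() for t in approved_tokens}
    findings = []
    for entry in sorted(Path(web_root).iterdir()):
        match = VERIFY_RE.match(entry.name)
        if not (match and entry.is_file()):
            continue
        token = match.group(1).lower()
        if token not in approved:
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            findings.append((entry.name, token, mtime.isoformat(timespec="seconds")))
    return findings

def demo():
    """Run the audit against a constructed web root (all tokens are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.html", "google-analytics.html",
                     "google1a2b3c4d5e6f7a8b.html",   # owner's own file
                     "googleffeeddccbbaa0011.html"):  # not on the approved list
            Path(root, name).write_text("constructed sample\n")
        return audit_verification_files(root, {"1A2B3C4D5E6F7A8B"})

if __name__ == "__main__":
    for name, token, modified in demo():
        print(f"unapproved verification file {name} (token {token}), modified {modified}")
```

The modification time in each finding gives a starting point for correlating the upload with FTP or hosting access logs.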
What Can the Hacker Do With Search Console Access?
It seems like a harmless vulnerability since the hacker can only review statistics on the site, but he can use Search Console for several purposes. The worst scenario is removing your site from the index. This is usually done for revenge and isn’t the primary goal for a hacker. With the site completely removed from the index, the site no longer gets search engine traffic, which isn’t what the hacker wants.
First, he reviews the links to the site. The hacker can use this list to attack other sites or use them to redirect referral traffic to his own site. The attacker has access to FTP, so he can then edit your .htaccess. This file contains directives for your site pages. The .htaccess file can be used to redirect any Google traffic to his site.
Here is an example of an .htaccess entry that redirects to the hacker’s malicious PHP file.
RewriteRule ^([0-9]+)/google(.*)html$ wp-content/file.php?google=$2 [L]
This rewrite rule sends all Google traffic to the file named file.php. This file then loads the content of the hacker’s site. The hacker’s site is usually an affiliate site that sells pharmacy products or knockoff products. Viagra, fake handbags, Louis Vuitton, and Ray Ban are popular niches that have several black hats working in the industry. As a matter of fact, you can do a search in Google to identify if a site is hacked with one of these attacks.
Take a look at the following image.
Using the “site” operator, the search finds the value “handbags” on a site that sells curriculum tools. Notice the results return links in the meta description to several different sites selling handbags. This is the biggest sign that a site is hacked, but webmasters rarely ever check their search results using spammy queries. For this reason, the hacked site goes unnoticed.
In the image, notice that the spammy queries point to a file embedded deep within the site structure. Clicking one of these links would result in the hacker’s site content showing. The link redirects the search user to the hacker’s site. This is also how the hacker steals traffic and link juice from the site owner. Because the pages redirect to another site, the hacker’s site gains PR (PageRank) from the site owner’s links. The attacker can see these links in Search Console.
The pages only redirect when a searcher finds the page in Google. It doesn’t redirect when someone directly accesses the site. This is also done using either the .htaccess file or within the site code. This technique continues to hide the hack from the site owner. Since most site owners only use outside tools or even search their brand name in Google without clicking the links, the hack goes unnoticed unless the owner finds the spammy results in search queries. These spammy pages don’t normally rank high when the brand name is searched, so the site owner doesn’t see them with a cursory review of his site in Google.
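One way to review an .htaccess file for the rewrite behaviour described above (added example, not from the original article). The first rule in the sample is the one quoted on this page; the other sample lines, the function name and the three heuristics are assumptions for illustration, and a hit is a lead for manual review rather than proof of compromise.

```python
import re

# Sample input: line 2 is the rule quoted in the article, the rest is constructed.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteRule ^([0-9]+)/google(.*)html$ wp-content/file.php?google=$2 [L]
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule ^(.*)$ http://placeholder.invalid/ [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
""".strip()

# Heuristics (assumptions): conditions keyed on search-engine visitors,
# captured URL text handed to a PHP script, and rewrites to another host.
SEARCH_COND = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}.*(google|bing|yahoo)", re.I)
PHP_WITH_ARGS = re.compile(r"\.php\?\S*\$\d")
EXTERNAL = re.compile(r"^https?://", re.I)

def audit_htaccess(text):
    """Return [(line_number, [reasons])] for RewriteRules worth a manual look."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("rewritecond"):
            conds.append(line)          # applies to the next RewriteRule only
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        target, reasons = parts[2], []
        if any(SEARCH_COND.search(c) for c in conds):
            reasons.append("conditioned on search-engine referer or user agent")
        if PHP_WITH_ARGS.search(target):
            reasons.append("passes captured URL text to a PHP script")
        if EXTERNAL.match(target):
            reasons.append("rewrites to an external host")
        if reasons:
            findings.append((lineno, reasons))
        conds = []
    return findings

if __name__ == "__main__":
    for lineno, reasons in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: " + "; ".join(reasons))
```

The ordinary front-controller rule on the last sample line is not reported, while the article's rule and the referer-conditioned rule are.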
What You Can Do to Defend Your Site
Aside from having the latest antivirus updates to avoid keyloggers and malware, you can also take additional steps.
The first step is to sign up for a Google Search Console account. It’s free and linkable to your current Google account. This also lets you see how the site registration process works, so you can better understand the way the hack works. The other advantage is that you receive notifications when a new owner is registered. You also get notifications if Google picks up on the hack and sends you an alert.
Hackers often remove site owners from Search Console registration, so checking your site every week helps detect any anomalies.
Every week, it also helps to perform a standard site query in Google with spammy niche phrases. For instance, type “site:yoursite.com handbags” into Google and you’ll find any hacked pages for that phrase.
You should also change your passwords for FTP access and even your hosting account every once in a while. This will stop hackers from continually hacking your site if you can’t figure out how they access your site.
Overall, some common sense and standard search reviews can save you a lot of lost traffic and visitors. Losing Google search ranking can devastate a business, so take a few minutes each week to check your site for suspicious activity.