Internet security watchdogs Sucuri have published a PSA of sorts, warning site owners about malicious “new owner” Google Search Console verifications.
Sucuri says it observed a trend this past summer where black-hat SEOs are trying to verify additional accounts as owners of hacked sites in Google Search Console.
Attackers aim to verify themselves as owners of hacked sites because it gives them access to information sent from Google to the site owner. Sucuri speculates that there may be four reasons why black hat SEOs are doing this.
- To gather statistics about how their black-hat SEO campaigns are performing through accessing the “Search Analytics” section of Search Console.
- To submit sitemaps containing the spammy new pages they have added to the hacked site, which helps Google discover and index the pages more quickly.
- To view notifications sent by Google about the site being hacked. This helps black-hat SEOs gauge how well Google can detect doorway pages.
- To unverify the accounts of legitimate site owners so they don’t receive notifications that their site has been hacked.
If your site has been hacked, and the attackers verify themselves as owners of your site, you will be immediately notified via email. This will give you an opportunity to investigate the issue as soon as it arises.
Sucuri explains that real danger lies in the amount of time that passes between Google sending that email and you reacting to it.
It’s incredibly easy for a verified site owner to un-verify other people in search console, so the more time that elapses the greater the opportunity for the attacker to unverify your account.
Sucuri points to discussions on the Google Webmaster Forum in an effort to prove that attackers are in fact verifying themselves as owners of hacked sites in Search Console. According to the discussions, the attackers will often verify more than one new owner, in some cases over 100 new owners.
In order to remove the attackers as owners of your site in Search Console, you’ll need to remove the files they added during the verification process.
One way to verify a site is through uploading an HTML file provided by Google. If you have received a notification about new owners being added then look for any new files that have been uploaded, and remove them if you don’t recognize them.
Sucuri suggests that this technique is so new that it’s not clear if it will widely adopted by hackers or abandoned after proving to be of little value.
In any case, keep an eye out for “new owner” notifications from Google and respond accordingly.