Why do spammers verify themselves as owners of an infected site?

In the Google Webmaster Forum, where I am a collaborator, people usually arrive with an infected site looking for a solution. The symptoms they notice vary widely, but very often they mention that someone unauthorized has verified themselves as an owner of their site in Search Console (formerly Webmaster Tools).

For an outsider to verify themselves, they need some degree of control over the site: enough to upload an HTML file to the server or to add a verification meta tag to the pages. There are other verification methods (DNS records, Google Analytics or Tag Manager), but these two are the ones most commonly used.

On a vulnerable site, arbitrary file upload is possible, so it is not surprising that they can drop the Google HTML file there. Still, I have often asked myself: why do spammers verify themselves as owners when they infect a site?

When a new user is verified in Search Console, the original owner or administrator receives a warning e-mail like the one shown above. So at first sight it makes no sense for attackers to verify themselves: they are automatically giving themselves away, instead of going unnoticed for as long as possible.

However, verifying themselves as owners makes a lot of sense: it is precisely what allows them to improve their spam campaigns.

Generally, an owner who does not keep their site updated, whether it is WordPress or Joomla for example, does not pay much attention to Search Console and its warnings either. So the e-mail about the newly verified owner can be ignored or misunderstood, because its meaning is not clear to them.

In addition, many webmasters have not added their site to Search Console at all, so they will never receive warnings. Others have the wrong version verified: a site with www is not the same property as the one without www, nor is http the same as https, and each version receives its own messages. A spammer who verifies the https://www variant while the owner only watches the http:// property may never be noticed.

Once spammers have access to Search Console they can even remove the original owner, so that the owner stops receiving future messages such as the security warnings that alert them to the infection.

They can also submit a sitemap with all the spam URLs they have created on the site, so that those URLs are indexed faster. They will also use tools such as Fetch as Google to push pages into the index, and the URL removal tool to pull pages out of the results quickly.

They can also react to a site block that would deactivate their campaign. If, for example, Google detects spam or malicious content and flags the site, the attacker receives the warning in Search Console, can "fix" it by moving the spam to another location, and then returns to profiting from the infected site.

This quick reaction can also prevent the original owner from ever seeing the security warnings that browsers normally show when a flagged site is visited.

Now it is clearer why spammers verify themselves as owners of the sites they infect: although it is true that it can give them away, it also gives them much greater and more effective control.

Eliminating unauthorized owners:

From Search Console it is possible to remove other owners, and Google's help documentation is quite clear in explaining all the steps.

Keep in mind that simply removing the spammer's ownership does not solve the problem: if the site is still vulnerable, they will re-verify themselves.

For the removal to be effective, in addition to securing the site so that it does not happen again, the verification method the spammer used must be removed. If, for example, they uploaded an HTML file to verify, that file must be deleted; otherwise the spammer's ownership cannot be revoked, because the token still validates.

This is usually where the problem lies, and it is not uncommon for users to report that they cannot find the verification HTML file at the root of the server, or the meta tag in the page source. This is interesting, because attackers use different techniques to hide these verification methods.

A simple example of such a trick: by adding the following line to the .htaccess file, the Google verification HTML file appears to be served from the root of the domain, while the actual file lives outside the root, in the /spammer/ directory:

RewriteRule ^google123456789\.html$ /spammer/google123456789.html [L,NC]

This camouflaged rule in .htaccess can be hard to find, and even harder if it is placed in a higher-level configuration file on the server (an .htaccess in a parent directory, or the main Apache configuration). There are more complex methods that also involve PHP, for example a theme or plugin file that prints the meta tag into the page head at runtime; you can see a classic example here along with other code that spammers often use.
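As an added example (not code from the original post, nor a Google tool), here is a small Python scanner that hunts for the three hiding places described above: a google<token>.html file stored somewhere other than the document root, a google-site-verification meta tag in HTML or PHP templates (including PHP that assembles the tag from pieces, so a plain grep for the full tag misses it), and an .htaccess or Apache directive that serves the verification file from another directory. The demo document root it builds, including the /spammer/ path, the token google123456789 and the functions.php snippet, is constructed sample data for the demonstration.

```python
"""Hunt for hidden Google Search Console verification methods in a web root.

Added example, not code from the original post. It checks the three hiding
places the post describes: a google<token>.html file outside the docroot,
a google-site-verification meta tag emitted from HTML/PHP templates, and an
.htaccess/Apache directive that serves the file from another directory.
The demo site it builds (paths, token, contents) is constructed sample data.
"""
import os
import re
import tempfile

# Google requests the HTML-file method as /google<hex token>.html.
# An optional backslash is allowed so the escaped form used in RewriteRule
# patterns (google123\.html) matches as well as plain file names.
VERIFY_FILE_RE = re.compile(r"google[0-9a-f]{8,}\\?\.html", re.I)
META_RE = re.compile(
    r"<meta\s+[^>]*name\s*=\s*[\"']google-site-verification[\"'][^>]*>", re.I)
# Directives that can make /google<token>.html resolve to a different file.
DIRECTIVE_RE = re.compile(
    r"^\s*(RewriteRule|AliasMatch|Alias|RedirectMatch|Redirect)\s", re.I)

SOURCE_EXTS = {".html", ".htm", ".php", ".phtml", ".inc", ".tpl"}
CONFIG_NAMES = {".htaccess", "httpd.conf", "apache2.conf"}


def _read(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def _scan_config(path, rel):
    """Flag rewrite/alias/redirect lines that mention a verification file."""
    out = []
    for lineno, line in enumerate(_read(path).splitlines(), 1):
        if DIRECTIVE_RE.match(line) and VERIFY_FILE_RE.search(line):
            out.append(("config_rewrite", rel, "line %d: %s" % (lineno, line.strip())))
    return out


def _scan_source(path, rel):
    """Flag complete meta tags, and PHP that only carries the attribute name
    (the tag is assembled at runtime, so a literal tag search misses it)."""
    text = _read(path)
    out = [("meta_tag", rel, m.group(0)) for m in META_RE.finditer(text)]
    if not out and "google-site-verification" in text \
            and rel.endswith((".php", ".phtml", ".inc")):
        out.append(("meta_tag_in_php", rel, "tag assembled by PHP code"))
    return out


def scan_docroot(root):
    """Walk the document root; return sorted (kind, relative path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if VERIFY_FILE_RE.fullmatch(name):
                findings.append(("verification_file", rel, name))
            if name in CONFIG_NAMES or name.endswith(".conf"):
                findings.extend(_scan_config(full, rel))
            elif os.path.splitext(name)[1].lower() in SOURCE_EXTS:
                findings.extend(_scan_source(full, rel))
    return sorted(findings)


def build_demo_site():
    """Create a throwaway document root that reproduces the .htaccess trick
    from the post plus a PHP-emitted meta tag (all constructed). Returns its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "spammer"))
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))

    def write(rel, body):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

    write(".htaccess",
          "RewriteEngine On\n"
          "RewriteRule ^google123456789\\.html$ /spammer/google123456789.html [L,NC]\n")
    write("spammer/google123456789.html",
          "google-site-verification: google123456789.html\n")
    write("wp-content/themes/demo/functions.php",   # hypothetical injected theme code
          "<?php\n$n = 'google-site-verification';\n"
          "add_action('wp_head', function () use ($n) {\n"
          "    echo '<meta name=\"' . $n . '\" content=\"constructed-token\">';\n"
          "});\n")
    write("index.html", "<html><head><title>clean page</title></head></html>\n")
    return root


if __name__ == "__main__":
    for kind, rel, detail in scan_docroot(build_demo_site()):
        print("%-18s %-40s %s" % (kind, rel, detail))
```

Run it against a copy of the real document root instead of the demo by calling scan_docroot("/var/www/html") (path assumed). Two caveats: a rule whose pattern is obfuscated with character classes or backreferences, or a tag emitted from base64-decoded or eval'd code, will not be matched, and the scanner does not read the main Apache configuration outside the docroot. A useful complement is to grep the access log for Googlebot requests to any /google*.html path, since Google fetches that exact file whenever it re-checks ownership.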

So keep an eye on unauthorized owners, and always pay attention to the messages that Search Console sends you.