Respond

GOOGLE says your website may be HACKED, let’s investigate

It all started with a screenshot from a friend

Screenshot of actual WhatsApp conversation from my friend

My friend sent me a screenshot of their Google search result for an instituion in Jamaica. The first result was the website she searched for and below the website's name it read “This site may be hacked“. She sent me a message on WhatsApp containing a picture of her search result and here’s the brief dialogue:

  1. Her: Is that important?
  2. Me: Yes it means what it says
  3. Her: So if I use my card on the site, it will be compromised?
  4. Me: No but it means you can’t trust it right now. You can call them and report the issue but I would not recommend you use your card on their site.

**end of conversation**

Screenshot of a Google search result

TL;DR – The institutions's website may have been compromised since May 2017, almost 10 months ago, and it hasn’t been corrected since, based on public evidence from Google and other internet sources. This article is about my findings. The passive investigation into Google’s notice

I was curious so I decided to ask the internet for more clues as to whether this may be true. In Cybersecurity our initial investigation of a suspicious incident or breach is often called Security Incident Response and the person assigned to investigate those things is referred to as the Incident Responder, among other fancy terms.

Red flags, red flags!

The result obtained from Sucuri’s Site Check on th institution's domain

I googled for a few websites that claim they can check the reputation of web domains against several security databases. I came across a website sitecheck.sucuri.net by a company called Sucuri. Sucuri is popular for their website security services, especially for WordPress. I’m familiar with their services so I used them. I entered th institution's domain and unsurprisingly, it said their domain (***.org) has been Blacklisted. Basically, marked as malicious, bad or unsafe for visiting.

When I selected the Blacklist tab, it showed the match was from ESET. ESET is an IT security company that offers anti-virus and firewall products such as ESET NOD32.

The result when I clicked the Blacklist tab

I was still a little sceptical

Okay, ESET has blacklisted the institution's domain as malicious but I still wanted another opinion, just in case Sucuri was flagging the domain to push sales of their website security services.

I used another popular Website Reputation Checker at urlvoid.com which also flagged th institution's domain and said its source for flagging the domain was scumware.org. Scumware.org aggregates a database of reportedly malicious domains and files.

The result from Scumware.org showing a file match on the institution's domain for a known malicious file

From the result on scumware.org, it reports that a .PHP file located at ***.org/faq/profile.php matches the signature of a known Trojan, based on an MD5 hash of the file).

How do these free websites know malicious files?

Behind the scenes, a lot of these Website Reputation Checkers identify malicious files without also “hacking” because they check databases of known malicious files (and file hashes) reported across the internet against those files publicly provided by websites when you browse like a normal person. They do not attempt to attack or scan for private vulnerabilities, as far as they claim.

In this investigation, the malicious file was a .PHP file. PHP files are executed server-side when requested (on the web server hosting the website) instead of in your browser (client-side) so you would not typically see the contents in your browser, just a blank page. Unlike other popular files such as Text (.txt), HTML (), and CSS (.css), which would be displayed in your browser.

Be careful everywhere online

My recommendation to her goes for you too “No but it means you can’t trust it right now, …I would not recommend you use your card on their site”. That’s for any site with that flagged note (…may be hacked) until the note no longer exists. Removing the note from a Google search requires an administrator of the domain/website to do a couple things.

Disclaimer: You should know that some of those scans can produce false positives, and what I’ve illustrated here is just the tip of work that could be done to confirm whether a domain was compromised.

4 Tips to take from my friend:

  1. She was attentive when browsing
  2. She did not ignore her suspicion when she saw the abnormality below the domain.
  3. She contacted someone for advice who was more technical than her
  4. She thought about the consequences of still using her credit card.

How web admins could remove that bad note from Google’s search results

Google’s recommended procedure to remove the message from a domain

Well, according to Google, the webmaster (the website’s tech person) should:

  1. Register and verify the site in Google’s Search Console.
  2. Sign into Search Console and check which URLs were flagged.
  3. Fix the issue on the website that triggered the detection by Google. Ultimately, clean up your potentially hacked website.
  4. Read Google’s web page about “resources for hacked sites”
  5. From inside Google’s Search Console, request a review of the website by Google after you’ve cleaned/fixed what triggered the alert of being hacked.

Some reasons why Google and other malware scanners may flag your site as being hacked

The main reason that comes to mind is if a file on your website matches that of a malicious file reported online, which could happen if:

  • An attacker may have compromised a site and uploaded malicious file(s) which has/have been detected elsewhere on the web.
  • An administrator mistakenly uploads a known malicious file from the back-end into an indexed location on the website. E.g. uploading some of the following: a nulled(pirated) website theme, software key generators (aka keygens), unverified scripts, and known trojans.
  • A user unknowingly pastes a malicious link through the front-end of a website or uploads a shady file that gets shown on the website’s user interface and then Search Engines, such as Google, index the location.

A career awaits in Digital Forensics and Incidents Response (DFIR

If Incident Response and Computer Forensics is something you may be interested in, then you could check out these certifications and start expanding your skills.

References:

Note: The flag from Google was reported to the affected business by an employee who read the article.

Was this a good read?

If you found this article helpful, please share it. You can follow me on LinkedIn, Instagram, and Twitter (@HackingGavin) where I continuously try to share interesting stuff.

Gavin Dennis

Gavin Dennis is a Cyber Security Consultant and aspiring CISO. He helps companies and people around the world to protect their digital assets and has worked with companies in Europe, Africa, and the Caribbean. He is experienced in Penetration Testing (Network and Web), Social Engineering, Vulnerability Assessments, IT Security Risk and Compliance, and IT Security Incident Response. Additionally, Gavin is a CompTIA SME and separately produces educational Cyber Security content through his articles, websites, and speaking engagements.

Good Reads