The YouTube lessons on making the best use of the webmaster tools in Google Search Console bring us today to a very delicate issue: security. The episode focuses on the Security Issues Report, which alerts us to dangerous and malicious behavior on our sites.
Given the topic, the usual host of the Search Console Training series, Google Search Advocate Daniel Waisberg, is joined by a colleague from the Trust & Safety Policy division, Aurora Morales: the two Googlers show us how to receive warnings about security problems on our site and which actions to take to resolve them.
What is the Security Issues Report
The Google Search Console Security Issues Report is a tool that raises an alert whenever Google finds that your site has been hacked or behaves in a way that is potentially harmful to visitors or their devices.
Examples of compromise
These malicious behaviors include phishing attacks and the installation of malware or unwanted software on the devices users connect with. Morales goes through the various security problems and explains the three main types:
- Hacked content.
This is content placed on the site without our permission by exploiting security vulnerabilities. For instance, a hacker could inject malicious code into pages to redirect our users to another site, or automatically create pages on the site filled with meaningless, keyword-stuffed sentences.
- Malware and unwanted software.
This is software designed to harm a device or its users, or software that engages in deceptive or unexpected practices that adversely affect the user.
- Social engineering.
This is content created by cybercriminals to trick visitors into doing something dangerous, such as revealing confidential information or downloading malicious software.
The list of security issues for sites
Aurora Morales explains in detail the different types of violations and hacks and the reasons why hackers try to take control of a site. First of all, she points out that many of these problems stem from outdated software or poor management of the credentials that give access to the site's resources, both of which leave “open doors” for malicious actors.
Hackers typically look for technical signals to assess whether a website is well protected, and when they notice that a site runs an outdated version of some software they may take advantage of it to exploit an unknown vulnerability.
- Injection attacks
The most frequent problem is so-called injection, which occurs when a hacker manages to gain unauthorized access to a website's CMS or hosting service, whether through stolen credentials, outdated and vulnerable software, plug-ins or unreliable third-party widgets, unsafe directories on the server, or ineffective security systems.
The attackers can then remove, modify or create pages on our site, steal user data, exploit the site's reputation for their own commercial purposes, insert code into pages that performs unintended operations, or make the web server take part in a denial-of-service attack against other sites.
There are three attack modes: injection of URLs, of content and of code. All of them, the Googler reminds us, end up damaging the user experience and trust in the site and, in the long run, ruining the brand’s reputation.
- URL injection occurs when a hacker creates new pages on the site, typically containing spam words or links that can redirect users to other sites.
- Content injection occurs when a hacker adds spam links or text to the pages of the site, such as keywords unrelated to the site's content or meaningless text.
- Code injection occurs when a hacker gains access to the site and modifies its code to change its behavior, for example to send spam emails, add redirects to a malicious site, or run cryptomining software in the visitor's browser while the page is open.
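As an added illustration (not from the video or from Google), one way for the owner of a file-based site to notice these injections is to compare the webroot against a known-good manifest: files that are new are URL-injection candidates, and files whose bytes changed are content- or code-injection candidates. The function names and sample files are constructed for this example, and content stored in a CMS database is outside what it checks.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(webroot):
    """Map each file's path (relative to the webroot) to its SHA-256 digest."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Classify differences between a known-good manifest and the live site."""
    shared = baseline.keys() & current.keys()
    return {
        # Pages that did not exist before: candidates for URL injection.
        "new": sorted(current.keys() - baseline.keys()),
        # Existing pages whose bytes changed: content or code injection candidates.
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        # Pages that disappeared: attackers can also remove content.
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed sample: a tiny webroot, then two simulated unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Home</h1>")
        (root / "about.html").write_text("<h1>About</h1>")
        baseline = build_manifest(root)  # taken while the site is known to be clean

        # Simulated URL injection: a new keyword-stuffed page appears.
        (root / "cheap-pills").mkdir()
        (root / "cheap-pills" / "page1.html").write_text("keyword keyword keyword")
        # Simulated code injection: an existing page gains a foreign script tag.
        (root / "index.html").write_text(
            "<h1>Home</h1><script src='//x.example/m.js'></script>")
        return compare_to_baseline(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```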
- Social engineering attacks
The second group of problems falls within the sphere of social engineering, whose deceptive techniques encourage users to perform dangerous online actions, such as revealing sensitive information or downloading malicious software. Phishing is also an example of such practices.
The Google Safe Browsing system tries to protect users by warning them in advance if they are about to click through to a suspicious site or download malicious files; when the system detects that a website has misleading content, the Chrome browser might show a full-page warning that blocks visitors’ browsing and alerts them to the risks they run by continuing.
Other examples of social engineering attacks are:
- Misleading content, when the site has pages that pretend to be a trusted entity in order to trick visitors into doing something dangerous, such as revealing passwords or credit card numbers.
- Misleading ads, when the site includes deceptive advertisements or embedded resources that make visitors believe their software is outdated and so persuade them to download other unwanted software or actual malware, while posing as a reliable source (and generally also obtaining confidential data).
- Unusual or unwanted download problems
Sometimes, a site may offer users a download that Google Safe Browsing has never seen before; in such cases of unusual downloads, Chrome may identify the file as malware or unwanted software and flag it to users accordingly. If, however, Google later discovers that the files are safe, it will automatically remove the warning.
For unwanted downloads, those positively identified as malware or unwanted software, the warning is instead removed only once we ourselves remove these downloads from the site.
- Unclear mobile billing
In this case, Google has found that the site does not adequately inform users about mobile charges, and as a result Chrome may show a warning message before loading a page that incurs charges.
Also common are cases of sites that are infected with, or that host, a hacker's malware, in the form of software, a mobile application or a script designed specifically to damage a computer, a mobile device, the software running on it or the users who download it, knowingly or unknowingly.
What happens to compromised sites
Google has a system for reporting these problems to users: when a site has been compromised to manipulate search rankings, a label reading “This site may have been breached” can appear to warn users directly in search results.
When a site has instead been hacked to harm users, browsers with Google Safe Browsing enabled may display interstitial warning pages or alerts when the user tries to visit it or download files from it, to warn visitors who are about to access harmful and dangerous websites.
Google Safe Browsing can also label risky search results in the SERP, for example reporting that “this site can harm your computer”.
How to discover damaged pages
Google Search Console reports can help us find out whether our site has been hit by hacker attacks, which pages have security issues, and how to fix them effectively.
When security issues arise on a site verified in Search Console, the owner receives an email with a warning and a link to more information on solving the issue. So, Waisberg advises, it is important to “read your emails carefully and find out these alerts as soon as possible”, in order to fix things promptly and limit the damage.
Use of the security issues report
If we missed the email, or simply as part of our daily check on the site's health, we can also find all the security information in the Search Console dashboard, where the Overview screen already flags the presence of security problems on the site with a prominent banner at the top of the page.
By clicking on the message we are taken to the Security Issues Report, where we find the count of all the security issues present on our site. If there are no problems, a green tick and a corresponding message will appear.
Of course, only the problems detected by Google are listed here; Google “does its best to control the most common security problems, but you should still keep your eyes open”, suggests Waisberg.
Tracing back a site’s safety history
We can also browse the Messages panel and choose the Security Issues category to see all the messages that have been sent to the website in the past on this subject. It is a very useful way to trace back the history of a site, especially when we have recently acquired an existing website or are starting work for a new client, because it lets us discover the historical context of the project and whether it has any “pending issue”.
How to fix security issues
The video also describes the recommended process to fix a security issue on the site and communicate it to Google.
- We expand the description of the problem in the Security Issues report and follow the “More Information” link, which contains detailed information and steps to solve the problem.
- We assess whether we can intervene ourselves or need external support.
- We use the sample of affected pages provided in the details section to work on the issue.
The list provided by Google is not necessarily complete; it is a sample of pages on the site that are affected by the problem. Sometimes we might find a security problem with no example URLs: this does not mean that no page is affected, but that Google, for some reason, could not generate specific examples for that case.
- We fix the problem on all the pages of the site. Correcting only some pages does not guarantee a complete fix, so we must not skip any page.
- If the report lists multiple security issues on the site, we need to correct them all.
- The second-to-last step is testing the corrections.
- Once we have fixed all the problems listed in the report on all pages and are sure of the result, we can select the Request Review button in the Security Issues report. The reconsideration request to Google must describe the corrections made and, in order to be effective, must meet three criteria:
- explain precisely the problem of site quality;
- describe the procedure used to solve the problem;
- document the outcome of the countermeasures taken.
Note. To learn more about how Google handles manual penalties for web spam and how the process of reconsideration and review works, Waisberg recommends the explanatory video by John Mueller, which we also covered on our blog.
Generally speaking, reviews take a few days, but in some cases they may take up to a week or two. Google will email updates on the status of the request, from the date of submission (to confirm that the review is in progress) until the process is complete.
We must therefore be patient and not send a new request before receiving the final decision on the one already open. Resubmitting is discouraged for two reasons: it can lengthen the response time for the next request and, above all, it can lead Google to apply a “repeat offender” label, since it interprets the reported security issues as unresolved.
One particular case can arise when we investigate the pages of the site that Google has marked as ‘at risk of impairment’: we may fail to see the hacked content at the URLs provided by Search Console.
As Waisberg explains, this could be an example of cloaking, one of the most notorious violations of Google's webmaster guidelines (often used as a black hat SEO tactic), which makes cleaning a website harder because it shows users different content from what is served to search engines.
For example, a page on the site may contain hacked content that we cannot see from the user side, which may lead us to conclude hastily that Search Console flagged the problem by mistake. In fact, a search engine like Google that accesses the same page might find hidden spammy text and harmful links, which must be removed as soon as possible.
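An added example, not part of the video or the original article: given two saved copies of the same page, one as a visitor's browser receives it and one as a crawler receives it (for instance the crawled HTML shown by Search Console's URL Inspection tool), the Python below lists the links and words served only to the crawler. The function names and both sample pages are constructed for illustration; a copy fetched merely with a changed User-Agent will not reveal cloaking that keys on the crawler's IP address.

```python
from html.parser import HTMLParser


class PageExtractor(HTMLParser):
    """Collects link targets and text words, ignoring script/style bodies."""

    def __init__(self):
        super().__init__()
        self.links, self.words = set(), set()
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(href.strip())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(w.lower() for w in data.split())


def extract(html):
    parser = PageExtractor()
    parser.feed(html)
    parser.close()
    return parser.links, parser.words


def cloaking_diff(user_html, crawler_html):
    """Return the links and words that appear only in the crawler's copy."""
    user_links, user_words = extract(user_html)
    bot_links, bot_words = extract(crawler_html)
    return {"links": sorted(bot_links - user_links),
            "words": sorted(bot_words - user_words)}


# Constructed samples: the same page as a visitor and as a crawler receive it.
USER_VIEW = ('<h1>Garden tools</h1><p>Our spring catalogue.</p>'
             '<a href="/catalogue">Catalogue</a>')
CRAWLER_VIEW = USER_VIEW + ('<div style="display:none">cheap pills '
                            '<a href="https://spam.example/pills">buy</a></div>')

if __name__ == "__main__":
    print(cloaking_diff(USER_VIEW, CRAWLER_VIEW))
```

An empty result for both keys means the two copies carry the same links and visible words; anything listed is content to trace back and remove on the server.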