Google is Hosting and Handling Advertising for Website that is Publishing Purported Leaked Credit Card Info

A month ago we noted that Google’s AdSense program was handling the advertising for a number of websites serving “nulled” web software, which is paid web software being distributed illegal, with at least one of those serving up malicious code with the “nulled” web software. We reported a number of the websites to Google as they are violating policies of the AdSense program, but they are still running ads served by Google.

Part of how we became aware of that was that advertising we were running through Google’s AdWords program was being shown on some of those websites. Today we noticed that our advertising has recently been running on an even more troubling website, leakeddata.me.

The title of the website is “Leaked Data | Exploited and Leaked Information | (UPDATED Daily)” and the subtitle is “| Hack Credit Card | Visa | MasterCard | SSN | Amazon | Email Address | MYSQL Database | IP Address | ( HACKED | LEAKED | EXPLOITED )”. The homepage of the website currently shows the details of seven purported leaked credit cards, with the data shown including the credit card number, CVV number, name of credit card holder, and their address.

The top of the homepage of the website has multiple blocks of Google served advertising (bordered in blue):

When we went to see where the website was being hosted we were surprised to find it was Google. The IP address the website is hosted from is 216.239.36.21, for which the host name is any-in-2415.1e100.net. As Google explains “1e100.net is a Google-owned domain name used to identify the servers in our network.”. At that point we noticed that the website is being hosted through Google’s Blogger service.

It would seem that neither the Blogger nor AdSense service do any sort of proactive monitoring looking for credit card info being show on pages using the services, which seems to be something they could be doing.

It looks like the website has been showing leaked info since December of 2014.

We wanted to report this to the Blogger service, but they don’t have an option if you want to report someone else’s private information is being posted, only your own.

Google Sending Out False Alerts That Websites Are Running Outdated WordPress Versions

Back in 2009 Google started notifying webmasters through their Webmasters Tools (later renamed Google Search Console) that they were running outdated software in some instances. That is good idea, but it clearly needs some work as of 2017, seeing as last night we got the following email:

Recommended WordPress update available for http://www.whitefirdesign.com/

To: Webmaster of http://www.whitefirdesign.com/,

Google has detected that your site is currently running WordPress 4.7.0 or 4.7.1, an older version of WordPress. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible.

Following are one or more example URLs where we found pages that have outdated software. The list is not exhaustive.

https://www.whitefirdesign.com/blog/2011/03/02/hiding-the-wordpress-version-number-will-not-make-your-website-more-secure/

https://www.whitefirdesign.com/blog/category/outdated-server-software/

https://www.whitefirdesign.com/blog/category/sucuri-security/

Recommended Actions:

1 Update to the latest release of WordPress

Visit the WordPress site for instructions on how to download and install the latest release.

2 Check your site for hacked content

Because there was a vulnerability on your site, it’s possible that your site might have been compromised. We recommend you check your site for any suspicious activity. You can see if Google has detected any hacked content on your site in the Security Issues section of Search Console.

3 Stay up to date on new releases

Remember that older or unpatched software might be vulnerable to hacking or malware, so it’s important to install new software releases when they come out.

Need more help?

Read more about outdated software and vulnerabilities in our Help Center.
Check your site for hacked content using the Hacked Sites Troubleshooter.
If your site was compromised, read our guide for hacked sites.
Ask questions in our forum for more help – mention message type [WNC-641200].

Because this blog, like hopefully almost all WordPress installations, hasn’t had the automatic background updates feature disabled, it already was updated. In fact the update to 4.7.2 happened as of midday on January 26, the day the update was released. That was 11 days before the email was sent out. Seeing as we haven’t removed the meta generator tag from the blog, the version is included on every page’s source like this:

<meta name="generator" content="WordPress 4.7.2" />

Our guess would be that they are still processing pages crawled from before the update happened, which include the previous version number, and they are basing the claim of outdated software on that, which is obviously problematic.

It also worth noting that they are failing to capitalize the “p” in WordPress, instead referring to it as “WordPress”.

Google Moving in The Wrong Direction When It Comes to Information Provided on Hacked Websites

We clean up a lot of hacked websites, which means we often are dealing with website that flagged as serving malware by Google. In Google’s Search Console you can get whatever details they are providing on the issue they detected and request a review to have their warning removed after the website has been cleaned up. We often find that all they provide with is sample URLs where they have found the issue, but no details of the issue due to them being unable to isolate the malicious code being served. For us that usually isn’t a problem, but for those less experienced providing more information on what they are detecting in more cases would likely to improve cleanups. But now it seems things are going further in the wrong direction, as this week we dealt with a website where Google provided no details whatsoever on Security Issues page of the Search Console:

google-search-console-security-issues-no-sample-urls

They also left a message where they did list a URL, so it seems the various pieces of their system are not working well together:

google-search-console-malware-detected-message

Hopefully Google will improve this, as in this case (and probably in plenty of others), the website only got properly cleaned up after Google started flagging it, so what they are doing is important, but could be better.

Google Needs to Improve the Review Process for Websites Labeled “This site may be hacked”

Early last year Google changed some of the underlying technology used in their process of of handling websites they suspect of being hacked (which leads to a “This site may be hacked” message being added to listings for the websites on Google’s search results). More than a year later we are still finding that the review process for getting the”This site may be hacked” message removed after cleaning up such a website is in poor shape and likely lead leading to a lot of confusion for people trying to navigate it if they don’t deal with it’s problems on regular basis (like we do). While we think that what Google is doing by warning about these situations is a good thing, the current state of the review process is not acceptable.

To give you an idea of what are people are dealing with lets take a look at what we just dealt with while getting Google to clear a website we had cleaned up.

Once you have cleaned a website with the “This site may be hacked” message, you need to add the website to Google’s Search Console and then you can request a review in the Security Issues section of that. That section will also give you information on what Google detected:

security-issues-page-1

 

In this case Google detected that spam pages were being added to the website, which they refer to as an URL injection.

Before requesting a review last Monday, we doubled checked that the spam pages no longer existed using the Fetch as Google tool in the Search Console, which allows you to see that what is served when a page is requested by Google. The URL they listed on the Security Issues page was “Not found” when we used the tool, indicating that the spam page was no longer being served to Google.

On Tuesday a message was left in Google’s Search Console for the non-www version of the website’s domain indicating that hacked content had been detected:

seach-console-message-non-www

Considering that Google was already listing the website as having a security issue for several days you might think this was a new detection, but it wasn’t. In the security issues section it still listed the old last detected date:

security-issues-page-2

Using the Fetch as Google tool in the Search Console we requested the URL again and it was still “Not found”:

fetch-as-google-4-19-2016

Then on Wednesday the same message was left for the www version of the domain:

seach-console-message-www

Again the last detected date in the Security Issues section hadn’t been changed and the using the Fetch as Google too the URL was still “Not found”:

fetch-as-google-4-20-2016

Then on Saturday the Security Issues page indicated that URL injection had been detected as of that day:

security-issues-page-3

We again used the Fetch as Google tool and it was still “Not found”:

fetch-as-google-4-23-2016

At this point we also checked the website over to make sure the malicious code hadn’t returned and it hadn’t.

Then this morning the warning was gone from the search results and the Security Issues page was clear:

security-issues-page-4

Considering that nothing changed between Saturday and today, that detection on Saturday would seem to be some kind of a mistake. Seeing at the page wasn’t even being found this doesn’t seem like an understandable false positive, but something seriously wrong with their system. If you weren’t aware of that how problematic the process is, you might have been very concerned upon seeing the new false detection.

The fact that it took them a week to finally clear the website also doesn’t seem to be an acceptable in this case.

 

Google’s Bad Answers

Recently we wrote a post on how Google was placing bad instruction for upgrading Zen Cart directly in the search results. We have run across another example of where Google isn’t providing a good answer. If you do a search for “Magento PHP 5.5” currently you get the following answer above the normal search results:

This link says that Magento is compatible with PHP 5.2.13 - 5.3.24, but when you run the PHP script to check server requirements, it says that is okay to run on 5.4 and even 5.5. But I've seen some issues with 5.4 over the internet.Aug 23, 2013

Unlike the Zen Cart upgrade example, the information isn’t wrong, it just out of date. If you following the link referenced in that answer you are taken to the Magento System Requirements page which now lists the latest version of Magento, 1.9.1, as being compatible PHP 5.4 and 5.5 (as we mentioned in a previous post, as of Magento 1.9.1 the bare minimum it will allow being run on is 5.3.0).

The Magento System Requirements page was the first result when we did the search:

magento-php-5-5-google-first-result

So excluding a direct answer would have produced a better result in this case (by comparison the page Google took their answer from was ranked 7th).

Google Adds “This site may be compromised.” Warnings To Search Results

In the last several weeks Google has begun to show “This site may be compromised.” warnings, for websites they “believe may have been hacked or otherwise compromised”, in their search results. According to Google’s article about of the warning they have been added “To protect the safety of our users” and they recommend users “should be careful about providing personal information to the site” being flagged.

In the past when Google has detected websites they believe to be hacked and violate their Webmaster Guidelines, they have removed the websites from their index and placed a “Notice of Suspected Hacking” message in their Webmaster Tools to let the webmaster know. It’s unclear at this point if Google has replaced doing that with the new warning or if the warning is only for websites that have been hacked in such a way that does not warrant being removed for their search index. Unlike the malware warning (“This site may harm your computer.”) Google places in their search results, which sends users to an interstitial page when they click search result for an affected website, users are still able to directly access the website.

For websites which display the warning, after the hack has been removed reconsideration needs to be requested from Google to have the warning message removed. According to a post by Google employee John Mueller “These requests are processed fairly quickly (usually within a day, though it’s not possible to give an exact timeframe). “

Google Sites Hosts Files Used In Attempted Hackings

Since June, Google has provided hosting for files used in attempted hackings of websites through an account with their Google Sites services. A listing of all the files hosted is available at http://sites.google.com/site/nurhayatisatu/system/app/pages/recentChanges?offset=25. Some of those files are used in remote files inclusion (RFI) attacks which seek exploit vulnerabilities in software that allow remotely hosted files to be be executed. If the attacks are successful modifications are made to website that place spam or malware on the website, or allows the hacker remote access to the website. Attempting hackings utilizing these files have occurred at least as recently as three days ago. We have reported this to Google using the “Report Abuse” link multiple times but the files have continued to remain up.

Google Increases Search Query Data in Webmaster Tools

Google has significantly increased the amount and depth of the data they provide for in the Top Search Queries feature in their Webmaster Tools. The data was previously limited to the top 100 queries, it now displays a much larger sampling of queries.  The data previously only provided the percentage of impressions and clicks that each query had. The data now includes the number of impressions and clicks broken down by the position of the query in the search results. The data shown can now be restricted to specified periods of time instead of set intervals set by Google. Finally, they have also added a chart that displays impressions and click for the currently active data set.

Google Begins Factoring Site Speed into Rankings

Google today announced that several weeks ago they began factor the speed that a website responds to web requests into search rankings. Site speed is not currently a significant factor with “fewer than 1% of search queries are affected by the site speed signal” according to Google. Site speed is also only currently factored in searches preformed on Google.com in English. Google did not say exactly how they determine page speed, only saying that they use a “variety of sources to determine the speed of a site relative to other sites.”