Sitelinks in Google’s Search Results Missing “This site may be hacked.” Warnings

Last week we discussed a US government contractor that offers several security services, including a “Cyber Security” service, while having a hacked website, which we had run across after they were in the news for their involvement with questionable practices at the US Housing and Urban Development (HUD) department. That incongruity between offering security services and not being able to secure their own website makes it seem not all that surprising to us that in follow-up reporting on the situation with the HUD department it was reported that the company was possibly engaged in fraudulent billing as well.

There is another thing we noticed in relation to the hack, though, which is that Google is currently incompletely warning that they are aware that websites are hacked.

In our previous post we mentioned that, for example, when you visited the website’s Careers page you would be redirected to a casino website. When showing up in Google’s search results that page is flagged with the message “This site may be hacked.”:

But when that same page is shown as a sitelink there is no warning:

Being a sitelink versus a standalone result should have no impact on whether this type of issue is occurring (and that is the case with this website), so Google should warn there as well.

Google Search Console Claiming That Fixed Security Issues Are Still Being Detected Days Later

Google’s flagging that websites are hacked (“This site may be hacked.”) is a good thing and from what we have seen their claims are highly accurate. A reoccurring problem we found in cleaning up hacked websites, though, is that after the websites have been cleaned, Google will claim in the Security Issues section of their Search Console that the issue has been detected days after it has been resolved.

As an example of that we had someone whose websites we cleaned up on March 1, but as of March 4th, Google was claiming that the issue was detected the day before:

Using the Fetch as Google tool in the Search Console showed that the URL they claimed the issue had been detected on didn’t exist (since the code that generated it was no longer on the website):

No change had been made to the website on either of those days, so the result would have been the same the day before.

By later on March 4 that claim had disappeared despite a continued lack of change of anything on the website:

Since we deal with hacked websites all the time we are aware of this issue, but for clients or others who might be trying to deal with a situation on their own it is easy to think that this could cause unnecessary distress and wasted time spent trying to deal with an issue that has already been dealt with.

Hopefully Google will work on correcting this.

Google Needs to Improve the Review Process for Websites Labeled “This site may be hacked”

Early last year Google changed some of the underlying technology used in their process of handling websites they suspect of being hacked (which leads to a “This site may be hacked” message being added to listings for the websites on Google’s search results). More than a year later we are still finding that the review process for getting the “This site may be hacked” message removed after cleaning up such a website is in poor shape and likely leading to a lot of confusion for people trying to navigate it if they don’t deal with its problems on a regular basis (like we do). While we think that what Google is doing by warning about these situations is a good thing, the current state of the review process is not acceptable.

To give you an idea of what people are dealing with, let’s take a look at what we just dealt with while getting Google to clear a website we had cleaned up.

Once you have cleaned a website with the “This site may be hacked” message, you need to add the website to Google’s Search Console and then you can request a review in the Security Issues section of that. That section will also give you information on what Google detected:

[Screenshot: Security Issues page]

In this case Google detected that spam pages were being added to the website, which they refer to as a URL injection.

Before requesting a review last Monday, we double checked that the spam pages no longer existed using the Fetch as Google tool in the Search Console, which allows you to see what is served when a page is requested by Google. The URL they listed on the Security Issues page was “Not found” when we used the tool, indicating that the spam page was no longer being served to Google.
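A scripted complement to that re-check, added here as an example (it is not the authors' tooling): it requests a URL that should be gone as Googlebot, as a browser, and as a browser arriving from a Google result, and reports any profile that still gets the page or an off-site redirect. The profile strings and function names are assumptions, and a spoofed User-Agent does not reproduce Fetch as Google when injected code keys on Google's IP addresses, so the Search Console result stays authoritative.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Request profiles (constructed for this example): injected code often keys on
# User-Agent or Referer, so the same URL is requested three ways.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "browser": {"User-Agent": BROWSER},
    "from_search": {"User-Agent": BROWSER, "Referer": "https://www.google.com/"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def http_fetch(url, headers, timeout=10):
    """Return (status, Location header or None) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def base_host(url):
    """Hostname without a leading www., so www/non-www redirects are not flagged."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def audit_removed_url(url, fetch=http_fetch):
    """Request a URL that should be gone under each profile; list what is still served."""
    results = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    findings = []
    for name, (status, location) in results.items():
        if 300 <= status < 400 and location:
            target = base_host(urljoin(url, location))
            if target and target != base_host(url):
                findings.append(f"{name}: redirects off-site to {target}")
        elif status == 200:
            findings.append(f"{name}: still served (200)")
    if len({status for status, _ in results.values()}) > 1:
        findings.append("responses differ by profile (possible cloaking)")
    return results, findings
```

An empty findings list with 404 for every profile matches the “Not found” result described above; the raw per-profile results are returned as well so redirects that stay on the same site can be followed up by hand.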

On Tuesday a message was left in Google’s Search Console for the non-www version of the website’s domain indicating that hacked content had been detected:

[Screenshot: Search Console message for the non-www domain]

Considering that Google was already listing the website as having a security issue for several days you might think this was a new detection, but it wasn’t. In the security issues section it still listed the old last detected date:

[Screenshot: Security Issues page]

Using the Fetch as Google tool in the Search Console we requested the URL again and it was still “Not found”:

[Screenshot: Fetch as Google result, 4-19-2016]

Then on Wednesday the same message was left for the www version of the domain:

[Screenshot: Search Console message for the www domain]

Again the last detected date in the Security Issues section hadn’t been changed and using the Fetch as Google tool the URL was still “Not found”:

[Screenshot: Fetch as Google result, 4-20-2016]

Then on Saturday the Security Issues page indicated that URL injection had been detected as of that day:

[Screenshot: Security Issues page]

We again used the Fetch as Google tool and it was still “Not found”:

[Screenshot: Fetch as Google result, 4-23-2016]

At this point we also checked the website over to make sure the malicious code hadn’t returned and it hadn’t.

Then this morning the warning was gone from the search results and the Security Issues page was clear:

[Screenshot: Security Issues page]

Considering that nothing changed between Saturday and today, that detection on Saturday would seem to be some kind of a mistake. Seeing as the page wasn’t even being found, this doesn’t seem like an understandable false positive, but something seriously wrong with their system. If you weren’t aware of how problematic the process is, you might have been very concerned upon seeing the new false detection.

The fact that it took them a week to finally clear the website also doesn’t seem to be acceptable in this case.