The number of sites hacked last year increased by nearly one third compared to 2015, Google said in a new report, a trend that the company expects will continue in years to come.
Google’s crawlers constantly check sites for a number of different properties, including the presence of certain types of content that indicate they’ve been hacked. Those content types can include pages filled with nonsense and littered with keywords or image or affiliate links. Hackers implement these attacks in an effort to generate revenue through ad fraud and other schemes.
In a new report on the safety of sites in 2016, Google officials said the volume of these attacks is increasing at a high rate, with no indications of slowing down anytime soon.
“We’ve seen an increase in the number of hacked sites by approximately 32% in 2016 compared to 2015. We don’t expect this trend to slow down. As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites,” Google said.
When Google’s crawlers identify a site that’s been compromised, the company will send an email to the site owner with information about the hack and how to recover from it. The company also will mark the site as hacked in search results until it is cleaned up, at which point the site owner can apply for reconsideration. Google officials said 84 percent of owners who apply are successful. But more than half of hacked sites don’t have their sites registered with Google through its Search Console, so the site owners don’t ever get notified of the compromise.
One of the things attackers do often after compromising a site is to generate a number of new pages on the site with hidden keywords as a way to try and game Google’s search algorithm.
“The cloaked keywords and link hack automatically creates many pages with non-sensical sentence, links, and images. These pages sometimes contain basic template elements from the original site, so at first glance, the pages might look like normal parts of the target site until you read the content. In this type of attack, hackers usually use cloaking techniques to hide the malicious content and make the injected page appear as part of the original site or a 404 error page,” Google said.
Attackers compromise sites through a number of different avenues, but the most common one is by exploiting vulnerabilities in the content-management system of a target site. Web sites that run a common CMS such as WordPress are frequent targets for attackers, especially when new vulnerabilities are published. There are a number of tools available for attackers to automate this kind of attack, too, so site owners who don’t stay up to date on CMS patches can find their sites compromised early and often.
Image: Shawn Carpenter, CC By-sa license.