Google recently noted that it had seen a 32% rise in hacked website. Here are the most common tactics it found.
In 2016, the number of hacked websites rose by 32%, according to a recent blog post from Google. And, unfortunately, the search giant said it believes that number will continue to rise as hackers become more sophisticated.
While 84% of webmasters who "apply for reconsideration" were able to clean up their sites, the post said, 61% were never alerted by Google that they had been hacked. The primary reason for this disconnect for more than half of hacked webmasters is that their sites weren't verified in Google's Search Console, which the company uses to communicate information about websites.
In the post, Google outlined some of the common hacks that are affecting websites today, such as the Gibberish Hack, the Japanese Keywords Hack, and the Cloaked Keywords Hack. Citing the old adage "a chain is only as strong as its weakest link," Google said that prevention is key in keeping these hacks at bay.
SEE: Security awareness and training policy template (Tech Pro Research)
To improve prevention, it is important to know how these attacks are being carried out. In a separate post, Google outlined the following six ways that websites get hacked by spammers:
1. Compromised passwords
Whether an attacker is using guessing techniques to obtain a password, or simply trying out common variations of passwords, compromised account credentials are a serious issue. It's important to create a strong password, not use the same password across multiple web properties, and use additional security tools like two-factor authentication, the post said.
2. Missing security updates
Old software that hasn't been updated may be missing an essential patch to account for a serious vulnerability, the post said. Make sure your web server software, CMS, plugins, and other essential software are all set to update automatically. If that isn't an option, set up a cadence by which you'll manually check for updates.
3. Insecure themes and plugins
In addition to making sure your plugins and themes are patched, be sure to "remove themes or plugins that are no longer maintained by their developers," the post said. Also, be careful when using free plugins, or ones that may only be available through an unfamiliar website.
"It's a common tactic for attackers to add malicious code to free versions of paid plugins or themes," the post said. "When removing a plugin, make sure to remove all its files from your server rather than simply disabling it."
4. Social engineering
Social engineering attacks, like phishing, try to trick the user into thinking they are providing needed information to an actual webmaster or account manager, for example. Check to make sure the email address matches perfectly to a person you know, and never give out personal information to someone you aren't familiar with.
5. Security policy holes
Bad security policies, such as allowing users to create weak passwords, giving admin access too freely, and not enabling HTTPS on your site can have negative consequences, the post said. To better protect your site, Google recommends making sure you have the highest security controls configured, that user access and privileges are properly managed, that logs are checked, and that encryption is used.
6. Data leaks
When data is mishandled, or improperly uploaded, it can become available as part of a leak. One method, "dorking," can utilize common search engines to find the compromised data. Make sure only trusted employees have access to the data they need, and use URL removal tools to make sure that sensitive URLs don't display in Google search reults, the post said.
- Amid security concerns, Google's Allo virtual assistant is still worth a look (TechRepublic)
- Google: Hacked sites rose by a third in 2016 (ZDNet)
- How to set up two-factor authentication for your Google account (TechRepublic)
- Google Safe Browsing beats rivals but still only flags up 10 percent of hacked sites (ZDNet)
- Google makes Gmail safer with new security warnings to fight phishing (TechRepublic)