How Hackers Are Hijacking Your Websites Search Engine Results

Hacking

Many of you will be aware of hacking to some degree or another.  It is (usually) where an unidentified individual gains access to a resource that they are not authorised to access – so in terms of website, someone else logging into your websites accounts (control panel, ftp, e-mail etc) without your permission.  Traditionally, it has been very easy to detect your website being hacked – the hacker in the past has usually defaced your website quite publicly – usually with links to malware, spam, placing advertising on your website or other undesirable material.

Website Hacked

However, as with most things in computing, hackers are evolving strategies – and some of these, while still remaining detectable, are significantly harder to detect than the typical ‘defacing’ hack.

The issue that we are going to look at in this article is the hijacking of your websites search engine results.  For the technical people out there, we are discussing hacking of the .htaccess file.  Don’t worry if you don’t know what that means, we’re going to go through it carefully step by step.

Now for those of your that run your own website, whether it is personal or business, think about how you would normally access that website?  Chance are, more often than not, you type the website address directly into your browsers address bar, such as:

DPS Computing Limited - www.dpscomputing.com - Address Bar

Hijacking your websites search engine results takes advantage of this.  When your search engine results are hijacked there is no visible indication of the hack unless you go through a search engine.  If you type the address directly into the address bar (as in the picture above) everything works as normal.  Hackers are using this to their advantage to escape detection.

So what’s the problem if there’s no visible signs of the hack?  Well, there are visible signs, but only when you go through a search engine!  The thing to consider is everyone else who is looking for your website or a website with content similar to yours is 99.9% likely to use a search engine to find it.  And with this search engine results hijack (.htaccess hijack) any user clicking from a search engine results page to your website will be redirected to another site, usually undesirable and usually hosting malware or other similar unpopular things!  One things for sure, although they appear to have come to your website (as far as they are concerned through the search listings) they have actually come to your site, ‘hit’ your page and then been redirected to the hackers website (or a website of their choice) by inserting content into or creating a .htaccess file in your websites home directory.

So, why do they do this?

Well there can be many reasons.

Firstly it can be to gain a good ranking with search engines.  If a hacker started a new site it would start off like every other website (usually) does, at the bottom of the pile.  What’s a way of increasing your ranking?  Quality back links.  Google (and other search engines) will see your ‘redirect’ from your own site to the attackers website as a sort of endorsement.  If the hacker does this to hundreds of websites, maybe even thousands or more, the hacker is starting to get a popular website.

Secondly, it can be to make money.  The hackers website is likely to be full of advertisements – and due to the traffic from all the compromised websites – its likely to be making a fair wad of cash.

Thirdly, it can be to spread malware.  It’s very effective to have legitimate websites (probably with a good reputation and history) redirect to attackers website to infect the visitors computers with malware/adware/spyware or whatever they feel like.

Fourthly, sometimes it can be to highlight a cause.  Although less likely, sometimes hackers do this to redirect to a website protesting about a government action, law enforcement case or a war.

So, why should you be bothered?

Well, there’s also many reasons for this as well.

Firstly, you’re losing visitors (and / or customers).  All of the search engine traffic that should be going to your website isn’t.  It’s going to the attackers website.

Secondly, your likely to be losing your reputation.  From a users point of view they click on a link from a search engine to your website and then get ads/malware/spyware etc displayed on their browser / on their computer.  Although this is actually come from the attackers website – most users aren’t going to distinguish this (its not obvious at all).  So you will be associated with the hackers website bad reputation and their action will be attributed to you.

Thirdly, your websites rankings and ‘online reputation’.  Google (and other search engines) regularly check out websites to see if their legitimate and whether they contain any ‘nasties’ such as malware, agressive advertising etc.  By redirecting your website to their website, for reputation purposes you basically get ‘merged’ with the hackers website.  So as far as search engines are concerned, if the hackers website is hosting malware (for example), you are hosting malware.  Why does it matter what the search engines think?  Well, because that’s how most people find you and they decide your ranking.  Websites containing (or redirecting) to bad things such as malware will get penalised in search engine rankings, if not removed altogether from them.  Ever seen the ‘This site may harm your computer’ tag in Google?  Your website, if hacked in this way, could end up with that tag or worse!  There are other websites (as well as security software) which watch out for these kinds of things and to warn users about ‘potentially unsafe websites’.  One of the most popular is Norton SafeWeb.  All any Internet user has to do is type in a web address and it gets a quick report about how safe or unsafe, good or bad a website is.  As mentioned earlier in this paragraph, once the .htaccess hijack has taken place, for the purposes of online reputation and website rankings your website and the hackers website become the same website!

So, how do they do this?

Well, they have to gain access to your website account(s) somehow.  Usually they exploit a weakness in some software running on the website to ‘bypass’ security and authentication measure or they crack the password to your account – which if they are successful, usually means that the password used was insecure or not strong enough.

No matter how they do it, what they then do (for this hack) follows the same path.

If you’ve already got a .htaccess file, they ‘append’ some more commands to it.  If not, they create one and add the commands to it.  .htaccess files can ‘live’ in any folder on a website and most websites usually have one in the main folder on the website (usually something like ‘public_html’, ‘www’ or ‘htdocs’) – this is the one that they target.

And, what do they do?

Well, as mentioned in the previous section, they add more code to your .htaccess file – something very similar to this:

.htaccess Hijack Hack

Don’t worry if this means nothing to you!!  The web developers reading will immediately have alarm bells ringing in their heads now!

Basically what this code does is redirect any user coming to your website from a number of search engines (Google, Ask, Yahoo, Excite, AltaVista, MSN, Netscape, AOL, HotBot, Goto, InfoSeek, Mamma, AllTheWeb, Lycos, Search, Metacrawler, Bing and Dogpile – to be specific!) to another website – in this case ‘ahmetekremkaya.com’.  In addition, any time a user encounters a website error (400,401,403,404 or 500 status code – basically all the ones your visitors are likely to encounter) it redirects them to the attackers website.

And how do I fix it?

Simply, remove the code added to .htaccess that the hacker has inserted.  You can do this quickly by deleting or (preferably) renaming the file – to anything really, but something along the lines of ‘.htaccess-removed’ or ‘.htacess-infected’ can be used.  Don’t worry – after you have changed the name of the file, the code can no longer harm your website and everything will go back to normal.

If you had legitimate code in the .htaccess file you can reinstate this in a new .htaccess file.

Obviously, some people reading this may be non-technical users – if this is the case, you can always find a reputable company to come in and remove the infection and hijack completely from your website.

DPS Computing Limited can do this for you – feel free to take a look at our website maintenance packages.  If we find that the hack / hijack isn’t very extensive, we may be able to offer you a discounted price – feel free to contact us for a FREE diagnosis and a value for money, no obligation quote.

Conclusion

The result is, as described above, any of your results in search engines suddenly become their results.  You lose traffic, visitors and in the case of businesses, customers.  You also lose the reputation and credibility that you have likely spent a long time building up.

Usually, if you see another website (that you don’t recognise) in any .htaccess file on your website, you’ve likely suffered from this type of hack, a .htaccess hijack.  As .htaccess files are ‘dot’ files (and therefore hidden automatically in different applications / control panels by default) this can also make it harder to even find the file that has been hijacked – let alone repair it.

The DJ David website was previously hacked in this way, as you can see below (don’t worry – it was all fixed a while ago!):

DJ David - .htaccess Hijack

This is from the Google search engine results page searching for ‘DJ David’ in early 2011 (when the hack occurred).  As you can see, the DJ David website is displayed in the search engine results.  However, when you hover over the link (to get a preview of what you are going to visit) you can see it relates to ‘ahmetekremkaya.com’ – obviously not the correct website.  Although the website ‘ahmetekremkaya.com’ looks quite tame in this photo, this was after it was taken down.  Originally the site will have usually been infected with malware and displaying lots and lots of ads and also engage in other not-so-nice activity.  You can also see in the picture above that the link that the preview relates to is shown as ‘djdavid.co.uk/news.htm’.  However, from the preview you can clearly see this is not the page we are going to be taken to.  This is your classic sign that your website has suffered a .htaccess hijack.

If you think you could have suffered this type of hack, or any other security breach, don’t forget you can contact us for a no obligation quote and FREE diagnosis of the problem.

After this type of hack has occurred it is vital that you change all of your accounts passwords (to strong passwords!) and ensure that adequate security measure are in place!  Another important thing to do is regularly search for yourself (your website) in the search engines.  No this isn’t vain and is no way the same as looking at yourself and admiring yourself in the mirror! ;).  It’s not only important as it can detect this sometimes difficult-to-detect hack but also to see how you are doing in search rankings – which terms you are ranking for and how highly you are ranking.  Is your entire website being indexed?  If not, why?  So, searching for your own website in the search engines kills two birds with one stone! :).

‘cipher’ hack image author: Salim

You may also like...

%d bloggers like this: