Over the last couple of weeks, we’ve written about malicious redirects pushing users to porn sites, about ever more complicated phishing scams being carried out by multiple compromised websites on a single server, and about AdSense blackmail. We’ve written about how attackers hit these sites because that’s what we do. We figure out what they’re doing and clean it up or prevent it from happening.
However, today we want to explain how you’re affected by everyday website hacks (not just the big ones). Sure, there is always a website owner who is being harmed by targeted code injection or malware, but it’s not going to affect you, right? Except that it does. Most of the hacks we clean up are harming hundreds or thousands of website visitors just like you.
Who Are Hackers Harming?
Put concisely, malicious hackers are attempting to harm you. When you read about those taking advantage of the Heartbleed bug, brute force attacks or a DDoS attack, the key thing to think is, “Why?” Why are they trying to get those passwords? Why are they trying to take a site down?
The problem we have with the reporting on this subject is not that it isn’t correct, but that it’s not complete. Most times, when you read a story about a hack, the reporter will connect the website attacks with potential revenue lost or headache for the company. For example, this headline about recent hacks in Los Angeles reads, “Hackers hit 73% of LA businesses.” The focus is on the businesses that may be harmed, but the truth is that the business is usually just a conduit for the hacker to reach you because if they can do that, then they can reap rewards. The truth is that these hacks are affecting visitors as much as they’re affecting websites. When Symantec puts out a post saying that antivirus software is dead, and their own AVs are stopping less than 50% of malicious attacks, they aren’t saying attacks aren’t happening. They’re saying they’re getting more complex.
These attacks start when you visit a compromised site.
Can We Do Anything?
When faced with a challenge that feels insurmountable, it can be tempting to throw up your hands and say, “there isn’t a solution, so why should I care?” However, that’s the wrong choice – because there is a solution. Consumers, like you and me, have to demand more from the websites we frequent.
There are simple ways for websites to proactively protect their content and your information, like employing a website firewall. No solution will ever be 100% secure, but when a website doesn’t have protection, the owners of the website are implicitly telling you that they don’t care about your information. By letting hackers harm their website or employ malicious tactics, websites are really letting them attack you. The best way to protect yourself is to visit clean websites. If your favorite sites aren’t protected, then make sure their webmaster understands how important website security is to you.
If that doesn’t work, then there is always one thing that will. Don’t go back to the site until it’s protected and make sure others know why you’re boycotting. Social media has made it easier than ever to give voice to problems and we guarantee that if enough visitors or customers vote with their pageviews and wallets, website owners will be quick to secure their site, and by extension, secure your online presence.
As a system administrator and managed hosting provider, the amount of insecure sites out there is appalling. It’s really bad out there and IMHO getting worse.
In many cases administration is “set it and forget”, a head programmer does the administration, or the administrators are overworked and understaffed.
In general I don’t think companies (and individuals for that matter) take security seriously and what it takes to keep servers and applications secure. Unfortunately it usually only becomes an issue after the fact.
When it comes down to it, system administration is considered an expense and is treated as something that needs to be minimized as much as possible. What we are seeing is the effect of this generalized issue in the business community.
Until this thought process changes, security will always be an aftereffect.
Thanks Larry. That’s certainly our point. Security breaches hurt all of us and they happen over and over every day even though there are ways to make them less likely. Our mission is to change that thought process day by day so that people (and companies) don’t have to experience a security breach before they start to take it seriously.
Shouldn’t we be demanding more from the hosts? They are the ones with the technology and means to detect and prevent these types of attacks from happening and locating infections. Even when you report attacks to a host, they do nothing, letting the infections and attacks spread further.
One of the main issues that we see is that customers generally do not understand hosting, so they simply purchase the cheapest one as they think they are the same. What they don’t see is that the cheap host they selected has no security on their servers and hasn’t updated their servers in years.
We actually wrote a post about that idea last month as well: https://blog.sucuri.net/?s=work+with+my+host
However, in our view, the issue is lack of understanding about what each party (host, website owner and on down the line) is responsible for. For instance, many hosts who work very hard to provide clients a great experience are dealing with website owners who refuse to update their CMS. It’s certainly a complex issue, but it’s our job to demystify it.
@austinmarshburn I assume that you have found infections on hosts that you do not have access to which are being iframed or otherwise served from a server other than your clients’. When you report it to them, do they remove it, reply and take action?
We seem to get a reply from about 1% of hosts. If we actually emailed every host that an attempted attack came in from, we would need one member of staff whose job would just be emailing hosts.