I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking to large enterprises, there is a common question that often comes up:
Why would anyone ever hack my website?
Depending on who you are, the answer can vary. Nonetheless, it usually comes down to a few finite explanations.
Automation is Key
Understand that the attacks affecting a large number of website owners in the prosumer category (a term I’m using to describe website owners in micro, small, and medium-sized businesses leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012; it is worth revisiting because it is still very relevant today.
The benefits of these automated attacks have not changed; they still provide the attacker with:
- Mass exposure
- Reduced overhead
- Tools for everyone, regardless of skill
- Dramatically increased odds of success
This is not to say that these attacks are never manual, but for the vast majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence, I am referring to the order of events an attacker follows to compromise an environment.
A very simple illustration of the sequence would look something like:
- Reconnaissance
- Identification
- Exploitation
- Sustainment
The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time is to deploy scripts and bots during steps one and two. Steps three and four tend to have more manual elements to them, although many of those can be automated as well. While thinking about how these attacks occur, it is important to note the two categories of attack: the attack of opportunity and the targeted attack.
Attack of Opportunity
Almost all prosumers fall within the realm of opportunistic attacks, meaning that no one individual is intentionally trying to hack your website; it is rather a coincidence. Something about your site was caught in the trailing net as attackers randomly crawled the web. It could have been something simple, like having a particular plugin installed, or displaying the version of your platform.
In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website; the only commonality is that it is connected to the web.
These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (e.g. WordPress, Joomla)? If so, is the website also running any exploitable software (i.e. software with known vulnerabilities or bugs in its code)? If the answer is yes, then the site is marked for the next phase of the attack: exploitation.
The sequence of events can happen in a matter of minutes, days or months. It is not a singular event; it occurs continuously, always scanning for changes or updates. Because it is automated, once your website is on the list the bots will just keep trying.
Targeted Attack
This is often reserved for larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack. There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially greater, yet so is the reward. That being said, a very common form of targeted attack, the Denial of Service (DoS) attack, is one in which the attacker works to bring down the availability of your site. This is popular with competing businesses. It can be deployed against big or small sites, and can be driven by competition or by pure boredom and the need for a challenge. These attacks can range from very simple to very complex.
Hacking Motivations and Drivers
Now that we have a better appreciation for the how, let’s turn our attention to the why: why do websites get hacked?
Economic Gains
The most obvious of the reasons is economic gain. This manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.
A Drive-by-Download is the act of deploying a payload (i.e. injecting your website with malware) in the hope of infecting as many of your website visitors as possible. Think of your mom or dad visiting your website, and the next thing you know they are calling you because they installed a fake piece of software supposedly recommended on your website, and this time their bank accounts were drained. Scary, but very real and very devastating.
Blackhat SEO spam campaigns are not as devastating; however, in many instances they are more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This form of attack runs rampant in the pharmaceutical space but has extended into other industries like gambling, fashion and others. The attackers inject links throughout your website; sometimes you see them, sometimes you won’t. Search engines like Google or Bing, on the other hand, see everything, and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.
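As an added defender’s example (not code from the original post), the following Python scans a page’s own HTML for the two markers discussed above: the platform version string that opportunistic crawlers look for (assumed here to sit in a `generator` meta tag) and links hidden from visitors by inline CSS, the trick Blackhat SEO injections rely on. The sample page and the list of hiding techniques are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline CSS tricks commonly used to keep injected links out of a visitor's view
# (assumed list of common techniques; extend as needed).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"meta", "link", "br", "img", "input", "hr"}  # never get a closing tag


class PageAudit(HTMLParser):
    """Records the platform version marker and every link hidden from visitors."""

    def __init__(self):
        super().__init__()
        self.generator = None      # content of <meta name="generator">, if present
        self.hidden_links = []     # hrefs a visitor cannot see but a crawler indexes
        self._stack = []           # one bool per open element: True if it hides content

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        hidden = "hidden" in a or bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag == "a" and (hidden or any(self._stack)):
            self.hidden_links.append(a.get("href", ""))
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()


def audit_html(html):
    """Return the version marker and hidden links found in one page's HTML."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return {"generator": parser.generator, "hidden_links": parser.hidden_links}


# Constructed sample page: a legitimate site with a version marker and injected spam.
SAMPLE_PAGE = """<html><head><meta name="generator" content="WordPress 4.1"></head>
<body><p>Welcome to our bakery.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://spam.example/cheap-pills">cheap pills</a>
  <a href="http://spam.example/casino">online casino</a>
</div>
<a href="/about">About us</a>
<a style="display:none" href="http://spam.example/replica-watches">watches</a>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_PAGE))
```

Run it against a saved copy of your own pages; a non-empty `hidden_links` list or an unexpected `generator` value is worth investigating.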
System Resources
There is one motivator that many don’t talk about: the use of your resources, things like bandwidth and physical server resources. I break this out as its own motivator, but it also falls under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they are able not only to use your resources as part of their own networks, but to build a leasing business off them.
You have likely heard of the large botnets I have also referenced above. Botnets are nothing more than interconnected systems across the net. They can be desktops, notebooks and even servers – similar to your webserver – employed to perform tasks simultaneously. These tasks can include Denial of Service attacks, brute force attacks, or even some of the automated attacks we’ve gone over.
These attacks target your system resources and are dangerous mainly because of their ability to attack without you – the website owner – even realizing it. You go about your day with no worries, your website appearing to be in good standing and no complaints. Then one day, out of the blue, your host shuts you down, your usage bill is through the roof, or you receive a notice from the authorities about your hacking attempts.
Hacktivism
This motivator is perhaps the hardest to contend with and understand. As with the others, the drivers for these attacks can be monetary or abusive. More often, however, the attackers are protesting a religious or political agenda, or showing off to peers within the hacking community and using the hack as bragging rights.
A very common form of this is the defacement. The point of these attacks often comes down to awareness, and they can be combined with other attacks, but in our experience they are often benign and create more embarrassment for the site owner than harm to their users.
Pure Boredom
Something that always catches folks off guard is the idea of people attacking a website out of sheer boredom and amusement. It’s unfair to say they are always young, but a good percentage of the time these attackers are computer-savvy teens with nothing else to do.
There really isn’t much to say about this, other than, put your kids into sports!!
Good Security Begins with Good Posture
It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Burying your head in the proverbial sand doesn’t make the problem disappear; it amplifies the impact. I assure you that attacks happen more often than not, and Google agrees: they blacklist close to 10,000 sites a week for malware and flag over 20,000 sites a week for phishing.
Bruce Schneier likes to say:
As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.
This statement becomes apparent when I speak with website owners and they say, “I’ve had a website for 10 years and never been hacked. I don’t need to worry about it.” Those owners always make for the most interesting and painful conversations when the hack does occur.
I like to think of website security in the form of posture. It is through good posture that you position yourself for success.
Remember, security is not about risk elimination, but rather risk reduction. Risk will never be zero. You can, however, employ tools and steps to reduce it where you can so as not to become part of the statistic.
13 comments
This is a great post I can send to people when they ask, “Why would anyone do this?” Thanks.
I couldn’t agree more with this quote: “Remember, security is not about risk elimination, but rather risk reduction.” Yes! It’s just like trying to deter car thieves. Can you, with 100% certainty, secure your car? Nope. Can you discourage the thief from trying to steal your car by having an electronic alarm, a club and hiding your valuables? Yes!
Correct!
Looking forward to an article following this one “And what do companies do about it to prevent it”
Hi @petrpinkas, I’m curious, this is an interesting topic. Do you mean what does the website owner do? Or what do the service providers do?
Website owners and furthermore even the companies and maybe even the users. I mean – do they know they have to have proper security, strong passwords etc.? Seems like not. Willingness to spend some portion of the budget on security seems like a missing spot right now.
Excellent post! Most of our small business customers think they are being personally targeted. I’ll be sending them a link to this article.
Perfect, that’s exactly why I wrote it.
In answer to the question, “And what do companies do about it to prevent it”
Rather simple actually. In my experience over 90% of all websites are compromised for one simple reason:
Failure to upgrade
More often than not the owner of the website is simply unaware that WordPress or Joomla (for example) require regular updates. Web designers come and go in the business quite frequently, and as they finish a job or are let go for various reasons, the client is left with a common dilemma – should I update plugin X, and if I do and the site breaks it might cost me money… and human nature takes over.
The cycle of neglect goes like this:
– Web designer or friend helps build the website
– Web designer or friend becomes bored, quits for another job, or is fired from the job
– Client does not know what to do. The concept of updates is an unknown, so the website simply ages and becomes exploitable over time.
– Random drive-by bots note that the site has exploitable plugins or scripts installed
– Site is compromised and the client pays someone to help fix the problem, or a compassionate bystander offers help, or the problem just lingers on for months.
– Problem is resolved, and in a great number of cases the client is no wiser, then becomes re-hacked year after year…
It’s a sad state of affairs that greatly exemplifies the state of the industry, human nature, the Internet entitlement mentality (the cost of free), and the complexities associated with managing an online business.
Thank you for the useful post. I unfortunately fell into that trap with the lack of updates. Any way I can retrieve any files? I just want the text back! Two years of blogging GONE!
176.102.34.137/safezone – what is the meaning of this? I cannot go to the website that I want to go to; it’s regarding my business. Please help.
Thank you for writing this post. I’m about to redo my site and am trying to read up on various ways to keep it protected. Appreciate the tips and info!
Thank you for the useful post. It makes a lot of sense and as a blogger I fully understand the risks a lot more. No one could have gained anything from hacking my two year running blog, but it’s all gone now! Is there any service available out there that may help to look at my case and try to retrieve the text of my blogs? Then I’ll rebuild it…