Following my article a few weeks ago Why bother to update WordPress?, I received several replies from people who don’t believe their sites could be targets. I tried to explain but, as luck would have it, I stumbled upon an excellent article from the Sucuri Blog, answering why all sites are vulnerable.
Tony Perez (Co-Founder / CEO at Sucuri) has very kindly agreed to let me reproduce it here and he perfectly sums up why even your website could be hacked. Most attacks are not personal, which means everyone is at risk.
Why Websites Get Hacked
By Tony Perez on February 26, 2015
I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up: Why would anyone ever hack my website?
Depending on who you are, the answer to this can vary. Nonetheless, it often revolves around a few very finite explanations.
Automation is Key
Understand that the attacks affecting a large number of website owners in the prosumer (a term I’m using to describe those website owners in micro- small – and medium sized business space leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012, it’s important to revisit the subject as it’s still very relevant today.
The benefits of these automated attacks have not changed, they still provide the attackers the following benefits:
- Mass Exposure
- Reduces overhead
- Tools for everyone regardless of skill
- Dramatically increases the odds of success
It is not to say that these attacks are never manual, but for the mass majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence I am referring to the order of events an attacker takes to compromise an environment.
A very simple illustration of the sequence would look something like:
The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time would be with the deployment of scripts and bots during steps one and two. Although not always a manual process, steps three and four often have a tendency to have more manual elements to them, although many can be automated as well. While thinking of how these attacks occur, it is important to note the two forms of attack categories; attack of opportunity and targeted attack.
Attack of Opportunity
Almost all prosumers fall within the realm of opportunistic attacks. Meaning that it is not any one individual that is intentionally trying to hack your website, but rather a coincidence. Something about your site was caught by the trailing net as they randomly crawl the web. It could have been something simple like having a plugin installed, or maybe displaying the version of a platform.
In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website, the only commonality is that it is connected to the web.
These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (i.e. WordPress, Joomla! etc.)? If yes, is the website running any exploitable software (i.e. software vulnerabilities or bugs in code that can be exploited)? If the answer is yes, then the site will be marked for the next phase of the attack, exploitation.
The sequence of events can happen in a matter of minutes, days or months. It is not a singular event, instead it occurs continuously, always scanning for changes or updates. It is automated, therefore, once your website is on the list it will just continue trying.
This is often reserved for the larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack.There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially more difficult but the gains can be astronomical. That being said, a very common form of targeted attack can be seen in something known as a Denial of Service attack in which the attacker works to bring down the availability of your site – common between competing businesses.
With that in mind, targeted attacks are not always reserved for the big boys. They can be deployed against smaller sites and can be driven by competition or pure boredom and the need for a challenge. These attacks can range from very simple to very complex as well.
Hacking Motivations and Drivers
Now that we have a better appreciation for the How, let’s turn our attention to the Why. That is why you are reading this.
The most obvious of the reasons is economic gain. This often manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.
A Drive-by-download is the act of deploying what is known as a payload (i.e. injecting your website with malware) and hoping to infect as many of your website visitors. Think of your mom or dad visiting your website and the next thing you know, they are calling you because they installed a fake piece of software like you recommended on your website, but this time their bank accounts were drained. Scary, but very real and very devastating.
Blackhat SEO spam campaigns are not as devastating, however, in many instances can be more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This is rampant in the pharmaceutical space, but has also extended to other industries like gambling, fashion and many others. What they do is inject links through your website, sometimes you see them, sometimes you won’t. On the contrary, when it comes to search engines like Google or Bing, they see everything and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.
There is one motivator, the use of your resources, that many don’t talk about. When referring to resources, I am talking about things like bandwidth and physical server resources. I break this out as its own motivator, but it’s also a group under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they’re able to not only use it as part of their own networks, but build a leasing environment off your stack.
You have likely heard of large botnets and I have also referenced them above. Botnets are nothing more than interconnected systems across the net; they can be desktops, notebooks and even servers – similar to your webserver. They can be employed to perform tasks simultaneously. These can include Denial of Service Attacks, Brute Force Attacks, or even some of the automated attacks mentioned above.
These attacks that target your system resources are dangerous mainly because of their ability to attack without you, the website owner, even realizing it. You go about your day with no worries with your website appearing to be in good standing and with no complaints. Then one day out of the blue, your host shuts you down, your usage bill is through the roof or you receive a notice from the authorities about your hacking attempts.
This motivator is perhaps the one that’s the hardest to contend with when it comes to getting your head around it. Similar to others, the drivers for these attacks are monetary or abusive. However, they are more finding a way to protest around a religious or political agenda or to show off to peers within the hacking community.
A very common form of this can be identified with Defacements. The point of these attacks often comes down to some form of awareness. This form of attack can be combined with others, but in our experience often are somewhat benign and create more embarrassment to the site owner rather than affecting their users.
Something that always catches folks off guard is the idea of people attacking website out of boredom and amusement, but it’s very true. It’s unfair to say they are always young, but a good percentage of the teim they are teens bored at home.
There really isn’t much to say about this other than, put your kids into sports!!
Good Security Begins with Good Posture
It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly. I assure you they happen more often than note, and Google agrees being they blacklist close to 10,000 sites a day for malware and flag over 20,000 sites for phishing a month.
Bruce Schneider likes to say:
“As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.”
It is a very true and a very sad sentiment that I have to agree with. It becomes very evident when I speak with website owners and they say, “I have had a website for 10 years, never been hacked, I don’t need to worry about it.” Those also always make for the most interesting and painful conversations when the hack does occur. Some go as far to accuse us, “I was fine then hear you speak, or read your post.” A bit over the top, I agree, but it gives you a very small window in the state of mind once the hack does happen.
I like to think of website security in the form of posture. It is through good posture that you position yourself for success. I take this from my Brazilian Jiu jitsu training, where its through posture that you can help prevent positions that would see you in a lot of pain.
Remember, security is not about risk elimination, but rather risk reduction. You have heard this time and time again, risk will never be zero. You can, however, employ tools and steps to reduce it where you can so as not to become part of the statistic.
About Tony Perez
Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.