Website Hacking and Prevention
Part 1: Why, Who, and How
As more and more people come online, the amount of valuable personal data exchanged every day has given rise to a culture of cybercriminals who seek to gain access to this information on a mass scale for a variety of nefarious purposes. Hacking your personal or business website is one of the first steps in this process. With over 2.4 billion users worldwide in 2012 and a 78% user rate in North America alone, there is no question that the internet has grown exponentially in recent years. The online world offers countless new opportunities in business, communications, and media that could scarcely be imagined a few decades ago. With the more recent leaps in mobile technology, we have become more integrated with technology than ever before; it has become a fact of life.
Why hack MY website?
There is a common misconception that because your website doesn't store any "sensitive" information, it is not a target for cybercriminals. This is not the case. When a website is hacked, it usually means that some code has been inserted which displays SPAM content or redirects your visitors' computers to a 3rd-party web server hosting malicious content. The goal is not necessarily to gain access to information stored on your web server, but primarily to infect and gain access to the computers of those who visit your website. Whether you host a site for your small consulting business or a blog about insects in the Amazon does not matter to cybercriminals: they are after your website's traffic, and the more traffic from more sources, the better.
Who is trying to hack my website?
Cyber attacks can be categorized into 3 general types:
Mass Malware or SPAM
This is the most widespread type of cyber attack. As described above, it is geared towards displaying 3rd-party content on your website or infecting the end user's computer with a worm or Trojan-style program for the purpose of gathering useful data from that machine (such as banking credentials), sending and distributing spam, recruiting the computer into a botnet, creating or deleting files, or some combination of these. The term "botnet" refers to a collection of independent computers ("bots") that are networked by a 3rd party as a means of pooling computing resources for a variety of purposes. There are both legal and illegal forms of botnets. An example of a legal botnet is the way the SETI Institute (Search for Extraterrestrial Intelligence) offers internet users a way to participate in its cause by installing software that links their computer to a central location. When the user's computer has been inactive for a certain amount of time, it connects to SETI in the background and allows a portion of the system's resources to be used to help process incoming data from satellites scanning the sky.
Conversely, a computer user usually has no idea they are part of an illegal botnet, as they are recruited involuntarily after being infected with malware. One example of this was the "Flashfake" botnet, which first appeared in September 2011. This botnet was revealed to have infected over 600,000 machines, nearly all of which were running the Mac OS X operating system. By visiting sites infected with malware, users were directed to a 3rd-party host which exploited vulnerabilities in the Java platform, causing a Trojan program to be downloaded directly to the computer. This Trojan gave the creators of the botnet access to the infected systems, which were used to install additional software that hijacked the users' web browsers for use in a "click-fraud" scam. In a click-fraud scam, a company advertises on a website on a pay-per-click basis: the more clicks, the more the company pays the site hosting the ad. The Flashfake botnet was used to generate as many fraudulent clicks as possible in an automated fashion, presumably making the botnet operator a great deal of money. Illegal botnets such as this can also be used to distribute SPAM email or participate in DDoS (distributed denial of service) attacks, where a target website is overloaded with page requests, causing it to crash.
Targeted Attack
This is a somewhat less common attack which, as the name suggests, takes a more targeted approach. Attacks of this kind look for a particular type of data and try to gain access to large deposits of information such as databases. An example would be a targeted attack on retail websites which house large databases of customer information, the goal being to steal mass quantities of information and then monetize it by fraudulently selling it to 3rd-party advertisers. Keep in mind that a targeted attack and a mass malware attack are not mutually exclusive and can be used in conjunction. A mass malware attack could be used to retrieve information such as FTP login credentials from infected users in order to gain access to any websites those users have admin access to. This harvested data could in turn be put to use in a more targeted attack, or sold for that purpose.
APT (Advanced Persistent Threat)
Though the least widespread type of attack, the Advanced Persistent Threat has the potential to be the most damaging. In this case, the attack is aimed at a specific entity such as a particular company, foreign government or political organization for the purpose of ongoing sabotage or espionage. Unlike the previous 2 types of attack, which go after whatever target "works", the APT generally has a well-defined target and mission, and the perpetrator will not simply move on to another target if they encounter resistance. More sophisticated means usually need to be employed to mount a successful attack, and for this reason APTs are more often state-sponsored acts of cyber warfare than the work of a lone hacker. An example would be a large multinational corporation trying to take out a foreign competitor by either sabotaging its business or directly stealing its intellectual property.
How was my website hacked?
Step 1 for anyone trying to commit cyber crime is to gain exposure, that is, to intercept web traffic and direct or "expose" it to their malicious content, and that is where YOUR website comes in. There are several ways to potentially gain access to a website. A common trend in recent years has been the widespread use of Content Management Systems (CMS) such as WordPress, Drupal, and Joomla, to name a few. These systems offer a standardized platform for creating websites with little or no knowledge of the programming languages doing the work in the background. The majority of these systems use a database backend to store information (such as page content, images, and blog posts), allowing the user to install different design templates with relative ease while the database takes care of where to put the content. While this makes life easier in one sense, it can open the website up to some problems. In order to make use of a database this way, the CMS needs to use a language called SQL (Standard Query Language), pronounced "sequel", to request information from the database in different forms to be displayed on the website.
Due to the standardized nature of CMSs, the way web pages interact with the database is done in a predictable way for everyone using the system, and if there are any vulnerabilities in that system, they can be exploited on a mass scale. Sites using a database (not limited to CMS-based sites) are potential targets of "SQL injection", one of the most common and potentially dangerous security issues on the web. Hackers (or an automated hacking program) target input fields on websites, such as search bars or email forms, and enter SQL statements designed to pull information out of the database, which can include everything from proprietary data (targeted attack) to user and admin login information for your whole website. Once that information is extracted, code can easily be added to your site that displays SPAM or exposes users to malicious content hosted elsewhere. This kind of security breach is not something your web hosting company can defend against; the responsibility lies with your web developer (or CMS distributor) to ensure that the database interactions they author use secure techniques and are tested for vulnerabilities.
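The following is an added example, not code from the article or from any of the CMS projects it names. It uses Python's built-in sqlite3 module with a constructed in-memory "users" table standing in for a CMS database, and shows the two ways a developer can turn a visitor's search input into a query: pasting the text into the SQL statement (the weak pattern that SQL injection abuses) and passing it as a bound parameter (the pattern a developer should use). The hostile input is a constructed, well-known test string, and the function and table names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny "users" table standing in for what a CMS stores.
# Only the username and role are returned by the searches below, so no password
# material is ever exposed even by the weak query.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password", "admin"),
    ("bob", "hash-of-bob-password", "editor"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_users_vulnerable(conn, term):
    """Weak pattern: the visitor's input becomes part of the SQL text itself.

    Whatever the visitor types is parsed by the database as SQL, so a quote
    character in the input changes the meaning of the statement.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + term
        + "' ORDER BY username"
    )
    return conn.execute(sql).fetchall()


def search_users_safe(conn, term):
    """Hardened pattern: the statement and the value travel separately.

    The database receives a fixed statement with a placeholder and binds the
    visitor's input as data, so the input is compared literally and is never
    parsed as SQL, no matter what characters it contains.
    """
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY username"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run both patterns against a normal and a hostile input and return the rows."""
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: closes the open quote and appends a condition
    # that is true for every row, so the weak query stops filtering at all.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": search_users_vulnerable(conn, normal),
        "vulnerable_hostile": search_users_vulnerable(conn, hostile),
        "safe_normal": search_users_safe(conn, normal),
        "safe_hostile": search_users_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the normal input both functions return the single matching row. With the hostile input the weak query returns every user in the table, because the database executed `... WHERE username = '' OR '1'='1'`, while the parameterized query returns nothing, because it looked for a user literally named `' OR '1'='1`. This is the distinction the paragraph above draws: the fix lives in how the developer's code builds queries, not in anything the hosting company controls, and the check a developer (or a code reviewer) should apply is that no user-supplied value is ever concatenated into SQL text.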
Continue to Part 2 on Prevention & Recovery.