Why and How Websites Are Hacked

From Security for Everyone, edition e1.0.0, updated October 9, 2023

Some attackers have automated scripts to run through the four steps above to set up malicious websites that host phishing pages or other scams. Technology providers have caught onto this, so they might protect you by blocking or warning you about visiting a website that was only just recently created and has no “online reputation.” It is like a game of cat and mouse—where business services are provided, attackers pop up to try and take advantage of it, and the security community reacts.

Some attackers get more creative. Why create their own domain and website when they could just use an existing one? And one way to get a website is stealing or hacking into yours (because asking nicely to use your website for crime probably won’t work).

This is another case where being “low-hanging fruit” on the internet tree bites us in the bum. Attackers will simply scan the internet for poorly secured websites to hide their bad stuff in. Have you ever been linked through to a phishing website, and noticed the URL looked odd? Perhaps it looked like a website that belonged to a small business, but it had a page that looked like a fake Microsoft login page. The website owners usually don’t notice because the page is buried in the website hosting panel, away from their site. There is also no link to it from the main website—someone would have to know the full URL path to see the page. It is like running a physical storefront, with criminals using the back door to run illegal operations. It might sound like we have been watching too many mafia movies, but these are real situations that happen.

You might think, what is the harm? So long as the attacker doesn’t destroy your website, why not let them co-exist? This isn’t a good strategy to follow, because once their pages get reported (which will happen), you are the one who feels the impact. It could damage your online reputation by:

  • getting your domain and website flagged as “bad” or “malicious” by search engines (like Google) and web browsers

  • difficulty with having customers visit your website or receive your emails due to your domain’s reputation

  • getting your website taken down by your hosting provider or your domain name released by your registrar.

I have spent a lot of time working with small businesses to help clean up their websites after an attack. It can be hard to undo the reputation damage and clean up the mess, and often takes much longer to clean up than it does to secure it in the first place. So consider it time well invested rather than damage control after.

After finding a poorly secured website, in addition to hosting phishing pages, attackers might opt instead to inject some of their own code into the website. For example, they could alter the checkout page of your website to steal copies of credit card details as they are entered. Alternatively, they could inject code that steals the entire transaction, preventing you from getting paid and the customer from receiving goods. It might not be obvious right away what has happened, but as weeks pass—and as you notice a decrease in sales, and your customers notice they haven’t received goods—you might be in for quite a lot of damage control and clean up.

Imagine if you had to go through the trouble of re-hosting or cleaning up your website, and repairing the damage caused by lost sales and data. Would your business persist? At the very least, these are all distractions from running your business, which might already be running lean on resources.
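Both abuses described above, a hidden page the owner never deployed and code injected into an existing page, leave traces in the files under the web root. The following is an added example, not code from the book: a baseline integrity check that hashes every file right after a clean deploy and later reports files that are new, changed, or missing. The shop files, directory names and the "injected" script in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(web_root):
    """Map each file under web_root (relative path) to its hash; run right after a clean deploy."""
    manifest = {}
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, web_root)] = sha256_file(full)
    return manifest

def check_web_root(web_root, manifest):
    """Compare the live web root with the manifest; returns (new, modified, missing) paths."""
    current = build_manifest(web_root)
    new = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return new, modified, missing

def demo():
    """Constructed scenario: a two-page shop is deployed, then tampered with."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shop"))
    for rel, body in {"index.html": "<h1>Shop</h1>", "shop/checkout.html": "<form></form>"}.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    baseline = build_manifest(root)  # what the owner would store after deploying
    # Simulated compromise (constructed): an unlinked page under an innocuous
    # directory name, plus a script tag appended to the checkout page.
    os.makedirs(os.path.join(root, "assets/login"))
    with open(os.path.join(root, "assets/login/index.html"), "w") as f:
        f.write("<h1>Sign in</h1>")
    with open(os.path.join(root, "shop/checkout.html"), "a") as f:
        f.write("<script>/* injected */</script>")
    return check_web_root(root, baseline)

if __name__ == "__main__":
    new, modified, missing = demo()
    print("new files (possible hidden pages):", new)
    print("modified files (possible injected code):", modified)
```

Store the manifest somewhere the web server account cannot write to, and treat any unexpected entry in the "new" or "modified" lists as something to investigate rather than ignore.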

Now that we understand what an attacker’s goals are with our website, we can understand and close the weaknesses and gaps they look for to prevent them from reaching their goal.

Common Website Vulnerabilities

How do attackers tend to get access to these low-hanging fruit websites? The answer usually falls into one of three categories:

  • Weak credentials for accessing the domain name registration website, website hosting provider, content management platform, or website server itself.

  • Unpatched website software.
