Hackers are almost never going after your site in particular. But that doesn’t mean you’re not at risk. If you’ve ever wondered whether you, as a small business owner, should really be concerned about protecting yourself from getting hacked, the answer is yes: you absolutely need to. You don’t need to attract the particular attention of an individual hacker or be a famous brand to be a target.
First, let’s cover why and how hackers attack your site. Then, I’ll share a real-life experience that happened to one small business who had a security problem, with no countermeasures in place, and how it impacted their business.
How do websites get hacked?
Often, hackers use automated tools to rapidly scan huge numbers of websites for known vulnerabilities. A vulnerability is a weak spot that lets them exploit your site or the resources of the server your site lives on.
The search is like trawling for fish with a net, not spearfishing. So you don’t have to be a big business or have a website that gets a lot of traffic in order to get caught.
Usually, this weak spot is a plugin that has a security vulnerability. Once the flaw is made public, the risk of your site being targeted skyrockets, because bad actors are likely searching at scale for any site with this plugin installed.
The original authors of the vulnerable software may release an update that fixes the problem right away. But you still need to install that update to protect your site! So if you don’t monitor your site and keep up with the latest security news, you might get hacked.
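Because the hijacks described here show up as your own pages sending visitors elsewhere, a site owner can catch them before readers do by fetching a few key URLs on a schedule and alerting when the final destination, or an injected meta refresh, points off-site. The script below is an added example, not code from the original post; the site name and the sample HTML are constructed for illustration.

```python
"""Check a page for redirects to hosts outside an allowlist (added example)."""
import re
import urllib.request
from urllib.parse import urlparse

# Matches an injected <meta http-equiv="refresh" content="0;url=..."> tag.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\' >]+)', re.I)

def host_of(url):
    """Lower-cased hostname of a URL, or '' for relative URLs."""
    return (urlparse(url).hostname or "").lower()

def is_allowed(url, allowed_hosts):
    """True if url is relative (same site) or its host is in/under allowed_hosts."""
    h = host_of(url)
    if not h:
        return True
    return any(h == a or h.endswith("." + a) for a in allowed_hosts)

def find_meta_refresh(html):
    """Return the target URL of the first meta-refresh tag, or None."""
    m = META_REFRESH.search(html)
    return m.group(1) if m else None

def analyse(start_url, final_url, html, allowed_hosts):
    """Return a list of findings for one fetched page (empty means clean)."""
    findings = []
    if not is_allowed(final_url, allowed_hosts):
        findings.append(f"HTTP redirect to off-site host {host_of(final_url)}")
    target = find_meta_refresh(html)
    if target and not is_allowed(target, allowed_hosts):
        findings.append(f"meta refresh to off-site host {host_of(target)}")
    return findings

def fetch(url, timeout=10):
    """Follow HTTP redirects and return (final_url, first 200 KB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "site-monitor/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read(200_000).decode("utf-8", "replace")

# Constructed sample: a page whose injected meta refresh sends readers off-site.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0;url=http://cheap-pills.example/landing"></head></html>')

if __name__ == "__main__":
    # Live use: final, body = fetch("https://myblog.example/")
    print(analyse("https://myblog.example/", "https://myblog.example/",
                  SAMPLE_HTML, ["myblog.example"]))
```

Run it from cron against your homepage and your most-linked posts; a non-empty result is the cue to pull any pending plugin updates and check the server for tampering.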
Why would hackers be targeting your website?
If your site is hacked, hackers can do things like deface your website, redirect your traffic to other websites (often foreign pharmaceutical sites), insert ads into your content, or even use your server resources as part of a “bot” network for their own purposes.
This is the “why” part of hacking websites. The motivation is usually money. By gaining control of your website, they can take visitors who meant to reach your site and send them somewhere else.
There are organized affiliate programs to drive traffic to spammy websites, generally for shady pharmaceuticals. An easy way for a hacker to make money is by getting as many websites as possible under their control so their traffic can be hijacked and sent to pharma sites. Meanwhile, the hacker is getting money for every click or a percentage of the sale if the hijacked visitor makes a purchase.
How it happens in real life
Here’s the story of a security vulnerability that I watched unfold in real time.
A security flaw was discovered in a plugin called Social Warfare, which was very popular with bloggers. The plugin adds social media integration and it had tens of thousands of active installations. The flaw allowed pages on the affected website to be redirected to other arbitrary web addresses. This type of vulnerability is often used to direct traffic from a hacked website to sketchy foreign pharmaceutical websites or other dubious sites.
A well-known (and, if you want the insider drama, a total crackpot) security researcher had published the details of exactly how this security vulnerability worked without giving any heads-up to the original author of the plugin. This was not the normal procedure for disclosing a vulnerability.
The normal way would be to contact the author of the plugin and let them know of the problem, allow them time to develop a patch, and once that patch was available, then publicize the vulnerability.
Instead, the security researcher had published a full proof of concept of the exploit, which amounted to a how-to for hacking any website that had this plugin installed. Again, at the time, there were about 70,000 active installations of this plugin. That’s 70,000 websites that were now sitting ducks for whichever ne’er-do-well could type fastest.
Obviously, many were outraged about this, and many sites were hacked as a result. In this particular case, the goal of the hackers who won this race seemed to be to “prank” site owners. Most hacks resulted in websites getting redirected to very obscene content, rather than redirecting to ads or pharma sites.
Within hours, the authors of the plugin in question had released a patch, but obviously that patch needed to be installed in order to protect anyone with this plugin installed. Most people don’t check their websites daily for plugin updates.
I was browsing the comments section of a security news article about this breaking story on a web security forum, as I often do in order to stay in the loop and keep my clients safe. I saw an exchange between an account that evidently belonged to the above-mentioned rogue security researcher crackpot who’d published the exploit and a random blogger whose site had fallen victim to the hack.
This poor blogger had sent out an email campaign to his entire list with a link back to his website, not knowing he had just been hacked. Hundreds of his readers clicked a link to his site, but were instead redirected... to pornography.
Immediately, the blogger lost trust and credibility, and many people unsubscribed. His mailing list was decimated. His only recourse was to send a follow-up email to the remaining subscribers, and to let readers know via the website, once it was restored, that the problem had been the result of hacking. But the damage was done.
All because of a bad plugin, a security expert who irresponsibly blabbed to the entire internet how to exploit the bad plugin, and a bunch of script kiddies (unskilled hackers) who took advantage of the situation.
The lesson is clear: any site can be a target, because attackers aren’t just after sites that get a lot of traffic or famous brands. Hacking can be a game of numbers. And the stakes are high. Make sure your site is protected!