Why does web software get hacked?


SecurityTrails Blog · Sep 25 · SecurityTrails team

Countless technologies, applications and protocols have emerged since the beginning of the Internet. Inevitably, many of them have been left behind – no longer supported and completely forgotten. But many remain valid, even since the early days, and are here to last. We’re talking about websites.

In the 90s, when the Internet saw a massive number of new websites, another phenomenon emerged at the same time: a massive amount of website hacking. Back then, and until the 2000s, web pages were coded by hand and the concept of a CMS had not yet become popular, yet hacks still occurred every day.

With the rise of CMS giants like WordPress, Joomla or Drupal, site hacking has become a common situation among webmasters and website owners alike.

According to the Internet Crime Complaint Center in their 2017 annual report, the FBI has received more than 4 million complaints since 2000. A lot of those complaints include hacked websites, causing more than $1.4 billion in damages.

Last year Google also published a report confirming that website hacking rose by 32% compared to the previous year.

As you can see, hacking is here to stay. That’s why today we’re answering two questions that everyone will ask sooner or later, when they’re burdened by this issue: Why would someone hack my website? And how was my website hacked?

Why would someone hack my website?

Let’s find out why someone would mess with your website – and hack it.

Bored people

These people are usually called script kiddies, and many of these hacking attempts come from teenagers who have nothing to do with their time. They’ll target random websites or scan for vulnerable websites with different “scripts” that do their dirty work.

Most of the time, these people don’t have a real knowledge of internet protocols, vulnerabilities or web technologies. They mainly rely on third-party tools to hack and deface websites.

Money

Anything can motivate website hacking, but one of the most popular reasons is to make money from it.

There are many bug bounty programs, also known as “vulnerability reward programs”, to choose from. These programs are ethical hacking initiatives that reward individuals for discovering and reporting software bugs to companies invested in keeping their systems and applications secure.

But malicious “crackers” (those who intentionally break into another’s computer system) act quite differently. They can hack your website, gain FTP or SSH access, and plant drive-by downloads that monetize your website traffic through large download networks.

These kinds of attacks tend to happen only on mid-size to high-traffic websites, where attackers can get a lot of money while the site is being hacked.

Sometimes crackers will use your public web space to upload phishing web pages. In this situation, the attacker will copy the entire website front-end interface from reputable banks, credit card providers or payment platforms like PayPal to create an exact replica of the original website.

The fake website is then relied on to cheat users, forcing them to provide actual personal account details including usernames, passwords, credit card numbers and bank account data.

Blackhat SEO is another money-driven motivation for crackers. This works by using your audience to redirect all or part of your website’s traffic into other e-commerce, gambling or pharmacy websites to generate income from an affiliate program.

Use of your system resources

After gaining access to your server space, crackers will try to upload malicious scripts that use your system resources and services for several illegal activities. These include:

  • Setting up a remote DDoS botnet.
  • Using your domain name to send outgoing SPAM campaigns.
  • Using the CPU power of your server for crypto-mining, also known as cryptojacking campaigns.

Hacktivism

Hacktivism is a form of online protest, an invasive way for people to claim their rights or support social, religious and political campaigns.

Instead of shouting and burning tires in the middle of the street, hacktivists will deface popular websites with enough traffic to gain media attention and spread their message.

10 reasons to explain how your website was hacked

Now that we’re familiar with the most popular hacking motivations, let’s explore how your website got hacked.

1. Weak passwords

Although infosec and general computer professionals always recommend strong passwords, users still pick very weak ones. This leads to successful brute-force attacks over FTP, webmail and public web login areas.


A strong password must be at least 8 characters long and include uppercase and lowercase letters, numbers, and symbols. This rule is very important to prevent malware infections and hacks.

2. A virus on your local network or PC

Sometimes your local computer gets infected with malware or a virus, which is often the first step toward your website being hacked or exploited in many different ways.

Many types of viruses can sniff your local network and external internet connections to capture login details from unencrypted protocols, such as FTP.

Also, most FTP clients (like FileZilla) save their login details (usernames and passwords) unencrypted on disk, from where third-party software can extract them very easily.

Once they get the host, username, and password, they’re ready to upload malicious code and exploit your web space.

To prevent your website from being hacked, always keep your antivirus and antimalware updated on your PC, as well as their database definitions.

3. Cracked software

Nulled software is another way hackers can get into your system. This type of software (e.g. paid scripts for WordPress, Joomla or other web apps) is downloaded from third-party websites that offer “nulled” versions (meaning the licensing module has been removed), often including some kind of backdoor that allows your website to be fully hacked.

Using pirated and cracked software downloaded from third-party, untrusted websites can be one of the worst things you can do if you want to prevent hacking on your websites.

Unfortunately, the perception of value often outweighs better judgment. Sometimes you’ll be tempted to download a full PC app, along with the crack, in order to avoid paying for it. You’ll save a lot of dollars for sure. But what most people don’t know is that a large part of “cracked” software contains keyloggers, network sniffers, trojans, backdoors and other types of malicious software that can cost you a lot more money later on.

A simple keylogger can log any of the pressed keys from the last 24 hours – and gain valuable login details from any websites you’ve visited during that time.

So remember, whether you use Windows or Mac, it’s always better to buy a license or monthly subscription rather than using pirated software.

Even better, if you decide to switch to Linux, you can get tons of great applications for free. They are open-source and officially released by the Linux community, assuring you they won’t contain any unwanted malicious software.

4. Excessive file and directory permissions

Most PHP-based CMSs and web apps require you to set write permissions on some directories and files.

If your web server is configured to use the DSO PHP handler, you will need to apply insecure 777 permissions wherever your web apps need write privileges. This is insecure by default – and against all security best practices – as it requires you to grant write permissions to everybody.

The DSO handler also makes your web server run websites and apps as the “nobody” user (Apache), which can lead to cross-site attacks across your server and mass defacements.

Dedicated servers, VPSs and cloud machines should always use suPHP, CGI or PHP-FPM by default, as they only require 644 to read and 755 to write. These are more secure than 777 because these handlers run the web processes under their own system users, instead of “nobody.”
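As an added example (my own code, not from the SecurityTrails post), a small Python audit that walks a web root and flags every file or directory writable by group or others, proposing the 644/755 modes recommended above; the `--fix` flag, the function names and the `/var/www/example` path are assumptions.

```python
import os
import stat
import sys

# Modes recommended above for suPHP/CGI/PHP-FPM setups: 644 for files, 755 for dirs
FILE_MODE = 0o644
DIR_MODE = 0o755


def classify(st_mode: int, is_dir: bool):
    """Return (finding, recommended_mode); finding is None when the bits are fine.
    Only group/other write bits are flagged, since 777-style modes are the problem."""
    perm = stat.S_IMODE(st_mode)
    recommended = DIR_MODE if is_dir else FILE_MODE
    if perm & stat.S_IWOTH:
        return "world-writable", recommended
    if perm & stat.S_IWGRP:
        return "group-writable", recommended
    return None, recommended


def audit(root: str, fix: bool = False) -> list:
    """Walk `root` and return [(path, finding, current_mode, recommended_mode)].
    With fix=True the offending paths are chmod'ed to the recommended mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            finding, recommended = classify(st.st_mode, is_dir)
            if finding is None:
                continue
            findings.append((path, finding, stat.S_IMODE(st.st_mode), recommended))
            if fix:
                os.chmod(path, recommended)
    return findings


if __name__ == "__main__":
    # Usage: python audit_perms.py /var/www/example [--fix]   (hypothetical path)
    web_root = sys.argv[1]
    for path, finding, cur, rec in audit(web_root, fix="--fix" in sys.argv):
        print(f"{path}: {finding} ({cur:o} -> {rec:o})")
```

Run it read-only first and review the list; directories that a CMS must write to (uploads, cache) should be owned by the handler's own user rather than opened to everybody.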

5. Using insecure protocols

FTP is one of the oldest protocols we know, once one of the most common ways to upload data to servers. It dates from the early 1970s, when it was created to transfer data between hosts and servers over the ARPANET.

While FTP does support SSL encryption (FTPS), most users who still rely on this protocol upload and download their data the old, insecure FTP way, which sends login details in plain text, without any encryption in the middle.

If an attacker starts sniffing your network, he can easily capture your login details if you’re using this insecure protocol. That’s why the best way to transfer data from a client to a remote host is FTPS with SSL encryption, or even better, a modern transfer protocol like SSH2.

6. Outdated website software

Most of the hacks we’ve seen in past years happen because website owners, webmasters and developers do not take responsibility for the apps installed on the web server. Most modern CMS malware and virus infections come from outdated plugins, themes and core components.

We all know setting up a WordPress website is easy. It’s fast and free for everyone who needs to create a good-looking website, but once the website is online, many owners totally forget about updating the software. This can lead to BlackHat SEO hacks, traffic redirects, outgoing spam, botnets and much more.

Some time ago we released a post about the Top 5 WordPress vulnerability scanners. Using any of the WP vulnerability scanners we listed will surely help you with great suggestions for detecting outdated installations, as well as for hardening your site properly.

Remember that nowadays most modern web apps like WordPress offer auto-update options which rarely break things and can secure your outdated software in mere seconds after patches are released by the software vendors.

7. Social engineering

While some people use OSINT tools to gain valuable data to hack you, others attack with something called “Social engineering.”

This type of intel-gathering technique is based on human social abilities, a way to manipulate individuals into releasing sensitive information like login details, passwords, or other personal information that may be useful for hacking private user areas or remote systems.

If someone has called you or sent you an email or chat request claiming to be your ISP, hosting or domain provider, asking for any personal information regarding your website, then you could be exposed to a social engineering attack.

No serious company will ever ask for your password over the phone, email, SMS or chat sessions. Be aware of this the next time your phone rings and they ask you for anything along those lines.

8. Weak server security

Not all website hacks can be traced to web app vulnerabilities, local virus infections or insecure protocols. Sometimes it’s not your fault, but the responsibility of the system administrators in charge of server security.

It’s not something that happens every day, but factors such as outdated server software (including essential OS libraries, packages and the Kernel), not using a good firewall and the lack of WAF or an intrusion detection system can lead to massive hacks on websites. Shortcomings like these can even invite a root compromise with the potential to expose all of your website files and databases to a remote attacker.

Make sure you choose a dependable system administrator or web hosting company that can ensure the OS hosting your websites is properly hardened and secured.

9. Not using Two-Factor Authentication

Two-factor authentication (aka 2FA) is an additional security layer to traditional password-based authentication.

In the old days before 2FA existed, the only thing an attacker needed to gain access to your user account was your password, obtained by social engineering, by exploiting a vulnerability in your code, or by running a brute-force attack.

2FA verifies that you really are the person accessing your private user area, by requesting a code generated remotely by SMS, Authy or Google Authenticator. This way, even if an attacker has your username and password, he is locked out, as he doesn’t have the final code in the authentication chain.

If you haven’t enabled 2FA on your email, web access and other areas, start using it now. It’s widely supported on almost all Internet services.

10. Data Leaks

Data leaks can affect any company or individual in the world. They happen when sensitive login information is stored in insecure ways, which can lead to public exposure.

Attackers use many different techniques to gain access to this data, whether by using Google dorks, exploiting vulnerabilities or exploiting the outdated systems of your hosting provider.

Always avoid spreading sensitive information on public URLs and services, secure and harden your login and password databases properly with encryption, and deliver the information needed only to your most trusted employees.

Don’t send it to temporary interns or untrusted people within your company. They’re another reason to activate the previously mentioned Two-Factor Authentication.

Final thoughts

While there are multiple reasons as to why your site may get hacked, most automated penetration attempts can be prevented easily – by following such security practices as using strong passwords, updating your software, and having a good WAF, IDS and attack mitigation system installed on the server that hosts your website.

However, modern hackers not only rely on automated attacks against your server, they also investigate and generate tons of intel and reconnaissance data about your hosts.

One of the most frequently-exposed services is the DNS server, which can yield a lot of information, like stale DNS records or private intranet records, made public by mistake.

The good news is that there is a great way to audit your DNS zones, IPs and domain names to prevent hacking issues: start using SecurityTrails.


And if you like our security toolkit, move one step forward in keeping you, your company and your customers safe from hackers. Join us and grab your free API account today!