When we talk to our clients about website security, it is rare for the conversation to drift into the realms of who is actually doing the physical attack or why “smaller” companies, with no obvious benefits to the attacker, are hacked. What tends to be more of a priority is how we can assist in securing them from future attacks and the associated cost of implementing a robust support package. Interestingly though, understanding the “who” is attacking and the “why” they do it can help companies come to terms with the very real threat to their key customer communication platform and prepare them to secure their site accordingly.

As part of Createful’s client team I am fortunate to spend a lot of my time talking with marketing teams about their digital strategy and how they plan to deploy various online tools to assist them meet their key business objectives. In these conversations a significant amount of time is spent on detailing the positive growth plans these digital tools can deliver for their company, eventually however the “hacking” word will raise its head forcing a degree of reality and pragmatism to dominate proceedings.

HOW DO THEY CHOOSE A TARGET?

Firstly it is important to note that it is rare for the hack of a company’s website to be personal. More than likely it has been an automated attack, similar to one that has affected many other similar sites with the same security weakness. It is not to say that these attacks are never manual, but it is more than likely that a hacker has, in the first instance, deployed a specific attack script against sites being powered by open source systems such as WordPress or Joomla. Imagine a legion of would-be burglars operating in multiple neighbourhoods, scoping each and every 3-bedroom house with a ground floor bathroom window off the latch. Taking that analogy, now ask yourself how up to date is that plugin you installed ages ago and no longer use?

Once a company’s site has been identified as exploitable it will continue to be targeted over the coming days and months. This is not a singular targeting but more a continual scanning of your site in the search for changes or updates that could allow an entry.

Outlined in an article by the Guardian – “Hackers prey on the knowledge that small businesses tend to have lower defences than larger organisations, usually due to lack of financial and human resources. By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets.”

WHO ARE THEY?

So if it is not a personal attack, who is this faceless nemesis pulling the strings? By researching various tech websites you can find a plethora of information and interviews on who the hackers are, their background, how they communicate with each other on the dark web and most worryingly, how easy it is for anyone with a basic level of programming experience to become a hacker. This particular type of hacker is categorised as a “wannabe” or a “lamer” owing to their reliance on hacker toolkits downloaded from basic online searches.

What comes across time and again in the interviews with “ethical hackers,” is that they first entered the hacking arena as a “wannabe,” hacking for fun, but many have quickly chosen to monetise their skills from their chosen profession. Several of the hackers aspire to retiring in 3 years after having made significant wealth from their particular skillset.

WHAT DO THEY WANT?

Most hackers when they gain access to a system will be on the hunt for user-names, passwords or emails. Simply put, they try to look for personal data that no one should have access to except the owner. This individual data can be bundled and sold in bulk either in full public view on the internet, or outside of prying eyes on the dark web. Whilst the deal values don’t appear to be huge (£100 per each 100k data sets) the volumes of data available to the hackers (in the billions) and the opportunity to resell the same sets mean that revenues of £20k per month are not an uncommon figure for the hackers to be reporting in their interviews (naturally this number is unsubstantiated).

The cast of the 1995 movie ‘Hackers’. Real hackers are not quite as easy to pick out of a crowd.

WHY?

But what is the stolen data actually used for? Why does it command any value? Well, the main use is for spamming by directing unsuspecting traffic to pages that generate affiliate revenue. This instance of hackers abusing your audience can take place directly on your website. Once the attacker has injected links (visible or otherwise) to other sites which get picked up by the major search engines, this earns the hacker more affiliate revenue (commonly known as Black hat SEO hacking). It can also be used as the pathway for more manual attacks, whereby the passwords of individuals obtained from one platform can be used on other sites to target that particular person in cases of identity theft.

A recent survey by business internet service provider Beaming revealed that “One in eight companies admitted that their IT infrastructure had been damaged by malware in the past 12 months, costing an average of £10,516 in time and money spent managing each incident.”

WHAT TRENDS ARE EMERGING?

As technology continues to progress at an exponentially faster rate than we can understand, the more connected digital devices become susceptible to attack. Hackers are clearly relishing the emergence of the Internet of Things (IoT) as it is that which is fuelling the hackers desire to build more and more botnets. The major problem with IoT devices is not their vulnerability but the poor authentication.

The hacking world has clearly changed dramatically over the last 30 years and with new technology increasing risk, it’s even more important to protect yourself.

You can take a few simple steps to help deter hackers: changing your password regularly, making sure to use secure passwords. It is vital to install antivirus and malware software on all your company devices, and to make updates regularly to all software and devices, which may contain important security updates.

To protect your website fully is a much bigger task. If you want more information on the topic get in touch with us at Createful, where we would be happy to discuss further.