Caution! Hacked Website = Revenue Destruction and Expense Nightmare

What You Need to Know about Google and Prevention

You don’t have to sell anything to be attractive to hackers. Just have a website.

When hackers send out their automated attacks, they’re rarely looking for your site deliberately. They’re just crawling the web for vulnerable sites. If yours happens to be caught in the net they cast, they’re going to hack it. Automation is the norm in hacking strategies.

The primary goal is to capture personal information as easily as possible. As Tony Perez of Sucuri puts it, “The benefits of these automated attacks… provide the attacker: Mass exposure, reduced overhead, tools for everyone regardless of skill, [and] dramatically increased odds of success.”

Your website is constantly at risk. Attacks begin with automated reconnaissance. Once a vulnerable website is identified, exploitation becomes the next step with the hacker potentially moving from automation to deliberate manual strategies to keep your website vulnerable.

Have You Evaluated the Risk to Your Business?

Your customer’s money—it’s one stimulus behind these illegal activities. If the hacker can capture credit card information (or even better, checking account information), your website becomes the vehicle for fraudulent transactions across the web.

However, that’s not where it stops. Email is a key target, warns Dan Ilett on ComputerWeekly.com. “Security companies have also started to find that a higher proportion of intercepted attacks are targeted attacks. E-mail security firm MessageLabs has seen a sharp rise in messages sent directly to senior management, addressed with names and job titles.” What are they looking for? Everything from company secrets to personal financial data.

If your website uses advertising for income, you could see ad revenues drop. One US hacker was convicted after he was caught hijacking 400,000 computers so they displayed his ads. His reward was a commission on every sale the ads generated. Renting his botnet and installing adware earned €120,000. Some might say that isn’t much; however, he was only 20.

That perpetrator may have spent time in prison. That’s no reason for renewed confidence that your business is too small to interest criminals. The truth is smaller businesses are “enticing targets” according to Dan Tynan, “because they handle a lot of sensitive information, like credit card numbers… And because they lack the resources of large enterprises, their security is often paper thin.” Your small business is a target specifically because cyber crooks are betting that your security is easier to penetrate.

It’s even possible your website could be the tool used to hijack and network computers together for criminal use. Once a website is hacked it can infect any computer that connects to it. Yes, that includes your business computers.

If these risks don’t sound frightening enough, consider Rorschach Electronics (name changed to get the story). In “Warning: Your small business may have already been hacked,” Dan Tynan tells how Rorschach found itself facing a $100K fine from its payment processing company for failing to identify a security breach. Even if they win their appeal, they have hefty attorney’s fees to pay.

Will You Wait for Google to Issue the First Warning?

Damage has already been done when you receive an email from Google telling you something like this (emphasis ours):

Dear site owner or webmaster of [your domain],

While we were indexing your webpages, we detected that some of your pages were using techniques that were outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. In order to preserve the quality of our search engine, we have temporarily removed some webpages from our search results. Currently pages from [your domain] are scheduled to be removed for at least 60 days.

Specifically, we detected the following practices on your webpages:

Google then goes on to tell you what they discovered on your website. This could include:

  • Hidden text that can redirect visitors to unsavory websites or to malware that infects computers and mobile devices
  • Pop-ups that trick users into making unintentional purchases
  • Key-logging code that steals confidential information such as login, bank info, social security numbers, etc.
  • And more.

If Google is the first to find it, your website is slapped with a black-list message. Prompt action is essential if you don’t want your website removed from action for two months.

Google tells you:

We would prefer to have your pages in Google’s index. If you wish to be reincluded, please correct or remove all pages that are outside our quality guidelines. When you are ready, please visit:

https://www.google.com/webmasters/sitemaps/reinclusion?hl=en

to learn more and request a reinclusion request.

Google makes it clear. It’s your responsibility to ensure your site isn’t spammy. If it becomes a threat to visitors, Google will block access. It’s another way you take a hit on revenue.

Are You Doing What You Can to Reduce Your Risk?

Google has decent instructions in its Help for Hacked Sites in the Webmaster Tools section on what to do if you’ve been hacked. However, your best strategy is to prevent infiltration. Take these steps regularly to evaluate or maintain the health of your website.

1. Do you update your CMS frequently?

WordPress, Joomla, Drupal and Ruby on Rails are just four of the popular CMS options. Because hackers are constantly looking for vulnerabilities, a reputable CMS solution issues regular updates. Back up your website and install the updates immediately.

2. Do you check for plugin and extension updates?

Many of the CMS options allow you to increase functionality by adding ‘plugins’ or ‘extensions.’ Keep these up-to-date. If you deactivate a plugin, remove it. Inactive plugins or extensions may still be used to infiltrate your website and execute damage.

It’s best to download from the official site for your CMS. However, Google can serve as an additional tool.

  • Do a Domain search, placing the plugin’s domain name in quotes.
  • Use name search + malware or spyware.
  • Run a vulnerability search, searching for the plugin by name + the word “vulnerability.”

Watch for malicious activity claims. If a plugin has a reported vulnerability on its record, explore how quickly the vendor fixed it. If they took quick action, it’s a sign the vendor is responsible.

Avoid installing any plugin that hasn’t been updated within the last six months. If the CMS tells you it hasn’t been tested with your current version, the plugin might work, yet could become a liability.

Plugin authors often abandon their creations for a variety of reasons—moved on to a new job, graduated, didn’t receive enough donations. Perform an audit on your CMS every quarter to ensure you don’t have any abandoned plugins.

3. Are all ‘themes’ available current?

It’s typical for multiple themes to be available for managing the front-end viewing experience of your users. One will be active, while at least one additional theme may be needed as a fallback if your primary theme ‘breaks.’ Not only should your active theme use the newest version, the inactive ones should be as well. An old theme may contain vulnerable code.

When an update is released, back your website up, and then update any theme installed on the domain to close the vulnerability.
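
The quarterly audit described in steps 2 and 3 can be scripted. The sketch below is an added example, not code from the article or from any CMS; the inventory, its field names and the version numbers are constructed, and a real audit would fill them from the CMS's own plugin and theme listing.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=183)   # the article's six-month threshold

def _major_minor(version):
    """'6.5.3' -> (6, 5); compatibility is judged on the release branch."""
    parts = [int(p) for p in version.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def audit(components, cms_version, today):
    """Return {name: [findings]} for each plugin or theme that needs action."""
    report = {}
    for c in components:
        findings = []
        # Deactivated plugins are still on disk and still reachable.
        if c["kind"] == "plugin" and not c["active"]:
            findings.append("inactive plugin: remove it")
        # Applies to inactive fallback themes as much as to the active one.
        if c["installed"] != c["latest"]:
            findings.append("update available: back up, then update")
        if today - c["last_release"] > STALE_AFTER:
            findings.append("no release in six months: possibly abandoned")
        if _major_minor(c["tested_up_to"]) < _major_minor(cms_version):
            findings.append("not tested with current CMS version")
        if findings:
            report[c["name"]] = findings
    return report

# Constructed inventory (hypothetical names, versions and dates).
INVENTORY = [
    {"name": "contact-form", "kind": "plugin", "active": True,
     "installed": "2.1.0", "latest": "2.1.0",
     "last_release": date(2024, 5, 1), "tested_up_to": "6.5"},
    {"name": "old-slider", "kind": "plugin", "active": False,
     "installed": "1.0.3", "latest": "1.0.3",
     "last_release": date(2022, 11, 20), "tested_up_to": "6.1"},
    {"name": "fallback-theme", "kind": "theme", "active": False,
     "installed": "3.2", "latest": "3.4",
     "last_release": date(2024, 4, 10), "tested_up_to": "6.5"},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, "6.5.3", date(2024, 6, 15)).items():
        print(name, "->", "; ".join(findings))
```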

4. Delete “Admin” as a login option and use strong passwords.

If someone plans to hack into your site, their first guess is going to be that there is a user named Admin. It’s the default on WordPress and Joomla. This vulnerability invites brute force attacks—the primary means hackers use to breach your website defenses.

Their next strategy will be to try to guess the password using automated software. Using “Password” equals insanity. If you give membership access to your website, never use “password” for the initial account setup. All it takes is one person to forget to change their password, and you have a vulnerable site.

From the moment of install, choose usernames that are difficult to guess and passwords that use a combination of caps, lowercase, numbers and the symbols above the numbers on your keyboard.

Emails could be collected from your contact or about page, so don’t use them as login IDs. And don’t allow members to use their emails either. Keep this information hidden in their account information.

In addition, don’t use names without some system to create difficulty for the hacker.

  • Make the password at least 10 characters long.
  • Add numbers and/or symbols between syllables.
  • Use a middle name and wrap it around the last name.
  • Add letters or symbols that only the user attaches meaning to.
  • Reverse the order of part of the name.

Scanning for author names on a blog is a common way to guess at usernames!

5. Consider adding another layer of authentication.

Require all IPs to register with the system before usernames and passwords can access your website’s backend. Registration can include a number of security protocols, including cellphone or email authentication.

6. Limit login attempts.

You can suspend brute force attacks by locking users out for entering invalid user names and/or passwords too many times. Also, look into security that blocks any IP that tries to sign in with more than one username.
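
Both controls in step 6, account lockout and blocking an IP that cycles through usernames, are sketched below as an added example (not code from the article or from any CMS plugin). The thresholds, the class and function names and the event list are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5           # assumed: failures per account before lockout
WINDOW = 15 * 60           # assumed: seconds over which failures are counted
LOCKOUT = 30 * 60          # assumed: seconds an account stays locked
MAX_USERNAMES_PER_IP = 1   # from the article: more than one username blocks the IP

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)    # username -> recent failure times
        self.locked_until = {}                # username -> unlock time
        self.names_by_ip = defaultdict(set)   # ip -> usernames it failed with
        self.blocked_ips = set()

    def check(self, ip, username, now):
        """Call before verifying the password."""
        if ip in self.blocked_ips:
            return "blocked_ip"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        return "allow"

    def record(self, ip, username, ok, now):
        """Call with the outcome of an attempt that check() allowed."""
        if ok:
            self.failures.pop(username, None)
            return
        # Only failed usernames count, so an office sharing one IP is not
        # blocked just because several staff log in successfully.
        self.names_by_ip[ip].add(username)
        if len(self.names_by_ip[ip]) > MAX_USERNAMES_PER_IP:
            self.blocked_ips.add(ip)
        recent = self.failures[username]
        recent.append(now)
        while now - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT
            recent.clear()

def replay(events):
    """Run events through a fresh guard and return the verdict for each."""
    guard, verdicts = LoginGuard(), []
    for now, ip, user, ok in events:
        verdict = guard.check(ip, user, now)
        if verdict == "allow":
            guard.record(ip, user, ok, now)
        verdicts.append(verdict)
    return verdicts

# Constructed events: (seconds, ip, username, password_ok).
EVENTS = [(t, "203.0.113.7", "admin", False) for t in (0, 10, 20, 30, 40, 60)] + [
    (70, "203.0.113.9", "alice", False), (80, "203.0.113.9", "bob", False),
    (90, "203.0.113.9", "carol", False), (100, "198.51.100.4", "admin", True)]
```

The last event shows the cost of lockout: a correct password from a different address is still refused while the account is locked, so the lockout period should be short enough that the real owner is not shut out for long.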

7. Keep all computers that access the website up-to-date.

Infected web browsers can infect a website. Keep browsers and their plugins current. When Adobe asks you to update one of its apps, such as Flash or Adobe Reader, do so after checking to be sure the request is coming from Adobe, not a malware install in your browser.

Summary

Remember, almost all attacks against your website are automated. Thus, do anything you can to interrupt automation’s effectiveness. Eliminate vulnerabilities. Update promptly. Act quickly if Google spots something you’ve missed.

If you’re proactive, you reduce your risk and protect your profits. If you need help securing your company website please contact us today with questions or concerns using the button below.


Sources: sucuri.net / computerweekly.com / aabacosmallbusiness.com / wordfence.com