Really, really love this post by Alycia Mitchell at Sucuri. All-Tech Global has long used the services of Sucuri and highly recommends them! If interested, please sign up using our affiliate link by clicking here.
If you want to keep your website safe, it is important to understand the terminology used to describe the causes and effects of hacks. Software vulnerabilities and access control issues are two of the main causes of website infections, and in this post we will define some of the terminology used to describe them. We will also discuss some of the effects of having a hacked website in order to give you a well rounded understanding of both the symptoms and the consequences.
Effects: Terminology Associated with Impacts of a Hack
First we’ll explain a few key terms used to describe the outward signs of being hacked, as well as the impact they have on your visitors.
1. Blacklisting
When a website is blacklisted, a red warning page stops visitors to your website, or your search results might show a text warning. This happens whenever Google detects malware on your site. Requesting a review to remove the blacklist from your website can take 24 hours, and it can only happen after you’ve cleaned up the problem. One of our own team members has written about the experience of being blacklisted. Not only is the loss of traffic devastating, but there is a risk that visitors will not want to return after seeing that your website has been compromised.
Google shares their blacklist data with Twitter, other search engines, and desktop antivirus programs. Some of these authorities run their own blacklists too. Many website security services leverage Google’s SafeBrowsing API to scan links for malware and it is just one of the ten major authorities that we include in our SiteCheck results.
2. Spam
There are numerous ways hackers can use your website to distribute spam. A file known as a “mailer” could be hidden on your website, sending emails from your domain. You might get a blackhat SEO infection that adds links and spammy keywords to your posts, advertising things like viagra, gambling, and discount fashions.
Spam can be sneaky. It can be configured to show itself only under certain conditions, like on mobile browsers. One of the most interesting conditions, however, is to only show the spam to Googlebot. This means your search results – the Title and Description – are filled with spam.
3. Malicious Redirects
When a website is hacked, the attacker can force all your visitors to go to another webpage. Unlike blacklisting, there is no warning telling your user that the website might be hacked. Similar to spam, redirects can be served conditionally to specific browsers or locations. Redirects are often used maliciously to steal traffic and attempt to gain search engine rankings, such as with the recent Bitcoin redirects we discovered.
4. Drive-by Downloads
Common hacks don’t usually target websites specifically, but the risk to your website involves the exploitation of your server resources or your visitors. One of the worst experiences for your visitors is to get a virus on their computer after they go to your website. Drive-by downloads install malicious programs on your visitors’ computers simply because they viewed your page and the malicious code the hackers left on it. This can lead to your visitors and customers suffering identity theft or having ransomware installed on their computers. These drive-by downloads are malicious programs intended to harm your customers or enslave their computers for further malicious activity.
5. Data Exfiltration
Data exfiltration is the unauthorized removal of information from your web application. The various data breaches organizations have faced in recent years are examples of data exfiltration. The attacker is set on stealing the information your web application is storing. This is of particular concern to web applications supporting E-Commerce, in which the application processes credit card transactions and / or stores other Personally Identifiable Information (PII) for its customers.
6. Phishing
Phishing is on the rise. It is the process in which an attacker looks to confuse the end user into sharing their sensitive information. These attacks often come in the form of emails, but can also be found in social media. While this is an attack on the end user, it’s a payload the attacker injects on web servers once they have access to the environment. What’s most devastating about these payloads is that they are difficult to detect, and most website owners do not realize their web server is being used to trick end users they’ve never met into sharing their sensitive information.
Phishing attacks on end users are highly effective, and the attackers’ use of otherwise benign web servers to do the heavy lifting is very problematic for website owners.
Causes: Terminology Associated With Website Attacks
The more you know about the ways an attacker can get into your website, the better you will be able to arm yourself against the odds. The following descriptions will help you understand specific attack vectors. We recommend leveraging our Website Application Firewall (WAF) to protect against the attack vectors described below.
1. Vulnerability Exploitation
There are various attack vectors an attacker can try to exploit when trying to abuse your website. One category of attack vectors comes in the form of Software Vulnerabilities. Software vulnerabilities are flaws in the code of an application that leave it susceptible to abuse.
The list is long when it comes to vulnerabilities, but below we’ll list out some of the more common ones your web applications might be facing.
a. Remote and Local File Inclusion
Remote File Inclusion vulnerabilities abuse a feature of programming languages that lets a developer include code from other files, specifically the “dynamic file include” mechanism. The vulnerability turns this mechanism against the application by letting the attacker include their own files, hosted on their web servers or on other compromised web servers. Local File Inclusion vulnerabilities are similar in concept, but they require the included file to already be on the web server. With LFI vulnerabilities, the attacker still needs to get the file onto the web server first.
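An added example (not code from the original post) of the dynamic-include pattern the text describes, in its vulnerable and hardened forms; the directory layout, file names and `page` parameter are constructed for the example:

```python
"""Added example (not from the original post): a user-controlled "page"
parameter handled the vulnerable way and the hardened way.
Directory and file names below are constructed for this example."""
import os
import tempfile

# Constructed sandbox: a templates directory holding one legitimate page,
# plus a file outside it that must never be served through the include.
ROOT = tempfile.mkdtemp()
TEMPLATES = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATES)
with open(os.path.join(TEMPLATES, "about.html"), "w") as fh:
    fh.write("<h1>About</h1>")
with open(os.path.join(ROOT, "admin.html"), "w") as fh:
    fh.write("<h1>Admin only</h1>")


def vulnerable_include(page: str) -> str:
    """Dynamic include the way the text describes: path built from raw input.

    Nothing stops the value from containing '../' and walking out of the
    templates directory, which is exactly the Local File Inclusion flaw.
    """
    with open(os.path.join(TEMPLATES, page)) as fh:
        return fh.read()


def safe_include(page: str) -> str:
    """Hardened include: allowlist the extension, canonicalise the path,
    then check the real path still lives under the templates directory."""
    if not page.endswith(".html"):
        raise PermissionError("only .html pages can be included")
    base = os.path.realpath(TEMPLATES)
    real = os.path.realpath(os.path.join(base, page))
    # realpath() resolves '..' and symlinks; commonpath() proves containment.
    if os.path.commonpath([real, base]) != base:
        raise PermissionError("page path escapes the templates directory")
    with open(real) as fh:
        return fh.read()
```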
b. Privilege Escalation
This kind of software vulnerability allows an attacker to gain elevated access to your website – including gaining the ability to take over administrator accounts or change permissions on files that allow the attacker to cause further damage.
c. SQL Injection
Structured Query Language (SQL) Injection (SQLi) vulnerabilities are very common and dangerous software vulnerabilities. They are flaws in code that allow the attacker to insert arbitrary SQL queries via input forms from the client (the browser) to the backend database. These input forms can be found in features like search boxes, form fields, and URL parameters.
In certain scenarios, the attacker can download the content of your database, inject spam, destroy your website, and take a wide range of other nefarious actions. All the posts, pages, comments, users and everything else that organizes a CMS is in the database. We explain more about SQL injection attacks and offer examples in the linked article.
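An added example (not code from the original post) of the flaw just described: a login lookup that concatenates form input into the SQL text, beside the parameterized query that fixes it. The user table, its rows and the function names are constructed for the example:

```python
"""Added example (not from the original post): a login lookup built by string
concatenation, beside the parameterized query that fixes it. The user table
and its rows are constructed; passwords are kept in plaintext only to keep
the example short (hash them in real code)."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                 [("admin", "correct-horse"), ("alice", "battery-staple")])
conn.commit()


def login_vulnerable(name: str, password: str) -> bool:
    """Form input is pasted straight into the SQL text (the flaw the text describes).

    A name that closes the quoted string early and starts an SQL comment makes
    the database ignore the rest of the WHERE clause, so the row comes back
    without the password ever being compared.
    """
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(name: str, password: str) -> bool:
    """Parameterized query: the driver binds input as data, so it is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None
```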
d. Cross Site Scripting
Cross Site Scripting (XSS) software vulnerabilities are perhaps the most common vulnerabilities you find when working with web applications. They come in a wide range of flavors, from stored to reflected to DOM-Based, each with a different impact and severity. This vulnerability depends on the attacker being able to send malicious code to unsuspecting end users when they visit a website. This is facilitated through browser-based scripts, which are executed when the visitor’s browser renders the page.
An XSS vulnerability can be leveraged for all kinds of things, from distributing malware to hijacking or stealing session information. It’s made possible by improper validation / sanitization within the web application.
e. Remote Code Execution
Remote Code Execution (RCE) software vulnerabilities sit at the top of the hill when it comes to scary attack vectors. This vulnerability happens when a flaw in the code allows an attacker to pass commands, often via the file and stream functions, that the web application / web server then processes. It’s the ability to take control of an environment without having access to the environment, which is a very dangerous proposition.
2. Distributed Denial of Service
Distributed Denial of Service (DDoS) attacks are attacks in which the malicious person is looking to disrupt the availability of your website. They bombard the web application / web server with data, making it unusable for legitimate requests as it tries to manage and account for the overwhelming load. There is only so much traffic that your website can handle before it becomes slow and then stops being responsive.
If an attacker wants to deny legitimate visitors access to your website, the hacker can flood your site with so many fake visits that your web server won’t be able to serve any requests. In addition to disrupting access to your website, a Distributed Denial of Service attack can get your website suspended by your host for abuse of resources. We have analyzed some advanced DDoS attacks that use multiple infected websites as slaves to send even more requests to bigger targets.
3. Brute Force
Brute Force attacks focus on abusing your access control mechanisms (i.e., how you log into your web application). This is when the attacker tries to break into your web application by overwhelming the entry point with every possible username / password combination available. Brute force attacks are incredibly common, regardless of the size of your website or the number of visitors.
If an attacker can break into a user account with sufficient privileges, they can edit all of your website files, inject any of the malicious payloads described above, or take a wide range of other nefarious actions.
Good passwords are a big part of the solution, but far from the only thing you can consider in your defense. Attackers are always finding new ways to brute force login pages more efficiently, so you want to protect your authentication with as many layers of security as you can handle.
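One of the extra layers the text recommends is watching the login page for bursts of failed attempts. As an added example (not code from the original post), the following flags brute-force sources in a web server access log and notes whether the source later got in; the log lines are constructed, and the threshold, window and the assumption that a 302 on the login POST means success are this example’s own:

```python
"""Added example (not from the original post): flag brute-force login bursts in
a web server access log and note whether the source later got in. Log lines are
constructed; threshold, window and the 302-means-success rule are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt: 203.0.113.7 fails five times in three seconds and then
# receives a redirect; 198.51.100.2 fails once and logs in five minutes later.
LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.2 - - [10/Mar/2016:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def login_events(log, login_path="/wp-login.php"):
    """Yield (ip, timestamp, succeeded) for every POST to the login page.
    Assumption: a failed login re-shows the form (200), success redirects (302)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4) == login_path:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(5) == "302"


def brute_force_sources(log, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: got_in} for IPs with >= threshold failures inside any sliding
    window; got_in is True when a success followed the burst (investigate!)."""
    by_ip = defaultdict(list)
    for ip, ts, ok in login_events(log):
        by_ip[ip].append((ts, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [ts for ts, ok in events if not ok]
        start = 0
        for end, t in enumerate(fails):
            while t - fails[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = any(ok and ts >= t for ts, ok in events)
                break
    return flagged
```

A flagged IP whose `got_in` value is True is the case to act on first: the burst was followed by a successful login, so the account it used should be treated as compromised.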
I hope this list helps clear up some of the terminology we use in our disclosures and discussions about website security risks. This is not an exhaustive list, but it is meant to get you started with an understanding of the complexity involved in website hacks. In order to keep it simple, we have only spent a few sentences describing each cause and effect. However, each of these concepts runs much deeper than that, as you will notice if you follow this blog with these concepts in mind.
Remain vigilant and take the most secure path possible!
About Alycia Mitchell
Alycia is the Senior Growth Hacker at Sucuri and she’s passionate about teaching cyber security and best practices. Some of her interests include open-source projects, malware, and DIY publishing. She loves nature and the wilderness, which she thinks is actually a lot like the Internet. Follow her on Twitter at @artdecotech.