How much is your website worth on the Black Market?
Web applications are becoming a vital part of our everyday life. Technologies migrate to the web because it is one of the simplest, most efficient and most compatible platforms for delivering any type of content. Almost any application has a web interface or a web API. Microsoft and Google are moving their flagship products to the cloud, accessible and manageable via web interfaces. Even mobile applications talk to web back-ends to send and receive data. Almost any database in the world is connected to a web interface or web application.
However, global “webization” has many hidden threats that companies and individuals do not yet realize. People seriously underestimate how attractive and valuable their websites are to hackers.
In this blog post we will try to explain why hackers are targeting your website, and how they can make money on it.
Rule #1: any compromised website can generate profit for cybercriminals
Any website, regardless of its size, geographical location or the type of business it belongs to, can bring money to cybercriminals. Hacking is a business, and business is about efficiency.
The Black Market follows the fundamental law of economics: spend less and get more. Hackers can sell access to a high-profile website for about $1,000, while a small website will probably bring them just about $1.
(Image: one of the public forums offering access to compromised websites)
However, it is usually much faster, easier and cheaper to compromise 1,000 small websites than one high-profile website. This is why hackers crawl the Web for vulnerable websites without rest.
Rule #2: your website is just an item on the Black Market, regardless of who you are or what you do
Your website is just an item with a price tag on the Black Market. Not because hackers care about you or your business, but because your website can be sold for various types of illegal activity, or used in chained attacks against other users and companies.
(Image: even a small website may have great value in chained attacks)
First of all, let’s see how hackers find out that your website exists (assuming it is a small or private website). Cybercriminals run bots that crawl the Web 24/7/365 looking for vulnerable websites. These crawlers are usually designed to do two things: compromise a website, and log technical information about it.
Compromises are usually performed via publicly known vulnerabilities in popular CMSs, zero-days in plugins and third-party CMS components, or simply default or weak passwords. If you are running a vulnerable version of Joomla, WordPress or any other popular CMS, your website will be compromised with little effort and prepared for sale.
If nothing exploitable is found, the crawler logs all the technical information it can gather about your website (CMS name and version, admin panel location, installed plugins and their versions, etc.) and stores it in a database. Cyber gangs maintain large archives of such information, so as soon as a vulnerability in your CMS or one of its plugins is publicly disclosed, they do not need to re-crawl the entire Web to find the websites affected by that particular flaw: they simply query the archive.
So don’t be surprised when Drupal announces that any site not patched within hours of an advisory should be considered compromised, as it did in October 2014 for the SQL injection flaw in Drupal 7 (SA-CORE-2014-005).
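To make the “log now, exploit later” workflow concrete, here is an added example (not code from the original post or from High-Tech Bridge) of the kind of passive fingerprinting a crawler performs on a fetched HTML page, and of the query that turns a stored inventory into a target list the moment an advisory appears. The same inventory is exactly what a defender should keep of their own estate. The sample pages, hostnames, plugin slugs (example-forms, example-gallery) and the “fixed in 2.1.0” advisory are constructed for this example; the regexes only cover the most common WordPress markup plus the generator meta tag, which some Joomla sites leave without a version number.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Signals that leak from a stock CMS install: the generator meta tag, and asset URLs
# that carry plugin/theme slugs plus a cache-busting ?ver= parameter.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([a-z0-9_-]+)/[^\"'\s]*?\?ver=([0-9][0-9.]*)", re.I)
THEME_RE = re.compile(r"/wp-content/themes/([a-z0-9_-]+)/", re.I)


@dataclass
class SiteRecord:
    """One row of the archive a crawler (or a defender) keeps per host."""
    host: str
    cms: str = "unknown"
    cms_version: str = ""
    plugins: Dict[str, str] = field(default_factory=dict)   # slug -> version seen
    themes: List[str] = field(default_factory=list)


def fingerprint(host: str, html: str) -> SiteRecord:
    """Passive fingerprint from a single page body; no extra requests are made."""
    rec = SiteRecord(host=host)
    m = GENERATOR_RE.search(html)
    if m:
        generator = m.group(1)
        rec.cms = generator.split()[0].rstrip("!")           # "WordPress 4.7.2" -> WordPress, "Joomla! - ..." -> Joomla
        v = VERSION_RE.search(generator)
        rec.cms_version = v.group(0) if v else ""            # Joomla's tag carries no version
    for slug, ver in PLUGIN_RE.findall(html):
        rec.plugins.setdefault(slug.lower(), ver)            # keep the first version string seen
    for theme in THEME_RE.findall(html):
        if theme.lower() not in rec.themes:
            rec.themes.append(theme.lower())
    if rec.cms == "unknown" and (rec.plugins or rec.themes):
        rec.cms = "WordPress"                                # generator tag removed, but asset paths still tell
    return rec


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split(".") if x.isdigit())


def affected_by(inventory: List[SiteRecord], plugin: str, fixed_in: str) -> List[str]:
    """The post-advisory query: hosts whose recorded version of `plugin` is older than `fixed_in`."""
    fixed = version_tuple(fixed_in)
    return sorted(r.host for r in inventory
                  if plugin in r.plugins and version_tuple(r.plugins[plugin]) < fixed)


# Constructed sample pages standing in for crawled HTML.
SAMPLE_PAGES = {
    "shop.example": """<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/example-forms/css/styles.css?ver=1.4.2" />
<script src="https://shop.example/wp-content/plugins/example-gallery/js/slider.min.js?ver=2.0.3"></script>
<link rel="stylesheet" href="https://shop.example/wp-content/themes/example-theme/style.css?ver=4.7.2" />
</head><body></body></html>""",
    "blog.example": """<html><head>
<meta name="generator" content="WordPress 5.2" />
<script src="/wp-content/plugins/example-gallery/js/slider.min.js?ver=2.1.0"></script>
</head><body></body></html>""",
    "club.example": """<html><head>
<meta name="generator" content="Joomla! - Open Source Content Management" />
</head><body></body></html>""",
    "static.example": "<html><head><title>Plain HTML</title></head></html>",
}
INVENTORY = [fingerprint(host, html) for host, html in SAMPLE_PAGES.items()]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec)
    # Hypothetical advisory: example-gallery < 2.1.0 is vulnerable. No re-crawl needed.
    print("targets:", affected_by(INVENTORY, "example-gallery", "2.1.0"))
```

The generator tag is trivial to remove, which is why real crawlers combine several signals (asset paths, readme files, login page markup, HTTP headers); the archive lookup at the end is the part that matters: it turns a disclosure into a target list in seconds, which is the window you have to patch.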
Rule #3: quite probably your website is already compromised and being sold on the Black Market
Usually, once hackers get access to your website, they patch the vulnerability they used to get in, so that other hacking groups cannot follow.
Then they install a backdoor (many of which evade antivirus products and malware-scanning services) and start selling access to your website on the Black Market.
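Because signature scanners miss most custom backdoors, the check a site owner actually needs is file integrity: a hash manifest of the web root taken at deployment, compared against the live tree. The following is an added example (not code from the original post or from High-Tech Bridge) that builds such a manifest, reports added, removed and modified files, and applies one extra heuristic on top (PHP code appearing under directories that should only hold uploads). The mini web root, the list of upload directories and the simulated backdoor are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

EXEC_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
# Assumption: directories that should only ever hold uploaded media or cache data on this site.
UPLOAD_DIRS = ("wp-content/uploads/", "wp-content/cache/", "images/", "cache/", "tmp/")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def flag_suspicious(paths) -> list:
    """Heuristic on top of the diff: server-side code showing up where only uploads belong."""
    return [p for p in paths
            if Path(p).suffix.lower() in EXEC_EXTENSIONS and p.startswith(UPLOAD_DIRS)]


def demo() -> dict:
    """Builds a constructed mini web root, snapshots it, simulates a compromise, and reports the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'shop');\n",
            "wp-content/uploads/2015/logo.png": "PNG placeholder (constructed)\n",
        }
        for rel, body in original.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline_json = json.dumps(build_manifest(root), sort_keys=True)  # in practice: stored off-host

        # Simulated post-compromise changes: a hooked entry point and a PHP backdoor in the uploads tree.
        with (root / "index.php").open("a") as fh:
            fh.write("<?php @include '/tmp/.cache'; ?>\n")
        (root / "wp-content/uploads/2015/cache.php").write_text("<?php @eval($_POST['c']); ?>\n")

        delta = diff_manifests(json.loads(baseline_json), build_manifest(root))
        delta["suspicious"] = flag_suspicious(delta["added"] + delta["modified"])
        return delta


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats: keep the baseline manifest (and the script) off the web host, because an intruder with write access to the document root can rewrite both; and treat every modified core file as a finding, not only the ones the heuristic flags (in the demo, the hooked index.php is caught by the diff alone). For WordPress and Joomla you can build the baseline from a pristine download of the same release instead of trusting the deployed copy.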
(Image: Black Market: the life-cycle of compromised websites)
People who buy compromised websites come from many niches of criminal business, but mainly they will use your website to serve malware to your visitors, send spam, take part in DDoS attacks, steal your traffic and visitors, host illicit content, or use it as a stepping stone in chained attacks against large companies and organizations.
Rule #4: your customer database may be worth much more than you think
Many online retailers and e-commerce businesses seriously underestimate the value of their customer database on the Black Market. Today hackers do not target only credit card or social security numbers; they target almost any type of user account. Even a database of 1,000 user records is a well-traded item on the Black Market.
(Image: one of the forums selling millions of compromised records)
There are hacking teams specializing in large-scale password re-use (credential stuffing) attacks. These teams buy as many compromised databases as they can and merge them into a central database searchable by the victim’s email address, name or IP address. Such a database may contain hundreds of millions of compromised user records from all types of websites. The criminals make money by selling lookups to other hackers who are after a specific victim. If the victim’s credentials are found, they can often be used to break into the victim’s other accounts, as people still tend to use the same or similar passwords everywhere.
Spammers also willingly buy information about the goods your customers order, the newsletters they are subscribed to, how old they are, which country they live in, and what their hobbies are. Such information lets them target spam more precisely and so increases its efficiency.
Stolen databases have a very long shelf life, at least one to two years, during which they are sold and re-sold many times to many different buyers with very different aims. The consequences of a database compromise may therefore last for years. In the end, the database will probably be publicly exposed on Pastebin.
Rule #5: your spending on digital marketing and SEO may be used to promote your competitors
If you google for keywords like “purchase quality traffic” or “buy targeted clicks” you will find thousands of websites offering about 1 million visitors for less than $2,000, while Google Ads will hardly bring you 10,000 clicks for the same budget.
(Image: a cheap traffic offering)
In some cases it is simply fraud: you get 1 million clicks generated by bots that stay less than a second on your website. This will rather harm your website’s reputation and SERP ranking.
However, some of these sellers deliver acceptable or even good-quality visitors: traffic stolen from other websites, or “grey” traffic.
As an example, imagine ten compromised websites that sell Christmas gifts, each of which regularly spends several thousand dollars per month on Google Ads and banner networks to get high-quality traffic. Once an order for Christmas-gift traffic is placed on the Black Market, the hackers who control these websites redirect the visitors arriving from paid ads to a website offering similar goods. Ten websites end up paying for one parasite, boosting its traffic for just a couple of thousand dollars per month. This kind of traffic theft and unfair competition is becoming an increasingly serious problem in modern e-commerce.
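The redirect in this scheme is deliberately conditional: the site owner, who types the URL directly, never sees it, while a visitor arriving from a paid ad (Google referer plus a gclid parameter) is bounced off-site. The practical check is therefore to request your own landing page the way a paid visitor would and compare destinations. The following is an added example (not code from the original post or from High-Tech Bridge) that does this with an injectable fetcher, so it runs offline against a constructed stand-in for a hijacked shop; the profile names, the test gclid value, the mobile user agent and the hostnames gifts.example / parasite-shop.example are assumptions for this example.

```python
import re
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode, urlparse

# How the same landing page is requested by a direct visitor versus a visitor arriving from a paid ad.
PROFILES = {
    "direct": {"headers": {"User-Agent": "Mozilla/5.0"}, "params": {}},
    "google_ad_click": {"headers": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/"},
                        "params": {"gclid": "TESTCLICKID"}},
    "google_ad_click_mobile": {"headers": {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)",
                                           "Referer": "https://www.google.com/"},
                               "params": {"gclid": "TESTCLICKID"}},
}

# Client-side redirects an intruder plants when touching server config is not an option:
# meta refresh, location / location.href assignment, location.replace().
CLIENT_REDIRECT_RE = re.compile(
    r'(?:http-equiv=["\']refresh["\'][^>]*url=|location(?:\.href)?\s*=\s*|location\.replace\(\s*)'
    r'["\']?(https?://[^"\'\s>]+)', re.I)

Fetcher = Callable[[str, Dict[str, str]], Tuple[str, str]]   # (url, headers) -> (final_url, body)


def offsite_destinations(home_host: str, final_url: str, body: str) -> List[str]:
    """Hosts other than ours that the response lands on (HTTP redirects) or pushes the browser to."""
    hosts = {urlparse(u).netloc.lower() for u in CLIENT_REDIRECT_RE.findall(body)}
    hosts.add(urlparse(final_url).netloc.lower())
    return sorted(h for h in hosts if h and h != home_host.lower())


def audit_landing_page(url: str, fetch: Fetcher) -> dict:
    """Fetch the page under each profile; a hijack is 'cloaked' if only ad visitors are sent off-site."""
    home = urlparse(url).netloc
    findings = {}
    for name, prof in PROFILES.items():
        query = urlencode(prof["params"])
        req_url = url + (("&" if "?" in url else "?") + query if query else "")
        final_url, body = fetch(req_url, prof["headers"])
        findings[name] = offsite_destinations(home, final_url, body)
    cloaked = not findings["direct"] and any(v for k, v in findings.items() if k != "direct")
    return {"findings": findings, "cloaked_redirect": cloaked}


def urllib_fetch(req_url: str, headers: Dict[str, str], timeout: float = 10) -> Tuple[str, str]:
    """Real fetcher for live checks: follows HTTP redirects and returns where we ended up plus the body."""
    req = urllib.request.Request(req_url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.url, resp.read(200_000).decode("utf-8", "replace")


def simulated_hijacked_shop(req_url: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Constructed stand-in for a compromised shop: paid clicks are bounced, everyone else sees the real page."""
    paid_click = "gclid=" in req_url and "google." in headers.get("Referer", "")
    if paid_click:
        return "https://parasite-shop.example/xmas?src=hijack", "<html><body>Redirecting...</body></html>"
    return req_url, "<html><head><title>Christmas gifts</title></head><body>Our catalogue</body></html>"


if __name__ == "__main__":
    print(audit_landing_page("https://gifts.example/", simulated_hijacked_shop))
    # Live use (not run here): audit_landing_page("https://your-shop.example/landing", urllib_fetch)
```

Run it from a network the attacker does not expect (not the office IP, which is easy to whitelist away from the redirect), and add whatever other ad parameters you actually use (utm_source, fbclid) to the profiles. A legitimate site should report an empty list under every profile; a non-empty list only for the ad profiles is the signature of this kind of traffic theft.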
Rule #6: your small website may become part of a bigger game
Last, but not least, your website may simply be in the way of professional cyber mercenaries targeting a specific person, company or government body.
When professional black hats are given a VIP target (a businessman, politician, celebrity or well-known scientist), they will probably not start with a frontal attack on the victim’s main systems: it is too expensive and takes too long. Nobody will buy a $200,000 zero-day exploit and prepare a complex APT campaign if there is a much faster and cheaper way to get what they need.
(Image: your website may be the weakest link in a big hack)
Imagine that the victim regularly visits a blog, an online shop or a sports club’s website. Here is what the hackers will do before resorting to expensive attacks:
- Compromise a website where the victim is registered. Many web applications still store passwords as fast, unsalted hashes (MD5, SHA-1), which fall to offline dictionary and brute-force attacks within hours; only a slow, salted algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) materially raises that cost. As soon as the hackers recover the victim’s password in plaintext, they re-use it (and its variations and combinations) on other resources that belong to the victim. If they can get into the victim’s email account, they can usually reset any other password (social networks, even payment systems) through that mailbox. Re-use of “secret question” answers is also common.
- Where the victim does not reuse passwords or uses two-factor authentication, the hackers backdoor the web application so that the moment the victim logs in for the first time, they learn the operating system version, browser, plugins, geolocation, device type, and so on. The victim notices nothing. On the second login, the victim is silently served custom malware tailored to that device and software (a watering-hole attack). Now the hackers have unrestricted access to the victim’s data, bingo.
- Upon completion of the operation, the malicious functionality is silently removed from the web application and the logs are erased, and even the CIA together with Europol will never find out where and how the victim was compromised.
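The first step above hinges on how the compromised site stored its passwords. The following added example (not code from the original post or from High-Tech Bridge) puts numbers on that: it runs the same constructed wordlist against an unsalted MD5 hash and against a salted, iterated PBKDF2 record, and measures the per-guess cost of each in pure Python. PBKDF2-HMAC-SHA256 is used only because it ships in the standard library; bcrypt, scrypt and Argon2 play the same role and are the usual choices for new code. The wordlist, the sample password and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed wordlist standing in for a leaked-password dictionary (real ones hold millions of entries).
WORDLIST = ["123456", "password", "qwerty", "Summer2014", "Winter2015!", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt (still found in legacy CMS user tables)."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_fast_hash(target_hex: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on an unsalted fast hash: one cheap hash per guess, and the same
    precomputed table works against every user in the dump."""
    for guess in wordlist:
        if md5_unsalted(guess) == target_hex:
            return guess
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation (PBKDF2-HMAC-SHA256 from the stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = 200_000) -> dict:
    """What a web app should store: a random per-user salt, the work factor, and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": pbkdf2_hash(password, salt, iterations)}


def verify_record(password: str, record: dict) -> bool:
    candidate = pbkdf2_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


def crack_slow_record(record: dict, wordlist) -> Optional[str]:
    """Same dictionary attack against the salted, iterated record: every guess costs a full derivation,
    and the salt means it has to be repeated per user."""
    for guess in wordlist:
        if verify_record(guess, record):
            return guess
    return None


def guesses_per_second(hash_one: Callable[[str], object], seconds: float = 0.25) -> float:
    """Rough single-threaded throughput in pure Python; a GPU cracker is orders of magnitude faster for MD5."""
    n, start = 0, time.perf_counter()
    while True:
        hash_one("guess%d" % n)
        n += 1
        elapsed = time.perf_counter() - start
        if elapsed >= seconds:
            return n / elapsed


if __name__ == "__main__":
    leaked = md5_unsalted("Winter2015!")                       # what a dumped legacy table contains
    print("unsalted md5 cracked to:", crack_fast_hash(leaked, WORDLIST))
    rec = make_record("Winter2015!")
    print("pbkdf2 record cracked to:", crack_slow_record(rec, WORDLIST), "(same wordlist, far slower)")
    fast = guesses_per_second(md5_unsalted)
    slow = guesses_per_second(lambda p: pbkdf2_hash(p, rec["salt"], rec["iterations"]))
    print(f"md5: {fast:,.0f} guesses/s   pbkdf2({rec['iterations']}): {slow:,.1f} guesses/s   slowdown x{fast / slow:,.0f}")
```

Note what the slow record does and does not buy: the password in the wordlist still falls, just after far more work per user, so a slow hash turns “every account in hours” into “a handful of weak accounts in days” and buys time to rotate credentials. It does not rescue a password that appears in a leaked dictionary; that is the second half of the attack above, and only unique passwords and two-factor authentication on the victim’s other accounts stop it.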
But don’t think that you are safe just because Bill Clinton or Lady Gaga are not among your visitors. Quite often VIPs targeted by cybercriminals do not manage their computers, email or even social network accounts themselves, delegating such work to numerous assistants. Guess who gets hacked in that case? Right, the assistants, who may be among your regular visitors or customers.
How will hackers know about these people’s hobbies and the websites they regularly visit? Google and social networks can easily expose 80% of people in developed countries, showing their hobbies, activities, personal life and the websites they like and visit.
Ilia Kolochenko, High-Tech Bridge's CEO, says: "Today very few companies devote enough time and resources to web application security. People seriously underestimate the impact a vulnerable website may have on business. Web developers concentrate their efforts on cross-platform compatibility, mobility, and new functionality of web applications, putting security in the very last place among their priorities. Very few companies, including professional software developers, have security as a part of their SDLC.
Obviously, hackers don't miss such a great opportunity to make easy money on people's negligence. Large incidents and data theft caused by vulnerable web applications and websites will significantly grow in the near future."
In response to the emerging threat of web hacking, High-Tech Bridge has released ImmuniWeb®.