This question, from a small-site owner with tens or hundreds of visitors per day, is an unfortunate but all too familiar one.
One morning I started getting emails from my customers complaining that their antivirus reported my site as infected and won’t let them in. It must be some mistake because I don’t have an e-shop. There is just a contact form and information for customers. Is it possible that someone is attacking my business?
The answer, in most cases is, “You became part of an automatized network which leads your users to an Exploit Kit.” (explanation below)
Why do hackers attack small webpages when there are larger targets?
Small websites have a very low frequency of updates, and the possibility that somebody would find and fix malicious code is almost non-existent, which make them attractive targets to hackers. Hackers seek unpatched pages based on open-source solutions because they can attack them quickly and easily. These pages are later used for sorting users – by those who have vulnerable applications on their computer and by those who cannot be attacked – or simply to hide their true identity. Attackers close “the door” behind them by patching the vulnerability that leads them in and simultaneously create another backdoor, only for them, so the page does not show as suspicious when tested for vulnerabilities.
In general, there are three common types of hacking events a web administrator could encounter:
1. Defacement
This type is recognizable on the first look because the site has been changed to display a message from hackers showing off their skills and mocking the web administrator. This is usually a less harmful attack, and although your page was deleted, you don’t have any financial loss because the motivation for this attack was to show the lack of security on your pages and get credit from other hackers. People which make these attacks usually follow the rule, Don’t learn to hack, hack to learn.
For example, there are PHP shells that lets you select the method and reason of defacement and post it online. The image below shows part of a PHP-shell that sends statistics.
According to statistics from Zone-H, there were 1.5 million sites defaced during 2010, and the screenshot to the right shows the reasons for the attacks. A million and half seems like big number, but these are only documented attacks and the actual number would be much higher.
During the last few years, defacement has been used to display political or ethical opinions by attacking sites with lots of daily visitors. This is turn attracts media and gets as much attention as possible. Even antivirus companies are not spared, as you can read in a recent article about the hack against AVAST.
2. Data Mining
The point of a data mining attack is to steal customer’s personal data and credentials stored in various services, usually from e-shops, forums, and gaming portals. Stolen data are then sold for advertising purposes at best and for bank fraud, in the worst scenario. Data mining is hard to notice because it happens quickly and the only sign is high outgoing network traffic when the database gets downloaded.
The basic technique to prevent loss of personal user data is encryption. If sensitive data such as passwords, and credit card and telephone numbers are encrypted and salted with at least 10 characters, the attacker has to have access directly to the source code to obtain salt, and therefore the probability that the attack will be successful is lower.
Using different user databases on every shop or forum, forces users to create lots of easy passwords or use the same password over and over again. The solution to this situation could be using third-party authentication services because they implement a higher level of security to protect user data than free open-source solutions. But no company is 100% protected from hackers: One of the major data leaks this year was the breach to the Adobe network, where 38 million customer accounts were compromised. Even worse is that some of their source codes fell into the wrong hands. Another big intrusion was allowed by vulnerabilities in ColdFusion server and resulted in theft of data from NW3C.
3. Exploit Kits and their network
An Exploit Kit is a set of vulnerability tests and exploits which are launched against a user’s browser in order to execute malicious code without his knowledge. Sites with malicious code are called “landing pages” and they are often located on free hosting services. To achieve user traffic, EK owners create networks from small hacked pages, like the one in the email question we received. Their purpose is to redirect the browser without being detected, so infected web pages do not show any sign of change. They check the browser in the background and send the user silently to a landing page if any vulnerability is found.
The image below shows a redirecting script from a recent campaign which targeted advertisement servers.
The creator of an infected network searches for sites with known security problems and when he gets access to FTP, various templates and applications can be infected to return redirects and hidden iframes.
Web pages which are part of an exploit kit network affect serious consequences:
- Page rank in search engines drops quickly
- Web-reputation sites and AV companies put them on blacklist
- Users without protection are infected with malware
- Users with antivirus drop their trust to website
To prevent infection from automated bots, here are few suggestions:
- Update your CMS and plugins anytime a new version is available
- Change the default administrator name and choose a strong password
- Use antivirus on the computer from which you manage the website
- Update files using SFTP instead of FTP
Samples from this article can be found on Virus Total under following SHA256:
[php-shell] – 3fad3437e7684bae0381a963f0461f647766a13d28fd36201a85172c1d56da6c
[redirector] – d4d20acc0069d55e31a6f94baf83523057e0d0add09c1953e070b6e1aeb09102
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.