EVERY website is being hacked. And we do mean EVERY website! Now to be fair, we can’t make that claim with absolute proof, which would mean looking at the data on every website and showing the evidence of the hacking attempt. But we are making what we believe is a very reasonable extrapolation. In almost a decade of managing a multitude of websites, we’ve yet to see one that wasn’t probed by a hacker in some way or other.
Here’s an example of a log from this morning as I wrote this post!
536 different hosts attempted to log in to this one particular site!
When I say to our various clients that EVERY website is being probed by hackers, they look at me rather incredulously and think I am exaggerating. I am not. Sometimes I show clients my website admin console and ask them to pick a site at random. We then log into that site and look at the log files, and we will see things like this:
This screenshot shows a few examples of how hackers try to log in. One is by trying to use the user ID “admin”, which is the default WordPress user ID. Since they know what is normally a valid administrative account user name, the hackers try various passwords with that ID. However, in our case, we disable the user ID ‘admin’ and automatically lock out anyone who attempts to log in with that ID.
The hackers can also figure out other user IDs. You can see one of these in the screenshot: justcallmebilly
We really can’t prevent hackers from figuring out valid user names, but we have other ways to prevent this particular approach from working.
Sometimes we look at the IP addresses to see where these hacking attempts are coming from but often the hackers are using VPNs which makes it appear they are coming from a different physical location. That’s the case with the first two IPs in the list which are US based. The third one however is from the Netherlands.
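As an added example (not from the original post or the site's own tooling), this Python sketch reviews failed-login lines the way the screenshot is read above: it counts distinct hosts, locks out any host that tries the disabled ID "admin", and notes which real user names the bots have discovered. The log format, the sample lines and the `MAX_FAILURES` threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines; the log format is an assumption, not the site's real one.
SAMPLE_LOG = """\
2024-05-01T06:02:11Z login_failed ip=203.0.113.10 user=admin
2024-05-01T06:02:14Z login_failed ip=203.0.113.10 user=admin
2024-05-01T06:03:40Z login_failed ip=198.51.100.7 user=justcallmebilly
2024-05-01T06:03:42Z login_failed ip=198.51.100.7 user=justcallmebilly
2024-05-01T06:03:45Z login_failed ip=198.51.100.7 user=justcallmebilly
2024-05-01T06:05:02Z login_ok ip=192.0.2.55 user=justcallmebilly
2024-05-01T06:07:19Z login_failed ip=192.0.2.99 user=Admin
2024-05-01T06:09:30Z login_failed ip=192.0.2.55 user=justcallmebilly
""".splitlines()

LINE_RE = re.compile(r"^\S+ login_failed ip=(?P<ip>\S+) user=(?P<user>\S+)$")
DISABLED_USERS = {"admin"}  # the disabled default ID named in the post
MAX_FAILURES = 3            # hypothetical per-host threshold for other user names


def review_failed_logins(lines, valid_users):
    """Summarise failed logins: distinct hosts, hosts to lock out, real names targeted."""
    failures = Counter()
    lockout = set()
    known_names_targeted = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, user = m["ip"], m["user"].lower()  # names compared case-insensitively here
        failures[ip] += 1
        if user in DISABLED_USERS:
            lockout.add(ip)  # immediate lockout: no legitimate user logs in as "admin"
        elif user in valid_users:
            known_names_targeted.add(user)  # a real user name has been discovered
        if failures[ip] >= MAX_FAILURES:
            lockout.add(ip)  # repeated guessing against any name
    return {
        "distinct_hosts": len(failures),
        "lockout": sorted(lockout),
        "known_names_targeted": sorted(known_names_targeted),
    }


if __name__ == "__main__":
    print(review_failed_logins(SAMPLE_LOG, valid_users={"justcallmebilly"}))
```

The host with a single failure next to a successful login is left alone, which is the difference between a user mistyping a password and a bot working through a list.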
After seeing these things, clients are generally on board with my statement that every website is being hacked but often ask the follow-up question “Why do they care about my little site here in ….”.
My answer is that they don’t. They don’t know who you are and don’t care. And that’s where we get into how this actually works. People think of a website being hacked as some guy in a dark basement typing away on a keyboard. But in reality, the vast bulk of hacking attempts are done by bots. These are computer scripts that grab website addresses from publicly available information and then the software program runs the script against that URL attempting to get inside the website. This can be done by attempted logins and other ways. Realize that there are more ways into a house than just through the locked front or back door.
Once clients understand this, the next question they invariably ask is “What do they want? I don’t have anything on my website of value!”
Well…yes you do! For one thing, you have computing resources. If a hacker can get control of your website he can use that to launch attacks on other websites. And you will look like the bad guy!
It’s estimated, by the way, that there are hundreds of millions of computers involved in hacking attempts worldwide.
According to Purplesec, cybercrime is up more than 600% during the COVID pandemic. This article provides a wide range of hair-raising statistics about cybercrime. We’ll share just a few to get your attention:
- 92% of malware is delivered by email
- 98% of mobile malware targets are Android devices
- Over the last year macOS malware has increased by 165%
- 7 out of every 10 malware payloads were ransomware
- It’s estimated that 230,000 new malware samples are produced EVERY DAY
- Over 18 MILLION websites are infected with malware at a given time each week
- 1.5 Million new phishing sites are created each month.
This article says that in an analysis of nearly 4000 confirmed security breaches, over half were a result of hacking attempts, followed by phishing, which accounted for 33%. The third largest culprit was malware, accounting for 28%. The article also says that 99.9% of accounts get hacked for one reason only – not using multi-factor authentication.
This article is one of many that explains why hackers hack.
The number one motivation is financial gain. This can include various identity theft related crimes such as:
- Stealing money from your bank account
- Taking out loans in your name
- Opening a credit card in your name and using it
- Creating fake social accounts in your name in efforts to scam other people
- Selling data on the dark web
- Blackmailing victims with information gleaned
- Selling malware
Beyond financial gain there are a variety of other reasons hacking occurs. This includes various political agendas, corporate espionage, personal revenge, causing harm for enjoyment, proving hacking capability (Facebook is often a target in this regard) and other less obvious reasons.
Knowing all this, what can individuals do to keep their data safe?
1. Use a password manager
Using a password manager that can create long (35 characters or more) passwords that are only used once means users will avoid a few issues that people who don’t use password managers face:
a. Reusing passwords – this is bad practice because if you get compromised on one site, you run more risk of being compromised on other sites.
b. Using short passwords because you are manually typing them in or they are easier to remember – again, another bad practice – short passwords are hacked much more easily than long ones as there are far fewer combinations of the characters. And if you can remember the password, chances are it’s a simple password that doesn’t have a combination of upper and lower case, numbers and symbols.
c. Malware programs such as keyloggers if present on a user’s computer can capture passwords typed in and transfer them to the hacker using the user’s computer resources.
Again, using a password manager avoids these issues. And in practice, as a bonus, you will find it’s actually much more efficient! i.e. it’s faster as you are auto-populating your user name and password.
2. Use multi-factor authentication.
This either involves having a code sent to your email (which hopefully is not compromised!) or using a code generator. With the code generators, a new code (generally six digits) is generated every 30 seconds. You must enter the correct code within the time limit or wait for the next code. Another way is to have a code sent by SMS message (but this is viewed as less secure than using a code generator program). Another way, less common but very secure, is to use a hardware key such as YubiKey or Nitrokey. This article covers this in more detail.
3. Be careful with links and attachments in emails.
You can verify links and attachments using VirusTotal.
4. Use anti-virus software on your computer.
This includes Macs! While Apple devices are less prone to viruses and other malware they are most definitely not immune to them.
5. Back up any data you don’t want to lose. And then back it up again.
This advice which applies to individuals also applies to websites.
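The code generators in step 2 are usually time-based one-time password (TOTP) apps. As an added example (not from the original post), this Python sketch computes the six-digit, 30-second code per RFC 6238 and shows a server-side check that rejects a code from an expired window or one that was already used; the function names and the `drift_steps` and `last_used_counter` parameters are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # a new code every 30 seconds, as described in step 2
DIGITS = 6         # "generally six digits"


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing time `at`."""
    counter = int(at) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, submitted, at, last_used_counter=None, drift_steps=0):
    """Return the matching window counter, or None if the code is rejected.

    drift_steps=0 accepts only the current window; 1 also tolerates one
    window of clock skew. Any window at or before last_used_counter is
    refused, so a code that was observed once cannot be replayed.
    """
    current = int(at) // STEP_SECONDS
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        expected = totp(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, never a real one
    code = totp(demo_secret, 59)
    print(code, verify(demo_secret, code, 59), verify(demo_secret, code, 60))
```

A server would store the returned counter per account and pass it back as `last_used_counter` on the next login attempt.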