Why a hacker wants your website

Source: Ask Wordfence: Why Is an Insignificant Site Like Mine Being Attacked?

At a high level, an attacker views a vulnerable website as a juicy collection of resources that they can steal or exploit:

  • It’s backed by a server that they can use to run their own programs
  • It’s connected to the internet and likely has a squeaky-clean reputation
  • It might include interesting user data
  • It probably has traffic coming to it
  • It is likely important to you

Most of the time, they use those resources to make money. And they continue to find new creative ways to do so.

Using Your Server to Run Their Own Programs

If you’re running a WordPress site, your web server is most likely a fully functioning Linux server with MySQL and PHP installed. Depending on your hosting situation, it may also have a meaningful amount of processing power. (All true for our servers. Note: MariaDB on our servers is equivalent to MySQL)

Cryptocurrency Mining

Since late 2017 there have been massive crypto mining campaigns, particularly targeting WordPress sites. In the most intense period of attacks ever recorded, attackers were compromising sites and using them to both attack other WordPress sites and to mine for specific cryptocurrencies that can be mined efficiently using web server hardware.

This method uses brute force attacks to hack huge numbers of innocent websites and use their combined processing power for crypto mining.

Read this article for a detailed technical case scenario.

Leveraging Your Reputation

Your site reputation makes you a target. All site owners are targets, even if you don’t collect credit cards, or capture and store user data and even if you just have a plain old static website. The reason is that your website has a clean reputation. Your site doesn’t need to be popular or well-trafficked, it just has to be ‘clean’ for a hacker to be able to use it. If your site is not blacklisted by Google’s Safe Browsing list or any other blacklist, then you are ‘clean’.

Hosting Phishing Pages

A phishing page is one that attempts to fool you into sharing sensitive information, like your password or credit card number. An example of a phishing page is a fake login page that gives you the impression you are on a legitimate login screen. You enter your credentials and the attacker logs them and can now sign into your real account and steal data or money (on banking sites).

So why hack your website? Your site probably has a squeaky clean reputation. When attackers hack your site and then use it to host phishing pages on your site, services like Google Safe Browsing that would normally warn users about suspicious websites won’t know to alert visitors to the danger of the phishing page hosted on your site.

Hosting Spam Pages and Injecting Spammy Links

Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses.

A great example of this is the supply chain attack discovered in September 2017 that spanned 4.5 years and impacted 9 WordPress plugins. In Wordfence’s blog post about this SEO spam campaign, we exposed how someone purchased the plugins and then used them to embed spammy links in the sites that were running them. The attacker used these links to improve search engine rankings for websites offering payday loans, escort services, and other shady things.

It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can.

Sending Spam Email

Getting spam email past spam filters is a difficult endeavor. Email clients and hosting companies such as xneelo use myriad techniques to identify and block spam. Almost all spam filters rely on IP blacklists to block everything from IPs known to send spam.

That’s where your web server comes in. Not only does your server have all of the hardware and software spammers need, but the reputation of your IP is likely perfect. By hacking your website or email address and using to send spam from your web server, cybercriminals have a much better chance of getting their spam delivered.

Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.

Attacking Other Sites

Sometimes attackers will compromise WordPress sites to attack additional sites. We saw hackers use this approach in the cryptocurrency mining attack we discussed earlier in this article, where an attacker was controlling a botnet made up of thousands of other people’s WordPress sites that were simultaneously mining for cryptocurrency and attacking other websites. Your website is an attractive attack platform because your IP address is likely not on any blacklists.

Hosting Malicious Content

Hackers will sometimes use your web server to host malicious files that they can call from other servers. They are essentially using your hosting account as a file server.

Leveraging Your Site Traffic

Malicious Redirects

One very common thing attackers do with hacked websites is add redirects to their content. Visitors to your site don’t even have to click on a hyperlink to visit the spam site: the redirect will just take them there directly. In some cases, attackers will go so far as to redirect all of your traffic to malicious sites. But in most cases, they employ measures to avoid detection, only redirecting traffic to specific URLs or for specific browsers or device types.

For example, malicious JavaScript code may be injected into websites which then redirects visitors to pages that host spam and malicious browser plugins.

Defacements

In some cases, the attacker just wants to get their message out. By taking over your website, they are able to reach your website visitors, at least until you figure out what they’ve done. Attacks of this nature often represent a political movement or are just looking for “street cred” in the hacker community.

Distributing Malware

One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They install website malware that installs malware on your visitors’ computers or devices when they visit your site.

As a site owner, this is especially scary, as not only do you risk having your site flagged as malicious by search engines and other blacklists, but your visitors are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.

Stealing Data

Even if you don’t accept credit cards on your site, an attacker may still find valuable data to steal. For example, if you capture other data via forms on your site, there might be something there worth taking. Additionally, attackers can use a stolen username and password pairs to try to log in to other sites.

Ransomware

Ransomware is malicious software that an attacker installs on your computer or on your server. They use an exploit to gain access to your system, and then the ransomware executes, usually automatically.

Ransomware encrypts all your files using strong unbreakable encryption. The attackers then ask you to pay them to decrypt your files. Usually, payment is via bitcoin. Bitcoin gives the attackers a way to create an anonymous wallet into which the ransom can be paid.

How to secure your website

Regardless of the size of your website audience or the cost of your hosting plan, criminals will happily find a way to monetize it if they can break in. Luckily, you don’t need to be a security expert to keep your site safe. Use products such as Cloudbric and security plugins such Wordfence (for Wordpress sites) to protect your website.