THIS ARTICLE IS FOR EDUCATIONAL PURPOSES ONLY, TO BETTER INFORM DEVELOPERS AND SITE OWNERS REGARDING INTERNET SECURITY, MALWARE, WHAT IT IS, AND HOW TO MITIGATE AGAINST IT. THIS ARTICLE WILL NOT TEACH YOU HOW TO HACK, BUT HOW TO AVOID BEING HACKED & HOW TO IDENTIFY A HACK.
For Plunder and Profit, the internet’s golden age of cyber attacks
In 2019, more than $3.5 billion was lost to cybercrime globally, with projections that online fraud alone could cost the e-commerce industry $25 billion a year by 2024. We're not in Kansas anymore: over the years, the internet has transformed and grown.
What was a global network in its infancy in 2000 is now a platform relied upon by billions of people every day. What started as a gold rush has become the wild west, complete with cowboys and outlaws from all parts of the globe trying to get a piece of the pie. Businesses, e-commerce, social media and the Internet of Things all rely on this network to bring in revenue, communicate with customers, store data, and even run large parts of a business autonomously.
Unfortunately, the more intricate and expansive web infrastructure becomes, the more holes and malicious opportunities arise for those who want to use and abuse the internet in more sinister ways.
The aim of most cybercriminals and cybercriminal syndicates is quite simple: to profit from their exploits, usually in a way where the complexity and effort involved scale with the projected payout. This is done in a number of ways. Hacking a website to steal credit card and personal information, then selling that data online, is a prime goal for many cybercriminals. Other hackers may infect your website with malware that plants links to other websites for black-hat SEO purposes, either to bolster someone's Google rankings or to tank your own ranking and destroy your online presence by linking to adult sites, spam sites and more.
There are also more intricate hacks like botnet malware. Botnets are networks of servers or computers infected with malware that can 'call home' (usually to a proxied IP or a dynamic DNS name) and perform many different malicious attacks at scale. Botnets are notorious for DDoS (Distributed Denial of Service) attacks, which overload a server's ability to receive and serve HTTP requests, essentially taking the server down. Botnets have also been used for things like bitcoin mining, burning server resources to earn the hacker a profit from the processing required to mine bitcoins while leaving the owner of the server with the electricity and bandwidth bill.
the attack vector. Hitting servers with a direction and velocity.
Hackers normally target weak websites, as it is much easier to deface and breach such sites, especially at scale. Most attacks are carried out autonomously by bots programmed to look for known vulnerabilities in theme code, plugin code or even framework code. Targets are normally found through a method called Google Dorking: using Google's search operators to pinpoint websites that are susceptible to the hacker's chosen attack vector. For instance, this dork lists insecure files indexed on the internet in which a MySQL database password is leaked.
"MYSQL_ROOT_PASSWORD:" ext:env OR ext:yml -git
This dork builds a Google query with these features:
- "MYSQL_ROOT_PASSWORD:" - the string is surrounded by quotes, which tells Google to match this exact string in the web page or file
- ext:env OR ext:yml - the web page or file has an extension of .env OR .yml
- -git - the minus operator excludes results that mention git
Hackers create the most creative yet scary formulas to find exploits in every website, file or piece of code that has been indexed, and thanks to the overwhelming success of Google's platform, most things on the internet are indexed.
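As an added example (not code from the original article), the check below runs the same search from the defender's side: it walks your own document root for the .env and .yml files the dork targets and reports credential-looking lines before Google indexes them. The key-name list, the file suffixes and all function names are this example's own assumptions.

```python
import re
import tempfile
from pathlib import Path

# File names the article's dork targets (ext:env OR ext:yml); .yaml is added as an assumption.
EXPOSED_NAMES = (".env", ".yml", ".yaml")
# Key names that usually carry credentials (assumed list; extend it for your own stack).
SECRET_KEY = re.compile(
    r"^\s*([A-Za-z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_]*)\s*[:=]\s*(.+?)\s*$",
    re.IGNORECASE)

def mask(value):
    """Keep two characters so the report is recognisable without re-leaking the secret."""
    return value[:2] + "***"

def find_exposed_secrets(webroot):
    """List (path, line, key, masked value) for credential lines in files a dork could index.

    Anything reported lives under the document root, so the web server will serve it and
    Google will index it: move it outside the root or deny it in the server configuration.
    """
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(EXPOSED_NAMES):
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            m = SECRET_KEY.match(line)
            if m:  # commented-out lines start with '#', which the key pattern rejects
                findings.append((path.relative_to(root).as_posix(), lineno,
                                 m.group(1), mask(m.group(2))))
    return sorted(findings)

def demo():
    """Constructed webroot: a forgotten .env and a compose file with the dork's exact key."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".env").write_text("APP_NAME=shop\nDB_PASSWORD=s3cretpass\n# DB_PASSWORD=old\n")
        (root / "docker-compose.yml").write_text(
            "services:\n  db:\n    environment:\n      MYSQL_ROOT_PASSWORD: example\n")
        (root / "index.php").write_text("<?php echo 'hello';")  # not a config file: ignored
        return find_exposed_secrets(root)
```

Point find_exposed_secrets at the real document root; a hit there means the file is already reachable by anyone, not only by Google.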
so long, and thanks for all the phish
Hackers may also use phishing, but it's not as prevalent these days in wide-scale attacks performed by professionals. Email phishing is still alive and kicking, no doubt, but people are more aware these days of email scams and of the risk in clicking bad links and attachments. Most large-scale phishing attacks are performed by amateur hackers and 'script kiddies'.
spearphishing: phishing with a target and using advanced social engineering
Spearphishing, however, is an attack vector used more by professionals and in more intricate hacks. Spearphishing belongs to the realm of social engineering and works by creating phishing sites and emails that match the victim's online habits, and may even include their personal information or account details to seem more legitimate. For example, a hacker might want a large company's database login details, to steal data or plant malware.
To spearphish and breach the business, they must find a weak vector. Let's say the hacker finds someone who works at the business and has a LinkedIn or Facebook profile that states publicly where they currently work; it's more than likely the hacker can find more than enough information, as well as a contact email address, to concoct a believable story (professional social engineers also use urgency and distractions in their attack, to catch the victim off guard).
Now here's the crazy bit: they may not contact the victim directly by email or phone. They could research that person more deeply, find a product or service they use, or a family member or friend to spoof, and target them instead. They then call or email, using the victim's details they have collected, to reset a password or obtain security question answers.
Thanks to human nature, people like to reuse passwords, or give out sensitive information if they're led into it the right way; they don't even have to be the owner of the sensitive information to give it away.
Spearphishing only really works on single targets and takes the hacker a lot of time, effort, skill and coordination to research the target and find the best way to attack.
cyberthreats you will face, and the damage they do.
The main kind of security threat most people will come across, and also need to defend against, is large-scale automated attacks. Luckily, these can be mitigated with a firewall and an automatic throttling feature on your server that kicks in when a specific IP or browser fingerprint sends too many requests in a short period of time.
Hackers want access to and control over your site for these main reasons:
- To deface or ruin your website (for fun or profit)
- For spam projects like mass emailing and black-hat linking
- To embed malware such as Trojans and spyware (for profit)
- To carry out Distributed Denial of Service (DDoS) attacks
How do you know your website has been hacked?
- Your website is ruined or vandalized
- Google shows warnings about your website to users and in Google Search Console
- Your hosting company has suspended your site
- Web browsers have blacklisted your website
- Your website's loading speed has slowed drastically
- Your site is sending out emails by itself
- Your site visitors are being redirected to illegitimate, questionable or inappropriate websites
- You observe dubious files, folders and code changes on your site
What does a website hack/malware normally look like? And how can I find it?
Proficient hackers want their malware to stay on the infected website for as long as possible. To do this, they need to make it undetectable or very quiet. Malware is normally injected into a single file initially; the code then initializes itself from the infected file, either through a code hook the website already calls or whenever the infected code itself is called.
This initial code is referred to as the 'payload' and is usually obfuscated as an encoded string. The most common encoding is base64, but a hacker could use a variety of encoding methods such as URL encoding, ISO character encodings, hexadecimal, decimal or even bit-stuffed binary. Some hackers even implement recursive encoding (e.g. URL-encoding their payload, then base64-encoding the result) to make sure their code isn't picked up by a malware scanner.
Here's what a base64-encoded malware payload could look like:
$theme_module_loader = eval(base64_decode('aGFoYWggdGhpcyBpc250IGEgcmVhbCBtYWx3YXJlIHBheWxvYWQsIHRoYXQgd291bGQgYmUgaGVsbGEgaXJyZXNwb25zaWJsZSA7KQ=='));
Luckily, this can easily be searched for and found across all server files by looking for "base64_decode", or by using a regular expression to match any base64-encoded string, in case the hacker has obfuscated the call itself well. The regex is as follows:
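The article's own regex is not reproduced on this page. The scanner below is an added example, not the author's code: it pairs a base64 pattern (an assumed one) with a list of wrapper calls such as base64_decode and eval, and peels nested base64 layers to catch the recursive-encoding trick described above. The sample PHP is constructed for the demo and reuses the article's harmless joke string; all names are this example's own.

```python
import base64
import binascii
import re

# Functions that rarely appear in clean theme/plugin code but routinely wrap payloads.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert|shell_exec)\s*\(", re.IGNORECASE)
# A long run of base64 alphabet with optional padding (assumed pattern, not the article's).
B64_STRING = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_layers(blob, max_depth=4):
    """Peel nested base64 off `blob`, outermost first, to defeat the recursive-encoding trick."""
    layers, data = [], blob.encode()
    for _ in range(max_depth):
        try:
            text = base64.b64decode(data, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            break  # not valid base64: nothing (more) to peel
        layers.append(text)
        if not B64_STRING.fullmatch(text.strip()):
            break  # innermost layer reached
        data = text.strip().encode()
    return layers

def scan_source(src):
    """One finding per source line holding a suspicious call and/or a long base64 blob."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        calls = [m.group(1) for m in SUSPICIOUS_CALLS.finditer(line)]
        blobs = B64_STRING.findall(line)
        if calls or blobs:
            findings.append({"line": lineno, "calls": calls,
                             "layers": [decode_layers(b) for b in blobs]})
    return findings

# Constructed sample: the article's harmless joke blob plus a double-encoded blob.
ARTICLE_BLOB = ("aGFoYWggdGhpcyBpc250IGEgcmVhbCBtYWx3YXJlIHBheWxvYWQsIHRoYXQgd291bGQgYmUg"
                "aGVsbGEgaXJyZXNwb25zaWJsZSA7KQ==")
INNER_B64 = base64.b64encode(b"<?php echo 'constructed inner layer'; ?>").decode()
OUTER_B64 = base64.b64encode(INNER_B64.encode()).decode()
SAMPLE_PHP = f"""<?php
$theme_module_loader = eval(base64_decode('{ARTICLE_BLOB}'));
$cfg = 'nothing suspicious here';
$x = base64_decode(base64_decode('{OUTER_B64}'));
"""
```

Feed every file under the web root through scan_source to cover the whole server; expect some legitimate hits from minified assets and embedded images, and raise the blob length if they drown out the real ones.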
How can I best protect my website from hacks and malware?
Even though you can now easily search for and find malicious payloads, if the payload has already been executed we may not be out of the woods yet. Most malware is designed with worm-like features, so it can self-propagate into every file it can reach.
The propagated copies may or may not be encoded, so searching for them becomes a lot harder. I highly recommend setting up a file watchdog on your server to track file and code changes and alert you to potential malware breaches. Wordfence is an excellent plugin for many websites that need total malware protection. With cybercrime becoming more and more prevalent, it's important to keep your sensitive data secure and your website hack-free.
Use a firewall, throttle (or even blacklist) spammy requests, keep your themes and plugins up to date, and make sure to scan regularly for unauthorized file changes.
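One way to build the file watchdog recommended above, as an added example that is neither the article's nor Wordfence's code: hash every file under the site into a baseline right after a clean deploy, then compare later snapshots against it so propagated copies show up whether or not they are encoded. The ignored directories and all names are this example's own assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

IGNORE_DIRS = {"cache", "node_modules", ".git"}  # churn legitimately; assumed list, tune it

def sha256_of(path):
    """Hash in chunks so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every file under `root` (posix relative path -> sha256), skipping noisy dirs."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*")
            if p.is_file() and not IGNORE_DIRS.intersection(p.relative_to(root).parts)}

def compare(baseline, current):
    """Everything listed here changed without a deploy: inspect it, do not just re-baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f])}

def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed site: baseline it, then simulate an edited plugin and a dropped file."""
    with tempfile.TemporaryDirectory() as d:
        site, store = Path(d) / "public_html", Path(d) / "baseline.json"
        for sub in ("wp-content/plugins/demo", "wp-content/cache", "wp-content/uploads"):
            (site / sub).mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello';")
        (site / "wp-content/plugins/demo/demo.php").write_text("<?php // v1")
        (site / "wp-content/cache/page.html").write_text("cached")
        save_baseline(snapshot(site), store)  # taken right after a known-clean deploy
        # Changes nobody deployed (constructed, harmless placeholders):
        (site / "wp-content/plugins/demo/demo.php").write_text("<?php // v1 + injected line")
        (site / "wp-content/uploads/unexpected.php").write_text("<?php // placeholder")
        (site / "wp-content/cache/page.html").write_text("re-cached")  # ignored as noise
        return compare(load_baseline(store), snapshot(site))
```

Keep the baseline file outside the document root and run snapshot-and-compare from a scheduled job; an unexplained entry in "added" or "modified" is the alert the article describes.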