There was a 32 percent increase in the number of hacked sites from 2015 to 2016, and Google does not expect the trend to slow down.
Why are sites getting hacked? Attackers compromise websites to steal information from unsuspecting visitors, or to deliver malware payloads that infect visitors’ computers (also known as drive-by downloads).
Drive-by attacks typically rely on an exploit kit: script injected into the hacked page fingerprints each visitor’s browser, plugins and operating system for out-of-date software, then serves an exploit for a known vulnerability in whatever it finds. Attackers also hack websites to redirect traffic to a malicious domain, and spammers hack them to send spam from a reputable domain or to harvest user contact information, such as email addresses.
How Websites Get Hacked
Google provided a few useful resources for site owners, including information on the top ways that websites get hacked by spammers. Those include:
Compromised Passwords - Password-guessing and brute-force tools automate attacks against login forms, and passwords reused from other breached sites are simply replayed. To protect against a password attack, implement two-factor authentication, which adds a layer that requires physical possession of a device you control in order to verify your identity. That way, a stolen or guessed password alone is not enough to log in. Rate-limiting or temporarily locking out repeated failed logins blunts the guessing itself and keeps the attack visible in your logs.
Missing Security Updates - As mentioned above, out-of-date software exposes users to exploits, and the same goes for websites. Regularly checking and patching web server software, content management systems and every website plugin, add-on and theme protects your website against known vulnerabilities, which is what most automated attacks go after.
Set up automatic updates wherever possible. With Duo Access, you can check every device that logs into your applications for secure, up-to-date software, enabled security settings and more. Plus, you can create custom device access policies to restrict access to your applications from risky devices.
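Knowing what is installed is the prerequisite for patching it, and comparing version strings by hand is where audits go wrong ("4.7.10" sorts before "4.7.2" as a plain string). The following is an added example, not code from the original post or from Google or Duo: it compares a site’s component inventory against the minimum patched version for each component, with numeric version comparison and pre-release handling. The component names, the inventory and the minimum-version table are constructed for illustration; real minimums come from your vendors’ advisories.

```python
"""Audit installed website components against minimum patched versions.

Added example; the component names and version numbers are made up.
"""
import re

# Constructed inventory of what is installed on a hypothetical site.
INVENTORY = {
    "cms-core": "4.7.2",
    "example-forms": "4.9",
    "gallery-slider": "1.2.10",
    "theme-example": "1.1",
}

# Constructed table: oldest version of each component that has the fixes.
MINIMUM_VERSIONS = {
    "cms-core": "4.7.10",
    "example-forms": "4.9",
    "gallery-slider": "1.2.9",
}


def version_key(version):
    """Turn '4.7.10' into ((4, 7, 10), 1) so comparison is numeric, not lexical.

    Trailing zeros are dropped so 4.7.0 equals 4.7, and a pre-release
    suffix ('4.8-beta1') sorts before the bare release ('4.8')."""
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)]
    while parts and parts[-1] == 0:
        parts.pop()
    return (tuple(parts), 1) if not suffix else (tuple(parts), 0, suffix)


def is_outdated(installed, minimum):
    """True when `installed` is strictly older than `minimum`."""
    return version_key(installed) < version_key(minimum)


def audit(inventory, minimum_versions):
    """Return (component, installed, minimum) for each outdated component.

    A component missing from the table is reported with minimum=None:
    unknown patch status is a finding, not a pass."""
    findings = []
    for component, installed in sorted(inventory.items()):
        minimum = minimum_versions.get(component)
        if minimum is None:
            findings.append((component, installed, None))
        elif is_outdated(installed, minimum):
            findings.append((component, installed, minimum))
    return findings


if __name__ == "__main__":
    for component, installed, minimum in audit(INVENTORY, MINIMUM_VERSIONS):
        status = f"needs {minimum}" if minimum else "no known patched version on record"
        print(f"{component} {installed}: {status}")
```

Run this from a cron job that pulls the inventory from the CMS and the minimums from the vendors’ feeds, and treat both an outdated component and an unlisted one as work items.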
Social Engineering/Phishing - These attacks trick users into handing over confidential information, such as passwords. A phishing email sent from what appears to be a credible or familiar source is one form of social engineering. Typically, the email contains links to spoofed sites or login forms, or simply asks for confidential information. Test your organization’s resilience and its exposure to phishing by conducting an internal phishing simulation.
Strong Security Policies - Google states that weak security policies can lead to a compromise of your website. As a system or website administrator, it’s important to enforce strong passwords for users, limit administrative access to the people and networks that need it, enable HTTPS, and so on.
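"Enforce strong passwords" is only effective if the check catches the passwords attackers actually try first. The following is an added example, not code from the original post or from Google or Duo: a policy check that rejects short passwords, passwords containing the username, and passwords that match a breached-password blocklist even after the usual "P@ssw0rd1!" disguises. The minimum length of 12 and the tiny SHA-1 blocklist are assumptions; a real deployment loads a large breach corpus or queries a breach-lookup service.

```python
"""Password policy check with breached-password and leetspeak awareness.

Added example; the blocklist, the 12-character minimum and the
substitution table are assumptions for illustration.
"""
import hashlib
import string

# Constructed blocklist: SHA-1 digests of a few passwords that show up in every
# breach dump. Storing digests rather than plaintext is the usual way such
# lists are distributed; the set is far too small for real use.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "welcome1")
}

# Common character substitutions attackers' wordlists already account for.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "4": "a"})
TRAILING = string.digits + string.punctuation


def normalize(password):
    """Strip trailing digits/punctuation and undo leetspeak, so that
    'P@ssw0rd123!' is checked as 'password'."""
    return password.rstrip(TRAILING).lower().translate(LEET)


def is_breached(password):
    """True if the password, its lowercase form, or its normalized form is on the list."""
    candidates = {password, password.lower(), normalize(password)}
    return any(hashlib.sha1(c.encode()).hexdigest() in BREACHED_SHA1 for c in candidates)


def check_password(password, username, min_length=12):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("matches a known-breached password")
    return problems


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd123!", "alice"), ("correct horse battery staple", "alice")):
        verdict = check_password(pw, user)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Length and a breach check do more than composition rules (one uppercase, one symbol) because attackers' wordlists are built from exactly the passwords those rules produce. Run the same check on existing accounts at next login, not just at signup, and pair it with the two-factor requirement above so that a password that slips through is still not enough on its own.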
Hacked Websites in the News
Most recently, the website of the UK’s largest travel association was hacked after attackers exploited a web server vulnerability to gain unauthorized access to the site; the web servers were managed by a third-party web developer and hosting company. Around 43,000 individuals may be affected, with personal information accessed, according to ZDNet.com.
KrebsOnSecurity.com also reported that Google’s “This site may be hacked” warning may indicate that a restaurant conglomerate’s website was compromised, pointing to the likely source of a large credit card breach that resulted in fraudulent use of customers’ cards at high-end restaurants across the country.
Check out Google’s WebMaster’s Guide for more on different ways websites get hacked and security tips.