Why Do Hackers Hack?

Date aired: July 23, 2019

Join us as we we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.

Picture of Joshua Hammer

Joshua Hammer

Senior Sales Operations Manager

Josh is managing the sales consultant team for Sucuri. When he is not reading about the newest hacks or delving into website security, he is at home playing board games with his family or video games with friends.

Questions & Answers

Question #1 – My website was copied 1:1 a few times and I received many backlinks from my copied website to my original one. Is there any effective way to block scraping website content and images?

Answer – You can put in blocks to prevent people from right clicking and copying. Unfortunately that doesn’t prevent everything because developer tools I can hitF12 and copy. The vast majority are bots and a firewall will prevent that. I am biased, but the Sucuri firewall is the best or use another one to prevent bad bots and that will be reduced drastically. Like most humans, hackers are lazy, if you make it a little bit harder they’re not going to waste their time on you and find someone else easier to get to.

Question #2 – Is there a way to keep our websites away from those random attacks, scan bots, etc? block by agent id?

Answer – Absolutely. I’ll point to a firewall again because a firewall is going to be your best bet but really make sure your sites are up to date. Each of those updates are security updates. They just told the world by the way, that on this outdated version there’s this exploit. And this is how you attack it, So if you don’t keep your — up to date there’s this dictionary of all the exploits. Now if you have 3 sites and any one is exploited/out of date, then ALL of your sites are at risk because of cross-site contamination. Even if it’s a site you don’t use or forgot about, your main site is just as vulnerable because it’s a part of the hosting environment. 

Question #3 – What is the advantage of having a firewall on your website?

Answer – For one, a firewall is going to be able to block a lot of the bots. So a lot of the automated attacks are going to be denied just by having it. Secondly, it prevents your site from being hit. Maybe you couldn’t update your site on day one, you’ve got to test it or you have plugins that need to be changed, a new security update, a good firewall will prevent attacks of known exploits via virtually patch. To the rest of the world your site will look up to date but the firewall is blocking those updates.

Question #4 – You mention that everyone is fair game and there are very little targeted hacks so what can I do to protect myself?

Answer – Keep things up to date for one. Out-dated software is the biggest cause of infection. This includes all sites on the hosting plan if you have a site that is out of date it can infect other sites. A firewall is another way of protecting it (of course we offer the best one out there 😉 )

Question #5 – Doesn’t my hosting protect me?

Answer – In most cases, no. The hosting is designed to protect its servers. Every host has a firewall but it’s not there to protect your site. Hosting is designed to display your site to everyone. It’s not into blocking . And it depends – you get what you pay for, Security is trying to block the bad actors, the bots, attackers. Hosting and security kind of go against each other. You have to find the fine balance. Our main motivation is to keep you secure. 

Question #6 – What about Bug bounty programs? The ethical hacker. 

Answer – That is basically a white hat hackers finding the bugs…you go in and find the bug. You don’t do anything with it. You just find the opening and you give that to the company and the company will pay for it. We used to do it. It was a program that depreciated. But we might have it again when there are new iterations to the firewall. HackerOne is a website that offers a lot of bug bounties.

Question #7 – How much cost is stolen data ie: names, addresses, ID, credit cards? 

Answer – That’s variable, It will cost you more in reputation than actual money, Remember the 2017 Equifax bureau hacked fined 700 million dollars. But it comes down to $4 per person. Not a lot of money but it does hurt the reputation. For your site selling a good or product that others sell so rep can do a lot of damage.

Question #8 – How about SEO hacking?

Answer – Yes, keep up to date and have a good firewall. Reduce the number of plugins. If you want to be really security conscience, separate the sites, functional isolation. If you have a hosting account, have one website, use the same company if you want for the second website but it under a different hosting account. They’re their own buckets. Then you’re securing one room. 

Question #9 – Is there compliance with making a secure website?

Answer – There’s PCI compliance, which is a credit card industry compliance. They are moving more towards more of a compliance with GDPR. It’s not per say a security compliant, It’s a data compliance on how data is stored, but no.

See all Questions & Answers

Expand

Transcript

Joshua Hammer: My name’s Joshua Hammer. I’m a sales operations manager here. A little bit about me. Oh, look at that. It’s Hackerman. What about him? He’s awesome, right? And he can hack time and space. If he hacked you, you’d never find him. And we’re all a bunch of noobs compared to him, so. Honestly though, let’s see. My name’s Joshua. I’ve been with Sucuri here for four years. I’m a sales operation manager, I’m married to a beautiful wife with two wonderful daughters and I love games, video games, board games, security, and laughing. I like to have fun.

Joshua Hammer: So what are we going to do? We’re going to go over a little about who these guys are, what they do, whether they’re targeted hacks versus what are random hacks, what SEO attacks are, and of course the ever popular question, why me? Really though, one of the things that hackers are going after is, well, they want their name out there. They want that fame, right? Or we always see these wonderful hacked pages that says hacked by and they give you the group name or hacked by this individual. It’s because they’re trying to get their name out there with the other groups that are out there and they want that rep with their team.

Joshua Hammer: So, want to talk a little bit about random versus targeted attacks before we get into more about why they’re attacking, but most of the attacks that happen out there are random. They’re completely automated, script based, bot attacks that target the weakest link and move on. Not to say that there aren’t targeted attacks out there. There are definitely targeted attacks. They’re just not as common as the random attacks out there. Some of the targeted attacks you’ll find are politically motivated attacks. These are ones that they’re trying to spread the word. They’re hacktivists. They want to get their message out there and so they’ll target different sites. You see a lot of that in the US around election time, right? It’s always talking about how Russia has targeted our systems, and take aim at our midterms, and our primaries, and our president one because of the hackers and that kind of stuff. I’m not saying it doesn’t happen. It definitely happens out there, but whether or not it plays a big role, don’t know.

Joshua Hammer: Maybe you made somebody mad and that’s why they targeted you. There was a hack a few years ago on an epilepsy site. I’ve got a link to the news article on the slide there, but basically this site where all these people go to that have epilepsy for help on how to manage the symptoms and the problems. And somebody hacked the site and changed the frequency of the display to cause epileptic seizures. Great people, right? Apparently somebody they knew had epilepsy, made them mad and they thought that was the best revenge, is to hack an epilepsy site and cause seizures for all the people that were visiting the site. Fantastic. But the primary motivation and the most popular motivation is of course money. That’s what people want, is they want to earn money via these hacks.

Joshua Hammer: When we talk about money, we’re talking about SEO hacks and these are hackers that go out there and they will push up SEO rankings of sites, but they do it in an illegal manner by hacking other sites and putting links to the site over to this site. We call it black hat SEO. You’ll see a bunch of blog posts about it, but it’s really basically search engine optimization hacking. You’re hacking other sites to help boost an individual site. You’ve got data theft, of course. Everybody talks about data theft. Things such as email addresses can sell for big money on the black market because companies use these email addresses to spam out there and get the information, usernames, passwords, all that kind of stuff. It’s sold, so it’s all money in the bank.

Joshua Hammer: Credit card scraping, big one coming up here with the holidays in December. In November, credit card scraping becomes very popular. They pull the credit card information, email it to a dummy email account, and pull that information from that email account, and sell those credit card numbers out there. Another thing that we’ve seen done with credit card scraping is they’ll hide the credit card information right in an image. I thought that one was amazing. If you looked at the code on the image on the website, it had all the credit card numbers right there on the image. Anybody could grab it if they just knew to look at the code behind the image, but credit card scraping will make money. So that’s another reason to hack.

Joshua Hammer: Redirect links perhaps sending you to a different website, so you get a referral bonus for sending so many people to this website. Well, rather than actually building a page that refers people over to this website, why not just hack a site and anybody who comes to that site gets referred over? I remember once in chat, I came across a redirect link issue. A person who did children parties and he was a clown, his site was redirecting to porn, so not a great thing for them. Hurt his reputation, but in the end the hacker makes money off of it.

Joshua Hammer: Advertising spam, wonderful popups. We all love the popups that come up every once in a while when we’re cruising the net and you come to an infected site and you get like 300 different advertising popups, it starts yelling at you. Really a popular hack. And cryptocurrency mining, and what I mean by that is Bitcoin and those other kind of things. Recently, it’s become harder to mine for cryptocurrency. Companies are actually not making money. The cost of the electricity and the machines and everything costs more than what you find with cryptocurrency. Well, I can cut that cost. If I started to start using your hosting server and your, basically, processing power to mine the currency, then I’m not paying those costs. Instead, I’m getting it for free, so I can mine that currency and make some money.

Joshua Hammer: Really, most of these attacks though are completely automated, right, because for me to sit here and to hack a site, it’s going to take me a lot of time. And let’s face it, to hack one site, it’s going to take a lot of time. I may be able to do it, I may not, it depends. For me to write a script that goes out to the internet and scans thousands upon thousands upon thousands of sites and goes, okay, these 300 sites are out of date and they all have the same vulnerability, that’s going to take me a few minutes. Right? So now I’ve got thousands of sites with a vulnerability and a lot of these sites, to be honest, the vulnerability are known issues and there’s already programs that we can download that infect those known issues.

Joshua Hammer: So then the hacker doesn’t even have to know what they’re doing. They just execute a program and in the program they give them a list of all these sites that have the known issues and the program starts infecting the sites for them. So now they’ve got all these sites, it makes it real easy, and that’s why automated is the big thing. So why me? Why do you pick me out of everybody? Well, it’s not targeted. It’s that random effect. It just so happens that you were the weakest link, you were the low hanging fruit, and congratulations, you got hacked. I want to say Google blacklists something like 18,000 sites or something like that a day. It’s an an unreal number of sites that they blacklist and there are only blacklisting a percentage of the sites that have malware out there and it’s a low percentage of what they’re actually blacklisting.

Joshua Hammer: So the number of sites that get hacked a day is astronomical. It’s unreal. And so, basically if you were hacked, it was because you were low hanging fruit. Chances are you didn’t really make somebody mad, you just got lucky and one of those programs they wrote, you got scanned and it pulled, which is fantastic, right? That’s all what we want to hear. I was lucky, I won the lottery. Yes. But unfortunately, it wasn’t a good lottery. It was a lottery of being hacked.

Joshua Hammer: So what can we do to prevent this? Make it harder for them. There was a post that Tony did a long time ago and, we probably should redo this post, but he talks about the difference between security and ease of use. And he says that the two definitely don’t go hand-in-hand. If you talk to me about two factor authentication, I use it on everything. I hate two factor authentication with a passion because I hate having to have my phone wherever I go. But it’s a level of security that makes it a little bit harder for me to use. So you’ve got to find that balance of what are you willing to do versus what will secure the site. And by making it just a little bit harder for the, oh lovely. Making it a little bit harder for the end user can make your site a whole bunch more secure.

Joshua Hammer: So with that, I know it was a short series, but I want to hear from you. What kind of questions, comments, concerns, or wisecracks do you have?

Speaker 2: Speaking of wisecracks, you didn’t bring out your mask?

Joshua Hammer: I didn’t bring out my mask.

Speaker 2: Oh, that’s okay. Okay. We have actually a few, let’s see here. Oh, in the chat was the, that probably you kind of saw that come through, is about bug bounty programs. [crosstalk 00:10:36]

Joshua Hammer: Bug bounty programs are fantastic. So yeah, those are the white hat hackers basically finding the bugs out there. Many companies do bug bounties and where you go in, you hack in, you find the bug, you don’t do anything with it. You just find the opening and you give that to the company and the company will pay for it. A lot of companies do that. I know we used to do it. I don’t know if we still are though, to be honest with you. It was a program that I think got depreciated at some point. Doesn’t mean we won’t be back with new iterations when we put up new changes to the firewall, but yeah, HackerOne I think is the name of a website that offers a lot of bug bounties.

Speaker 2: Okay, cool. Good to know. The Ethical Hackers, huh?

Joshua Hammer: Yes.

Speaker 2: We also have Tomas, I believe it is, saying his website was copied a few times and he received many back links from the copied website to his original one. And is there an effective way to block scraping website content and images?

Joshua Hammer: So that’s a hard one. We had somebody in chat not too long ago that was talking about the same thing and you can put in blocks to prevent people from right clicking and copying. Unfortunately, that doesn’t prevent everything because developer tools, I can just hit f12 and and I didn’t right click, but I can still copy all the code there, which is great. Right? But the vast majority of the things that are doing that are bots. So a good firewall that’s in place that blocks those bots will prevent most of those kinds of issues. Of course, I’m bias. I’m going to tell you that the Sucuri Firewall is one of the best because, well, it is and because, well, I’m biased. But if you’re not using ours, use another firewall that prevents bad bots and you’ll see that that will be reduced drastically. Because for the most part, just like many humans, hackers are lazy and if you make it a little bit harder for them, they’re not going to waste their time on you. They’re going to go and find somebody else that’s easier to get to.

Speaker 2: Definitely makes sense. Perfect. Let’s see. Love that, well, you opened up, you said biased.

Joshua Hammer: Yeah, no, I’m definitely biased. I work here, but I’ll be honest, I do competitor shopping in those kinds of things too and I still think we’re the best.

Speaker 2: They can do that. Do some competitive shopping and see.

Joshua Hammer: Absolutely. I noticed in chat, we’ve got another one from Raphael. Is there a way to keep our websites away from those random attacks, scans, bots, et cetera, blocked by agent Id? Absolutely. I’ll point to a firewall again because the firewall is going to be your best bet, but really make sure your sites are up-to-date. A large number of sites that get attacked are ones that are out of date, and the reason that is, is because each of those updates are security updates, right? Well, when they tell you, hey, this is what’s changing in the site, we’ve done a security update to prevent this exploit, what they basically told the world is, by the way, on this outdated version, there’s an exploit and here’s the exploit and this is how you attack it, right?

Joshua Hammer: So if you don’t keep your stuff up-to-date, basically there’s a dictionary of all these exploits that are out there that can now be used or exploited. The main thing I’m going to tell you there is if you have three sites under your hosting account, if any one of those three sites is out of date, than all of your sites are at risk because of cross-site contamination. You may have a site on there you forgot about and it gets attacked. Well, now your good site that you’ve been spending all of your time and money on, it’s just as vulnerable because they’re already in the hosting environment.

Speaker 2: Do you see Lawrence in there? Was that another one?

Joshua Hammer: What is the advantage of having a firewall on your website? Well, for one, a firewall is going to be able to block a lot of the bots, so a lot of the automated attacks are going to be denied just by having that firewall. Another thing is it’s going to help prevent your site from being hit because maybe you couldn’t update your site on day one, you’ve got to test it and you’ve got plugins that may need to be updated or changed with the new security update. A firewall, or at least a good firewall, is going to prevent attacks from those known exploits because it’ll virtually patch your site. So to the rest of the world, your site will look up-to-date and when they go through the firewall and they try to exploit one of those outdated things, it won’t be able to do it because the firewall is going to block it for you.

Speaker 2: Beautiful. Warren, I think, hopefully we answered your questions because you had a few. SEO hacking, you see that?

Joshua Hammer: Yup. Same thing. Keep your sites up-to-date and, well, put up a good firewall. Those are going to be the the answers to most of how to prevent that. Keep your site up-to-date, put up a good firewall, reduce the number of plugins. If you want to get really security conscience, start separating your sites. Functional isolation. So if you’ve got a hosting account on that hosting account, you should have one website, right? And then if you want a second website, you should put them under. You can use the same company, just a different hosting account, because now they’re their own buckets. So rather than trying to secure an entire house, you’re securing one room and that makes it a lot easier.

Speaker 2: I also see, speaking of hosting, is it, what do you think on hosting? Do they really protect you? Some people are asking that.

Joshua Hammer: It depends on the host, right? So there’s an old saying in sales, nothing cheap is good and nothing good is cheap and you get what you pay for, don’t you? So if you’re paying for $5.00 hosting, right? How much security do you expect to get for five bucks? Probably not a lot. If you’re paying 30 or $40 and they include security in there, well, you’re probably going to get a lot more. But hosting is designed to display your site, right? It’s designed to get your site out there, show it to everybody. Don’t block anybody. Get it out there. Security is the opposite, right? We’re trying to block the bad actors from accessing the site. We’re blocking the bots, we’re blocking the attackers. Hosting and security kind of go against each other. Like I said, you’ve got to find that fine balance. Where do you want to be? So with a security company, our main motivation is to secure your site. Yeah. We want your site to be visible, but more importantly, we want it to be secure.

Speaker 2: Yes, you’re right, Warren.

Joshua Hammer: SEO hacking, user management, passwords. Yeah, password things are fantastic. Definitely don’t use one, two, three, four, five, or password, or all the others. I think, what, it’s love and God are popular passwords too. Fantastic.

Speaker 2: Really?

Joshua Hammer: I personally use LastPass as a password manager. I love it. I’ll tell you all, that if you’re using a password manager, they’re the best things in the world, except for people who don’t use them, then they hate you because you know, hey, would you log into your Netflix for me? And you got to pull it up and you look at, oh, my password is, a, ampersand, two, three, one, five, w, one and they’re going, what the heck is all that? Well, it’s LastPass, so thanks.

Speaker 2: I love making them all complicated. I used to make it super easy before I worked here. It was like one, whatever the name was, two. Not now.

Joshua Hammer: Now you feel like slapping your old self, don’t you?

Speaker 2: Okay.

Joshua Hammer: How much cost debt is stolen from a website like names, addresses, ID, emails, credit cards? Well, that’s really variable. It’ll cost you more in reputation than actual money. I was talking about this earlier today. We had, if anybody remembers, in 2017 the credit bureaus in the US were hacked, Equifax. They were just fined $700 million for that hack. So that’s a lot of money. Right? Well, guess what? That comes down to about $4 per person of data that was stolen. So that’s not a lot of money, but what it does hurt is the reputation. Now the credit bureaus, nobody has a choice but to use them, so it’s not going to hurt them in the long run. But for your site, you’re probably selling a good or a product that other people are selling as well. And that reputation can do a lot of damage.

Joshua Hammer: Love LastPass. I do love LastPass.

Speaker 2: You’re catching up, yeah. So let’s see. Okay. Yeah. The comments of how much it really is costing on-

Joshua Hammer: As their compliance with making a secure website? Well, there’s PCI compliance, which is the credit card industry compliance. But no, there’s no standard that says this is a secure site, this isn’t a secure site. That would be fantastic. Right? They’re moving towards more of a compliance with the GDPR, but even that is not per se a security compliance, just a data compliance set of how the data is stored.

Speaker 2: Okay. Thinking, did we get everything in chat? I saw a little bit on the, it was pretty similar though, I think of a question. So, I think we got everything. It was mentioned before, everything is fair game and that kind of thing. How you-

See Full Transcript

Expand

Similar Past Webinars

In the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.

Resources

Picture of presenter of Upcoming – Logs: Understanding Them to Better Manage Your  WordPress Site

Webinar – Upcoming – Logs: Understanding Them to Better Manage Your WordPress Site

In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.

Picture of presenter of Personal Online Privacy

Webinar – Personal Online Privacy

In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.

Picture of presenter of Why Do Hackers Hack?

Webinar – Why Do Hackers Hack?

Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.

Picture of presenter of WAF (Firewall) and CDN Feature Benefit Guide

Webinar – WAF (Firewall) and CDN Feature Benefit Guide

A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..

Picture of presenter of Preventing Cross-Site Contamination for Beginners

Webinar – Preventing Cross-Site Contamination for Beginners

Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..

Picture of presenter of Getting Started with Sucuri!

Webinar – Getting Started with Sucuri!

If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..

Picture of presenter of How to Account for Security with Customer Projects

Webinar – How to Account for Security with Customer Projects

Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..

Picture of presenter of Is SSL Enough to Secure Your Website?

Webinar – Is SSL Enough to Secure Your Website?

It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month means that even small changes can have a big impact on website owners if ignored…..

Picture of presenter of FireChat: Reactive and Proactive Protection for Web Agencies

Webinar – FireChat: Reactive and Proactive Protection for Web Agencies

In this fire chat, we're looking to find answers to some of the questions web agencies have been asking us for years, in hopes of shedding more light into how you, as an agency, need to respond to security threats your customers face…..

Picture of presenter of Security for Web Agencies

Webinar – Security for Web Agencies

Website security is challenging, especially with a large network of sites. We want to help you understand how you can create a security plan and reduce the risk of a hack or security incident. In this session Dana covers the implications of a security breach and why security should be important to your agency. Dana shows you a tiered approach to we….