Mail Order Brides, Pornography & Malware: How Website Hacks Can Hit Your Business
Cyber-attacks don’t just affect large banks and the NHS; they affect smaller businesses, too. Stats vary, but a 2020 UK Government survey of cybercrime against SMEs reported that 46% of respondents had experienced an attempted cyber-attack in that year. Organisations most at risk were mid-sized businesses, large businesses, and high-income charities.
Even though most attempted cyber-attacks don’t result in a breach, cybercrime is clearly something that is common enough to be worried about. And what would happen to your business should a breach occur? Most blogs on the subject focus on the monetary implications of cybercrime – ransomware, identity theft directed at employees and customers, and financial fraud – but cybercrime can also be plain embarrassing.
Two of our own clients recently had their websites hacked in damaging and extremely embarrassing ways, costing time, money, and reputation to resolve. Both are established, small-to-mid-sized professional service companies with an active online customer base.
In both cases, the hacker or hackers managed to breach the business’s website security and replace some or all of their content with dubious third-party material – so-called ‘cuckoo content’.
- Client #1 (a firm of solicitors) was surprised to discover a huge volume of pornographic images and videos posted on their site, replacing the pre-existing content.
- Client #2 (a document shredding service) found themselves the unwitting host of over 700 articles relating to ‘mail order’ brides and overseas dating. The cuckoo content was sufficient for the company website to rank highly on Google for the evocative keywords ‘Cambodian cupid’ and ‘Ukrainian brides.’
Setting aside the humorous nature (in retrospect, at least) of the hacks, the question remains – why them?
Neither is a particularly large or prominent business or an obvious target for extortion. Both follow standard web security practices common to businesses across the UK, and neither could recall a recent attempt at a breach, or anyone having clicked a phishing email or text.
In these cases, the point of vulnerability wasn’t a weak password, compromised social media account, or email server – it was the business website itself.
Open Source, Open Access
To be clear, JDR did not build or maintain these company websites. They were each built using open-source software (WordPress in one case, ExpressionEngine in the other) and were hosted using a third-party hosting service.
It was a vulnerability in the open-source code of each website that allowed the hacker to exploit a backdoor entrance into the customer’s browser-based dashboard, from which he or she could manipulate the customer’s content.
Unfortunately, the popularity and strength of open-source software – the fact that the source code is openly available to all developers and is not owned and managed by a proprietary company – is also its greatest Achilles heel.
A cyber-criminal can access the source code in the same way as an app developer or designer can – and with no centralised oversight and update strategy, there is very little that users can do to close the door to any security loopholes in the software. Malware code can quite easily be written into the source code of a bogus app or plug-in, allowing criminals access to a company’s website.
What is the solution?
Open-source websites are not inherently insecure, but their dependence on community trust and independent developers is a clear weakness in some cases, especially for websites that are not regularly updated with the latest security best practices.
We are increasingly of the opinion that proprietary Software as a Service (SaaS) websites offer better security for businesses than open-source sites. This is because SaaS website vendors (such as HubSpot, Shopify, and Squarespace) use ‘closed’, closely guarded code that isn’t open to developers outside of the company. It is far harder for a cyber-criminal to exploit weaknesses in code that is locked away and regulated under central supervision in this way.
Furthermore, should weaknesses be identified, it is far easier in a SaaS system for the proprietor to identify flaws and take swift remedial action to improve security. It’s not that cyber-criminals don’t attempt to target SaaS-built websites – they do – simply that proprietary website developers are better placed to stay one step ahead of cyber-attacks with proactive updates, and to close security loopholes that in open-source software may remain open indefinitely.
Find out more
The risk of a cyber-attack on your business isn’t something you can entirely avoid, but you can take steps to make it more difficult for criminals to target your business – and upgrading to a more secure framework for your website is an important first step.