Many companies, including leading corporations and financial institutions, think that a website is just a “webpage” in the middle of nowhere, without much value for them or for the hackers. They think that a hacked website can be quickly and easily repaired, and nobody will ever remember the incident. They are seriously wrong.
Many people think that if their website is not an e-banking application or e-commerce platform, hackers have nothing to steal. In reality, to a hacker your website is a gold mine. Imagine that your company has valuable data (for example financial records) stored locally in your corporate network. One of the first attack vectors hackers will use to extract the data will be your website.
Hackers will carefully profile your employees who may have access to the data (such as accounting, legal or the financial department) on social networks. Using public information about their targets, they will craft a trustworthy email or LinkedIn message.
The email will come from one of their old connections, asking something directly related to your business and will contain a hyperlink to your own website. The hyperlink will have legitimate structure, similar to all other links you have on your website, and it will even be an HTTPS link if your website works over SSL. But as soon as your employee clicks on the link, an exploit will trigger and compromise the victim’s machine. Does your intrusion-prevention system analyze traffic for exploit payloads and other attack patterns? Did you think to intercept SSL traffic as well? No? Then your network IPS won’t really help.
But even if you did think of that, hackers have many simple and efficient obfuscation techniques to combine with zero-day exploits. It’s just a question of time and money to compromise any of your local machines. Once compromised, a sophisticated backdoor will be installed on the victim’s PC, and hackers will extract all the data they need via the hacked machine.
Did you think about security awareness and training for your employees, as well as about blocking access to suspicious and phishing websites? Good. However, I doubt that you blacklisted your own website and instructed your employees not to trust your corporate website.
We recently saw a case where a large legal company in Central Europe was hacked and compromised with an unusual data-extraction technique used by the intruders. No employees could access any external website except the corporate one, so the hackers were uploading all stolen data to the company's own website and downloading it from there afterwards. This happened simply because nobody cared about their own website's security, thinking that it is the last point to think about in corporate security.
So, your website security may compromise the entire company, even if you don't have a single byte of confidential information on it. One single web vulnerability may cross out all your cybersecurity investments. Today, the most sophisticated APTs start with an insecure web application.
Website compromise is also an El Dorado for phishers and other cyber criminals. Once they get your website's source code, they can send the same emails or other types of internal notifications as your CMS does. Will you trust an email that looks like a Visa email? No. Will you trust an email that is an exact copy of your bank's email? You will at least consider reading it. And if hackers get access to your website, they will have all of your customers' details that you usually include in emails, which will increase those emails' credibility.
Finally, if hackers have access to your website, they will probably be able to send legitimate emails from your email server directly. That will bypass all spam and phishing filters, unlike emails coming from free, typo-squatted or fake domains. What will happen next? The consequences are limited only by the hackers' creativity and imagination.
All your customers may get an email from your company asking them to make a test financial transaction to a “test account” in order to validate that your new payment system works well. They will feel confident, as the amount will be pretty small and the email will promise to reimburse it within the next 24 hours. Obviously, later nobody will be able to cancel this test payment, leaving your customers without their money at the end of the day.
More sophisticated criminals will use your website and its databases to compromise as many of your customers as they can (again by hosting malware on your website) and backdoor them. Once they have control over a majority of your customers' computers and mobile devices, they can do whatever they want, up to emptying all their accounts using a sophisticated banking Trojan.
What will happen next? You will lose your customers, seriously damage your business reputation, face numerous lawsuits and become the media star of the week. Social networks will bubble with mockery around your company. The worst is that you can never know how long the incidents involving your customers' data will last. Once one hacking team has used your database, they will sell it to another gang at a discount, who will resell it or exchange it for other goods on the black market, and so on, without end. The cost of a compromised website is endless targeted attacks against your customers, with all the related consequences.
You still think you have no confidential information to steal, being an NGO or a company without anything valuable for hackers? Cybercriminals will still come, as it's a great strategy to host malware on your website and compromise others (like your organization's bank). Your reputation will suffer for a while, especially today when the media can't get enough of data breach scandals. At the same time, many infosec vendors will include your company's case study in their sales brochures as an example of a highly sophisticated APT, and will successfully sell their solutions.
Last, but not least, are you ready to waste all your digital marketing budget? Once your website is infected with malware, search engines and browsers will quickly add it to their blacklists. When opening your website, visitors will see a message that it is dangerous and should be avoided. However, you will still be paying for clicks coming from SEO, ad networks and marketing campaigns.
If you’re not happy to serve as an APT case study, secure your website right now.
This article is published as part of the IDG Contributor Network.