Many people say to themselves, "I don't need to worry too much about security for my website, because no one would ever want to hack it in the first place." In my opinion, this belief comes from not knowing many of the reasons someone might hack a website. Maybe they see reports of big banking websites being targeted and assume that no one would try to hack their website, because no financial information is ever posted on it.
This list should make it clear that any website at all is a potential target. If your website hasn't been targeted (yet), that's probably just a matter of luck; 'they' simply haven't found your site yet. This list is meant as an eye-opener, to impress upon you that website security is important to consider for all websites - even yours!
Stealing User Information
This is one of the biggest, most obviously damaging ones in this day of 'identity theft'. But don't think that just because your website does not store financial information, it is safe. Even the most basic information that the most simple of websites might collect can be surprisingly useful. For example, almost any website that has "users" for any purpose at all will store, at minimum, a user's email address. That, alone, is valuable information to a hacker.
Lists of actively-used e-mail addresses can be sold for a king's ransom. Worse, though, unique user names and passwords are usually stored as well. Many people use the same user names and passwords on multiple websites. So stealing your list of users' information could give hackers access to your members' accounts on other websites. It works the other way around, too; information from other websites could be used to gain access to user accounts on yours.
Websites should not store passwords in plain text in the first place, but even lists of password hashes can be very useful. Users should not use the same user names and passwords on multiple websites, but the fact is they do, in extremely high percentages. My own, limited research on this topic suggests 75% of users will use the same user names and passwords on multiple websites. You don't want your website to be the source of revealing this information.
Stealing Server Information
In addition to your users' information, they may be looking for information on your server itself, perhaps to facilitate hacks for other reasons listed below. Your website might store your database user name and password, for instance. Having that information could allow the hacker to more easily add content to the site, steal information, and do other 'bad things'.
Defacing Your Website
If your website has more than 2 users or so, there is bound to be a time when one of them might have cause to want to embarrass you by defacing it. Even if your site does not cover any controversial topic whatsoever, its mere existence could offend someone on a much broader basis. Virtual Eco-Terrorists may decide that your website is one of billions which actively support the Military/Industrial Complex because it sells something or promotes something.
Any website is vulnerable to this, and your website being a small-time operation isn't really as much of a help there as you might think. Those who deface your website will make it popular once they do so, by sharing links to it among their peers, in order to boost their "street cred" as hackers. Your site could even end up listed in more 'credible' places as an example of a website which has been cracked (and is to be avoided as a result).
But it should be noted that ultimately, the hackers don't necessarily need any reason to deface your website. Hacking of this sort started off as its own virtue; its own end-game. Even today, when most hacking has a 'purpose', that purpose may be as simple as being able to add your website to someone's "hacker resume" when they are seeking paid hacking work.
Search Engine Optimization
One of the best ways to improve a website's ranking in searches is to have links to that website's content show up on yet other websites which themselves have some 'value' in related searches. The principle there is that if a website that is highly relevant to a particular search term has a link to another website on it, that other website is probably also highly relevant to that term.
This reason is an extension of 'defacing' your website in a way, but it's more subtle, and with more specific purpose behind it. It doesn't absolutely have to be something related to your website's topic, either. In fact, it is often links to some malicious website that simply tries to harm people's computers in some way, just to generally increase the number of times their website will show up in search results.
Promoting Their Own Product/Service
Or, the links might be completely visible; giving your website viewers the impression that you support that other site. The risk there is that it's easier for you to realize you have been 'hacked', but surprisingly few such attacks are discovered at all. How closely do you monitor your website pages once they are 'up'? If you know you didn't change a web page, do you ever check it again to make sure someone else didn't?
Just as with "Search Engine Optimization", this does not need to be related to your website. It is often links to malicious sites that seek to harm your users' computers and/or sell some fraudulent product or service. They are piggybacking on your website's reputation to promote their own "thing".
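One way to answer the "do you ever check it again?" question above, as an added example that is not part of the original article: keep a baseline of each page's SHA-256 hash and the hosts it links to, then report pages that changed, appeared or disappeared, along with any link hosts that were not there before. The page paths, HTML and the pills.example.net host are constructed sample data.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkHosts(HTMLParser):
    """Collects the host of every absolute href/src URL (links, scripts, iframes)."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())

def snapshot(pages):
    """pages maps path -> HTML. Returns path -> (sha256 hex, frozenset of link hosts)."""
    snap = {}
    for path, html in pages.items():
        parser = LinkHosts()
        parser.feed(html)
        digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
        snap[path] = (digest, frozenset(parser.hosts))
    return snap

def compare(baseline, current):
    """Returns (path, kind, newly added link hosts) for every page that differs."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "new-page", ""))
        elif path not in current:
            findings.append((path, "missing-page", ""))
        elif baseline[path][0] != current[path][0]:
            added = current[path][1] - baseline[path][1]
            findings.append((path, "changed", ",".join(sorted(added))))
    return findings

# Constructed sample: the site as published, then the same site after tampering.
BASELINE = {"/index.html": '<p>Welcome</p><a href="/about.html">About</a>',
            "/about.html": "<p>About us</p>"}
TAMPERED = dict(BASELINE)
TAMPERED["/index.html"] += '<a style="display:none" href="http://pills.example.net/">x</a>'
TAMPERED["/cache/x.html"] = "<p>content the owner never uploaded</p>"

if __name__ == "__main__":
    for finding in compare(snapshot(BASELINE), snapshot(TAMPERED)):
        print(finding)
```

Hashing works as-is for static files; pages generated per request change on every fetch, so for those compare only the set of link hosts.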
Hosting Illegal/Objectionable Content
This is, again, a form of defacement of your website, but is more subtle and with a specific purpose. It can be difficult and expensive to secure hosting for illegal or objectionable content, so many of those who do such things will attempt to use other people's websites to host the content directly, instead.
This could greatly increase the cost of your hosting due to large amounts of photo/video content being loaded from it constantly; content you never intended to be there. You could even end up having your site closed down or, worse, you could potentially be subject to criminal or civil liability due to the content someone else put there.
If your website has any social element to it at all (forums, online games, or any other such interactive content), you will inevitably have users who will want to abuse what is available to perform some sort of mischief. It could range from something as simple as posting as another user to embarrass them, to 'hacking' into someone's online game account to steal virtual goods or just harm that user's account in some way.
Sites like Facebook experience untold numbers of this type of thing every single day, but these attacks have been used long before the term "social network" was in vogue. The key here is not to think in terms of "what would be useful to someone to hack", because this type of attack rarely serves any real purpose.
As confusing as it may seem, there are many, many persons on the Internet who simply love to embarrass or harm others, and will spend a lot of time and effort to do so, even in supposedly meaningless ways.
Hopefully, I've laid out some good reasons that your website needs to take security seriously. Literally no website in existence - no matter how 'small' or 'simple' - is immune to all of the things I have mentioned.
Again, I'm not trying to induce you to panic here. I simply want you to be aware that there are hackers out there who would love to take over your website, so you should be sure that whoever puts your website together is aware of the threats out there, and takes proactive measures against them. If you are not sure about that, feel free to drop me a line. Website security audits are one of the things I do, as an extension of developing websites to be relatively secure in the first place.