Cyber attacks on websites jumped 32 percent in 2016 compared to 2015 according to Google’s latest website security report.
But the bad news gets worse.
Google predicts the growth in the number of hacked sites is going to become a trend. Their experts are willing to bet that percentage will grow every year.
Why?
Hackers spend their time aggressively searching for every possible vulnerability in a site. As websites are updated, hackers step up their own game.
They’re effectively playing a long game of cat and mouse with your business.
So in light of this news and in case you haven’t read up on hacking and internet threats in a while, here’s a quick primer to help you understand Google’s report:
The Most Common Hacks
“Hacking” is a general term so over-used it is effectively meaningless.
In this case, a hack is an attack, but it is not a single kind of attack.
According to Google, hacked sites might be a website afflicted with user-generated spam. Cloaked images, keyword stuff, redirects, or poisonous links also throw a website into the category of hacked sites.
Essentially, Google looks for anything spammy about a site and puts it on a watch list.
This stuff may sound benign to the average person, but it isn’t.
It’s akin to cancer for your code.
For example, you’ve spotted the gibberish hack when you come upon a page filled with nonsensical words and phrases – normally keywords to boost the site on Google’s search ranking.
Google also lists the cloaked keywords hack as a prominent method.
This hack is more difficult to spot because the pages sometimes look like the original template. But, if you look closely, you can see words, images, or links that don’t belong.
In both cases, the unwanted content is hiding something malicious.
When you try to visit the page, the link redirects somewhere else. Often a pornography site, but sometimes more nefarious pages.
Why Have They Come for YOU?
Hackers have various motives when they go after websites.
While we can’t pretend to be in the minds of the anonymous attackers hiding behind their keyboards, some motivations are easy to discern.
If your site is privy to sensitive customer information, it holds valuable data for attackers. Credit card numbers, PII, and passwords are a mighty bounty for hackers.
Hacktivism is often spurred by political motives. Depending on your site, you might be hacked to send a social or political message.
Example: the Ashley Madison hacks in 2015 were the work of vigilantes.
Your business or website may not provide a platform for people to cheat on their spouses. But generally speaking, most businesses have enemies, even if those enemies are simply anarchists or anti-capitalists looking to take down the whole system.
Deploying malware is another common goal of hacking. By breaking into your website, the hacker can spread malware, which can mutate and spread further to achieve whatever aim was programmed into it.
The most concerning hacker incentive is fun. Some hackers simply want to vandalize your site because they can. There is no other reason. These hackers are hard to predict, which means you must be vigilant.
Mounting a Defense
You can’t prevent attacks, but you can prevent their success.
Google and any security company worth their weight in salt advocates taking preventative measures in securing your site.
Identifying vulnerabilities on your website is essential for closing the gaps and eliminating the holes hackers use to take over your site.
Google also recommends paying attention to announcements and updates provided by software and hardware vendors and any Content Management Systems.
Those updates often provide fixes for any backdoors identified by their own security teams.
You can also run a vulnerability scan on your site for a more thorough screening.
A vulnerability scan is not an antivirus scan. While antivirus looks for viruses and malware only, vulnerability scans cast the net wider while simultaneously diving deeper.
These scans will tell you about:
- Weak passwords
- Permissive coding (which lets hackers in)
- Out of date software
- Viruses hiding in admin system
When you can identify your website’s weaknesses, you’re better able to build up your defenses precisely where they’re needed.
Checking for Domain Name System (DNS) threats is also important and DNS monitoring is essential. As we told you in a previous post, DNS attacks have increased by more than 200%.
A good website monitoring service is also helpful. Website monitoring checks up on your site more often than you ever could (every 2 minutes from different locations) to make sure your site is up and running.
Having a site monitoring system in place is an effective preventative tool because if your site goes down, you’ll know immediately. No need to wait until you’re flooded with emails concerned.
Register Your Site with Google’s Search Console
Google isn’t able to warn every customer about their hacked sites. Google’s report noted “61% of webmasters who were hacked never received a notification from Google.”
Google isn’t doing this to be the bad guy – they rely on webmasters to verify their sites through Search Console to better be able to get in touch with them.
Registering your site with the Google Search Console is a simple and effective security measure with tangible benefits.
As Google says, “84% [of] webmasters who do apply for reconsideration are successful in cleaning their sites.”
Hacked Sites: The Bottom Line
Hacked sites can not only be taken down by hackers, but they often need to be removed to be cleaned on their own as well.
This is a huge deal for your company.
Industry surveys suggest an average loss of $5,600 per minute when a hacked site goes down.
After 60 minutes, the average to a business is over $300k.
That figure doesn’t include the time and resources required to fix your site.
The bottom line is no one can fully protect your site from being attacked. But you can change what happens after your site is targeted and to keep your website up and running.
The number of hacked sites will continue to grow over the next few years. Your site may be one of them.
What does your company plan to do to protect your website? Let us know in the comments.