Why and how hackers break into websites

Father

Today it is hard to find a company without its own website. For some it is an element of self-presentation; for others it is the main channel for selling their products or services.

As businesses move further into the Internet space, the number of crimes involving website hacking grows with them. Several factors contribute, three of which stand out:
  1. The low level of protection of most Internet resources.
  2. The variety of hacking methods, some of which require no special knowledge or skills.
  3. A sense of relative impunity among attackers.

In this article we look at which sites attract attackers most, and answer the basic questions: who hacks websites, how, and for what purpose.

Why do they hack websites?

There can be many reasons, from data theft to a desire to play a prank, as in the specific case of hacking a school or university website. Four causes are the most common:
  1. Disruption of business processes. The company's operations are halted while the web resource is temporarily unavailable or after it has been destroyed outright. As a rule this is an element of unfair competition; some groups offer site hacking as a paid service.
  2. Theft. Confidential information about the company's activities, customer data, or other information.
  3. Advertising. Links, banners and other elements are planted on the site; most often they lead to phishing or outright malicious sites.
  4. Extortion. Two scenarios are possible: a ransom demand in exchange for not disclosing data stolen during the break-in, or encryption of information important to the company using special software.

There are cases when a site is hacked with good intentions, to confirm that a vulnerability can actually be exploited and report it to the company's specialists. This is done by bug hunters, also called "white-hat hackers". Because the legality of this activity can be interpreted in two ways, bug hunters usually work through bug bounty platforms rather than searching for vulnerable resources across the whole Internet.

Ways to hack websites

Alexander Osipov
Director of Development of Cloud and Infrastructure Solutions at MegaFon

One of the most common attack vectors on web resources is weak authentication of users or site administrators, together with vulnerabilities in sites and web applications. Over the past 6 months the number of attacks on web resources, including phishing attacks, has increased many times over, and demand for solutions that protect against such threats has grown fivefold.

These risks can be reduced by raising awareness in the field of information security. MegaFon's Security Awareness training platform helps you understand, for example, how to create passwords that resist cracking and how to apply other important rules of cyber hygiene. The use of multi-factor authentication products will also significantly reduce this risk.

The easiest ways to obtain credentials or privileged rights within a resource are brute force and phishing.

The success of brute force is determined directly by the strength of the chosen password, and by whether the login form itself throttles failed attempts. A strong password will take centuries to guess; Qwerty123 and the other combinations that were popular last year take only minutes.

A huge number of companies face phishing attacks, primarily through email campaigns. Spam filters and a sensible distribution of privileged access partially solve the problem, but the effectiveness of this method can only be truly blunted by introducing digital literacy courses and repeating them at regular intervals.
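To make the brute-force arithmetic concrete, here is an added example in Python (written for this page, not code from the article or from MegaFon): it estimates offline cracking time from a password's character classes and length, treats a wordlist hit as instant, and then runs a simulated online guessing loop against a login handler that stores only salted PBKDF2 hashes and locks the account after five failures. The wordlist, the guess rate of 10^10 per second and the lockout threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for the "combinations popular last year";
# real attack lists hold millions of entries and are tried before any keyspace search.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "Qwerty123", "admin123", "letmein"]


def keyspace_bits(password: str) -> float:
    """Size of the search space in bits, assuming the attacker knows which
    character classes the password uses and must try the whole space."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def offline_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attack on a stolen hash (the rate is an
    assumed figure for a GPU rig): a wordlist hit falls at once, otherwise on
    average half the keyspace has to be searched."""
    if password in COMMON_PASSWORDS:
        return 0.0
    return 2 ** keyspace_bits(password) / 2 / guesses_per_second


class LoginGate:
    """Server side of an online attack: stores only a salted PBKDF2 hash and
    locks the account after MAX_FAILURES bad attempts, so password strength is
    not the only thing between the attacker and the account."""

    MAX_FAILURES = 5

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users are hashed against a
        dummy record so the response time does not reveal whether they exist."""
        if self._failures.get(user, 0) >= self.MAX_FAILURES:
            return "locked"
        salt, stored = self._users.get(user, (bytes(16), bytes(32)))
        candidate = self._hash(password, salt)
        if user in self._users and hmac.compare_digest(candidate, stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "denied"


def online_bruteforce(gate: LoginGate, user: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Attacker loop against the login form: try candidates until one works or
    the gate locks the account. Returns (password found or None, attempts used)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = gate.login(user, candidate)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts
    return None, attempts
```

Run against the constructed wordlist, the account protected by Qwerty123 falls on the fourth guess, while the account with a long mixed-class password is never reached: the gate locks it after the fifth failure, long before the keyspace estimate of the order of 10^47 seconds would matter. The two defences are complementary: hashing with a slow KDF raises the cost of the offline attack, and the lockout (or rate limiting) caps the online one.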

Alexander Gerasimov
CISO Awillix

Speaking of vulnerabilities in web applications, it is worth noting the OWASP Top Ten methodology, which describes the most relevant threats to web services. Vulnerabilities are divided into 10 categories and sorted by popularity. The statistics from our security analysis projects correlate fully with the OWASP Top Ten. Once every few years the categories change: some go away, some become more or less relevant. For example:

1. Broken Access Control: this category has become the most serious threat to web applications. For example, access to APIs without authentication, with the ability to send POST, PUT or DELETE requests.

2. Cryptographic Failures: a new name for the Sensitive Data Exposure category; attention is paid to errors that lead to the disclosure of confidential data. The category moves up to 2nd place.

3. Insecure Design: a new category in 2021 that focuses on the risks associated with deficiencies in the design and implementation of web applications.

Most often we encounter vulnerabilities related to the application's business logic, for example, the possibility of cheating points in a loyalty system, and so on.

As for how professional hacker groups hack sites: many of them specialise in specific tools, but they can just as easily go at everything "by brute force", checking the defences for obvious flaws.

Professional attacks are the most dangerous in that they are hard to detect. Companies often learn about a break-in after the fact, once the group that carried it out announces it or publishes the stolen data.
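As an added illustration of the two findings above (an API that serves unauthenticated DELETE requests, and loyalty-point logic that can be cheated), here is a small Python example written for this page, not code from the article or from Awillix. The store, the routes `/orders/<id>` and `/loyalty/redeem`, the session tokens and the two customers are all constructed assumptions; the vulnerable handler and the hardened one accept the same requests so the difference is only in the checks.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, message)


@dataclass
class Order:
    owner: str
    item: str


@dataclass
class Store:
    """Constructed backing data: two customers, one order each, 100 loyalty
    points each, and the session tokens their browsers would carry."""
    orders: Dict[int, Order] = field(
        default_factory=lambda: {41: Order("alice", "book"), 42: Order("bob", "lamp")})
    points: Dict[str, int] = field(default_factory=lambda: {"alice": 100, "bob": 100})
    sessions: Dict[str, str] = field(
        default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str] = None  # session token from the cookie, if any
    points: int = 0              # body field used by /loyalty/redeem


def _order_id(path: str) -> Optional[int]:
    prefix = "/orders/"
    tail = path[len(prefix):]
    return int(tail) if path.startswith(prefix) and tail.isdigit() else None


def handle_vulnerable(req: Request, store: Store) -> Response:
    """Broken access control and broken business logic in one handler: DELETE
    needs no authentication and checks no ownership, and the loyalty route
    accepts a negative redemption, which credits points instead of spending them."""
    order_id = _order_id(req.path)
    if req.method == "DELETE" and order_id is not None:
        store.orders.pop(order_id, None)
        return 204, ""
    if req.method == "POST" and req.path == "/loyalty/redeem":
        user = store.sessions.get(req.token)
        if user is None:
            return 401, "login required"
        store.points[user] -= req.points  # no range check on the amount
        return 200, f"balance {store.points[user]}"
    return 404, "not found"


def handle_hardened(req: Request, store: Store) -> Response:
    """Deny by default: every route requires a valid session, the DELETE route
    also requires ownership of the object, and the redemption amount is validated
    against both sign and balance before the state changes."""
    user = store.sessions.get(req.token)
    if user is None:
        return 401, "login required"
    order_id = _order_id(req.path)
    if req.method == "DELETE" and order_id is not None:
        order = store.orders.get(order_id)
        if order is None or order.owner != user:
            return 404, "not found"  # same answer for missing and foreign orders
        del store.orders[order_id]
        return 204, ""
    if req.method == "POST" and req.path == "/loyalty/redeem":
        if not 0 < req.points <= store.points[user]:
            return 400, "invalid amount"
        store.points[user] -= req.points
        return 200, f"balance {store.points[user]}"
    return 404, "not found"
```

Against the vulnerable handler an anonymous `DELETE /orders/42` removes Bob's order, and Alice redeeming -1000 points ends up with 1100; the hardened handler answers 401 to the anonymous request, 404 when Alice targets an order she does not own (so she cannot even enumerate other customers' order numbers), and 400 to the negative redemption.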

Pavel Yashin
Head of the iiii Tech Information Security Service

It is important to remember that the main purpose of hacking is profit, so one cannot speak of a single "most frequent" method. When building defences, different attack directions have to be taken into account. The most common types of website hacking are:

1. SQL injection. To close SQL injection vulnerabilities, you need to write scripts that check and process any text entered by the user, removing the injected text.

2. XSS attack, or cross-site scripting. There is a universal way to protect against SQL injection and XSS attacks: process everything entered in input fields before the text is written to the database or executed.

3. Brute force. To protect yourself from brute-force attacks, create complex passwords using special generators.

4. DDoS. A DDoS attack costs money, and the more powerful the server under attack, the more expensive it is. Expensive, massive attacks are rarely carried out against medium and small businesses, so protection services like Cloudflare and DDoS-Guard are suitable for them. Often the duration of a DDoS attack depends on the "free test" period that is offered to interested attackers for trial; usually this does not exceed 10-15 minutes.

5. Cross-site request forgery. On the site owner's side: generate secret keys for each session, without which a request cannot be executed. On the user's side: log out after visiting sites, even on home PCs.

Of course, keep in mind that cybersecurity is not a one-time exercise of evaluating, buying and configuring a security tool, but a constant, cyclical process.

At a time when the number of cyber attacks grows continuously year on year, security tools are becoming relevant to an ever larger number of companies. Even if "protecting ourselves" is not a priority right now, it makes sense to conduct a security audit and get a comprehensive picture of the current level of security of the company's digital resources.
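The following Python example is added here and is not from the article or its authors; it shows, in runnable form, the server-side fixes for three items in the list above: SQL injection closed by a parameterised query, in which the input never becomes part of the SQL text, XSS closed by encoding output for the HTML context, and CSRF closed by a per-session random token that the server compares in constant time. The in-memory SQLite table, the comment markup and the `/change-email` form are constructed for the example.

```python
import html
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed user table; the admin row is what an injection would expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "alice@example.com", "user"),
                      ("root", "root@example.com", "admin")])
    return conn


# 1. SQL injection: the user's input is spliced into the SQL text, so a value
#    such as  x' OR '1'='1  changes the WHERE clause and returns every row ...
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# ... whereas with a parameterised query the driver sends the input as data,
#    the quote characters are just characters, and nothing needs to be filtered out.
def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# 2. XSS: untrusted text is encoded for the HTML context at output time, so a
#    stored comment can never become markup or script in another user's browser.
def render_comment(author: str, text: str) -> str:
    return (f'<p class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(text, quote=True)}</p>')


# 3. CSRF: each session gets a random secret that must accompany every
#    state-changing request. A page on another origin can make the victim's
#    browser submit the form, but it cannot read the token to include it.
class Session:
    def __init__(self) -> None:
        self.csrf_token = secrets.token_urlsafe(32)

    def render_form(self) -> str:
        return ('<form method="POST" action="/change-email">'
                f'<input type="hidden" name="csrf" value="{self.csrf_token}">'
                '<input name="email"><button>Save</button></form>')

    def verify_csrf(self, submitted: Optional[str]) -> bool:
        """Call this before acting on any POST; a missing or wrong token rejects it."""
        if submitted is None:
            return False
        return hmac.compare_digest(self.csrf_token, submitted)  # constant-time compare
```

Note that the SQL fix does not try to recognise and strip "injection text" at all: the parameter binding makes the input inert whatever it contains, which is why it holds up against encodings and dialect tricks that a blacklist misses. The XSS fix likewise works at output, not input, so the same stored value can be rendered safely in HTML today and in JSON tomorrow.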

How to protect yourself from hacking

Despite the departure of foreign vendors, the Russian market offers enough classes of solutions to protect any infrastructure. At the same time, the best way to ensure a high level of security is secure development.

Oleg Boitsev
Head of the Cybersecurity platform TheWall

Anti-hacking is a big topic deserving a whole book, but in short: developers should follow a secure development process (SSDLC, Secure Software Development Lifecycle) and regularly carry out security analysis of their systems and penetration tests (pentests).

In our experience, the best security practice is to place a web resource behind a WAF, a firewall used to protect web applications from exploitation of web vulnerabilities. A WAF detects threats and protects the web application.

Preventively saturating the network infrastructure with security tools is especially important given the growing number of cyber attacks. Before this year it grew gradually, as a reaction to the growing presence of companies on the Internet; in 2022 it grew many times over.

Not only has the number of attacks increased, but so has their duration. Hacktivism has become widespread: resources in a particular segment of the economy are attacked for political reasons, even when the companies are not affiliated with the state.

Vladimir Astashov
Head of the SOC Group of the Digital Economy League's Information Security Practice

To decide whether to start integrating cybersecurity tools, begin with a comprehensive information security and IT audit. Here a comprehensive audit means checking that the measures taken to ensure information security meet the target level of security, and checking specific infrastructure settings for compliance with information security policies.

Among the markers, compliance with the regulatory framework comes first. Check that your organisation has all the necessary documents and regulations.

The next marker is the presence of service passports, network maps and an inventory of protected assets. The absence of this documented information indicates, at the very least, the need to collect information about the protected assets.

A security audit allows you to build a model of current cyber threats to the company based on the current state of its network infrastructure. In effect this is a transition from situational, reactive protection to systematic work on information security.

Protecting your site and the rest of the company's infrastructure is not only a reputational necessity but also a way to protect the organisation from the many costs associated with data leaks and interruptions of business processes during an attack. This is especially true given the latest regulatory requirements: in the near future Russian companies may face turnover-based fines for personal data leaks.
 