Table of Contents
Modern business runs off the web. Websites are employees who work 24/7/365 to market your company, make sales, provide services and so much more. Because of this prevalence and influence, websites often come under attack from cybercriminals hoping to compromise sensitive client data, steal money or information and disrupt key business services. Let’s look at three common website hacks and what you can do to prevent them.
Drive-By Attack
The Drive-By Attack is an incredibly malicious attack and one of the most difficult-to-detect common website hacks. In this attack, a cybercriminal compromises or gains access to a website with the intent of targeting visitors to the site. The hacker will then place hidden code on the site which activates when a new user visits it. The code starts a hidden download containing malware, ransomware, adware or another malicious program.
There are two types of protection against a drive-by attack. First, website owners need to be prepared for hackers and protect their sites. These protections are critical:
- Strong passwords and multi-factor authentication on website administrator accounts.
- Monitoring access to the site.
- Hosting the website and domain with a reputable vendor.
- Keeping the site and all plugins up to date.
These protections will help keep websites safe, but we can’t trust every site we visit to follow these precautions. The second type of protection we have as users of the internet, is that we should always protect ourselves by:
- Never going to suspicious or insecure websites. Secure websites will say ‘https:’ instead of ‘http:’ before the website address.
- Having a strong, behavioral antivirus on all your devices.
- Not using unsupported or end-of-life web browsers. Internet Explorer is an example of an end-of-life browser.
- Always keeping your web browsers fully up to date.
Beyond website attacks, email phishing is even more prevalent and affects a wider range – anyone with an email address could be targeted. Phishing is by far the most common cyberattack. Anyone with access to the internet can set up a fake email account and send out phishing messages by the thousands. Fortunately, there’s an effective technique to avoid becoming a phishing victim: the S.L.A.M. method! Learn all about it on our blog.
URL Poisoning
For website owners, URL poisoning is one of the worst types of common website hacks. This attack allows a cybercriminal to steal your traffic and visitors, discredit your website and perform drive-by attacks on unsuspecting users.
In this attack, a hacker gains access to the website’s domain name services (DNS) and redirects your website’s address to their own website. This allows the attacker to redirect all traffic from a legitimate site to their own platform for drive-by attacks, phishing attempts and other criminal tactics.
Protecting against this devastating attack is all about your domain. First, ensure your domain is hosted with a legitimate and reputable vendor. A new or unknown domain vendor will likely be more susceptible to attack than an established service or may be engaged in illegitimate activities themselves. Once the domain itself is secured, ensure your admin accounts for both the DNS platform and your website have strong passwords and multi-factor authentication enabled.
SQL Injection
The Structured Query Language (SQL) injection attack is used to target web services with database back-ends. Many web applications and cloud software as a service (SaaS) products use the SQL code language to run their hidden processes. If these applications aren’t configured correctly, a knowledgeable cybercriminal can make the server run commands through its user interface.
Here’s how this works: whenever you submit a piece of data or text string to a website, the back-end server has to ‘read’ that text. A very common example is a login page reading your username and password. If a SQL code command is inserted in one of these submission areas, the server is forced to read that command. Depending on the server’s configuration, it might not just read the command but execute it and begin following the cybercriminal’s directions.
Protecting against this attack is straightforward, but not simple. Your SQL servers must be configured to not execute any commands entered in through the user interface. Generally, this is done by ensuring SQL specific syntax, Boolean conditions, quotes and other critical characters or phrases are ignored by the server.
Worried About Your Website? Strategy Can Help.
Websites, online services, business networks, and other SaaS platforms aren’t going away anytime soon. Cybercriminals are constantly plotting to leverage their website hacks against new, vulnerable targets. If you are not 100% certain about your systems or network, let’s talk! A free IT and Web consultation is just the start of the cybersecurity advantage you’ll get from Strategy.
