It’s very easy to think that attackers wouldn’t be interested in your website - after all, even the biggest veterinary practice looks like small fry next to BA, or the NHS, or one of the big department stores. And that’s true, from a certain point of view - you have far fewer visitors. However, that also makes you an excellent target for people distributing malware, or trying to set up a botnet, or indeed any other “black hat” (aka “cybercriminal”) out there. In this blog, I want to talk about a worrying trend we’ve seen recently in terms of hacking attempts on what seem like really low profile websites.
Is there really a problem?
Yes, there is. We can measure the number of defeated or blocked attempts to hack websites - and this autumn (between 6th and 8th October, to be precise) there has been a 63% jump in hacking attempts across the network that we use for monitoring these attacks. This increased activity has been sustained for the last 2 weeks and shows no sign of dropping off - indeed, there was another 8% spike on top of that in the middle of last week. We don’t know why this is, but it seems to be a very generalised phenomenon, affecting a wide range of different sites and businesses.
To put this into context, one new practice website that we launched earlier this month has already had 10 serious attempts to break through the firewall, while a small charity whose website I run has in the last month had 76 attacks (we usually see a spike in attacks a few weeks after a new site goes live, as people realise it’s there; it then tails off, but picks up gradually the longer the site has been live). This is not a rare occurrence, and it’s something that’s happening all the time! In fact, there’s a fairly good chance that this website is being attacked as you’re reading this blog.
How do they attack?
Well, the good news is that the majority (about 95%) of attacks are so-called “brute force” attacks, where the attacking computer essentially tries to force its way through the firewall by trying every username/password combination. These are usually fairly easy to secure against (see below).
However, the remaining attacks are what’s called “complex” attacks, where multiple methods of probing the defences are tried simultaneously. These are harder to defend against, and harder to detect if they fail.
Who’s doing it?
That’s a difficult question to answer. We can certainly tell where the attacks have come from (the practice website is getting hit mainly from Russian IP addresses, whereas the charity one’s security logs suggest mainly US-based attacks). However, that does not necessarily mean that the attackers are based in these countries, as the majority of modern hacking attacks are done using “botnets” - computers all over the world which have been compromised by computer viruses, trojans or other malware, and used to launch attacks by a third party, who could be based anywhere in the world. The USA usually comes up pretty high on lists of attackers because there are so many computers per head in that country with good internet access!
What is the advantage of attacking a small business or charity?
If the attackers can install malware on the site, then the computer of everyone who visits will potentially be infected. However, that’s something of a “fringe” benefit for many cybercriminals, who love to infect a website (however small) because they can then use it as a “command and control” server for a botnet. Websites are, by their nature, hosted on computers that are optimised to send and receive vast amounts of information very fast (called servers), so a compromised website = a compromised server that the attacker can then use for their own purposes - perhaps to control a botnet, or even launch attacks directly.
However, the main reason small businesses and (especially) charities are specifically targeted is that the smaller you are, the less security you are likely to have on your website. The less security, the easier it is to hack in and take control.
How can we prevent attacks?
Fundamentally you can’t - the attacks will keep coming. However, you can usually prevent successful attacks. Brute force attacks can usually be prevented by avoiding using common usernames (e.g. “admin”) and using sufficiently complicated passwords (there’s great advice from the National Cyber Security Centre here). Even then, though, without any other protection, a powerful enough brute force attack could “get lucky” and crack the system.
A better solution - and one that offers protection against complex and other sophisticated attacks as well - is to use dedicated security software. In the same way that you (hopefully…) use antivirus software on your computers, you should also have a good firewall and antimalware software on your website.
We use a hosted service that provides industry-grade protection to all our websites; however, there is a free service called Wordfence that can provide reasonably effective security for any website built in WordPress (there are other systems for other platforms, but we only use WordPress). Please feel free to get in touch if you need to discuss this further!
If you do nothing else today, check the security on your website. I promise you, other people are doing so already, whether you know it or not!