+1 (213) 200-4379

The Best Target for Hackers

By Daryoush Ashtari

Hackers are programmers that know more than ordinary programmers and can take control of a website, server, mobile device, or computer without your permission. They have different purposes to do this. Some are looking for something valuable to sell them on the black market, some hack a chain of devices to lose track and hack a big company. Sometimes, they try to find some personal and private info and ask for ransom, spread a computer virus, distribute spam, host illegal adult content, and sometimes they have political reasons or check a chain of websites and servers to lose track and hack a big server. No matter what they do, the owner of the mobile device, computer, server, or website is the one that loses something. What they lose will depend on whether it was a personal computer, a personal mobile device, a corporate server, or a personal or corporate website. But, if what has been hacked is a server or website, no matter if it is personal or corporate, what has been taken from it, they lose one thing in common. People’s TRUST.

These are the most common reasons for hacking.

But who are their best targets?

Startups, small businesses, and home-based businesses are the best target for hackers. Why? They have:

  • many contacts, valid email addresses, (even probably more information such as full name, city, state, country, personal interests, purchase habits, …)
  • lots of information, real online buyers, medical and health history,
  • sometimes private information about their users,
  • they don’t know or don’t care about the value of the information and data they have, and
  • are ignorant of security issues.

Why?

They usually do not pay attention to security issues, warnings, alerts, and recommendations. And as far as their homepage has not been defaced1 or their website is up, they think they are fine. When you talk to them about security, they usually say:

  • It happens to others, not me, or
  • I don't have anything important, so I don't care, or
  • I take a backup and whatever happens, I just upload my backup again, or
  • Security is a fancy thing for big companies to waste their money on.
  • Some other reasons

These excuses make home-based and small businesses the best target for hackers. They are vulnerable, unprotected, and have lots of information. So, why does a hacker waste his time hacking websites that are behind strong firewalls?

The Reasons

Many reasons make small and home-based businesses to be the best target and these are just the most common reasons:

  • They usually use free and/or open-source CMS frameworks, like WordPress
  • They use cheap shared hosting,
  • They do not spend money on the security of their system and just rely on free security plugins that are open-source too and all their bugs and vulnerabilities can be found by hackers.
  • They have lots of clients and leads.
  • When they are hacked, they don't take any legal action and just re-upload their website. So, their codes are still there, and they can continue or resume what they were doing.
  • They rely only on their own backups.
  • They don't hire professional developers and cannot fix the vulnerabilities, so if for any reason their malicious code is removed from the website, by using the same vulnerability, they can re-insert their codes.
  • They are not aware of legal requirements for their websites, nor does the cheap developer they hire.
  • Sometimes, what they spend in one year for plugin updates and maintenance is more than the cost of hiring a professional to build a website for them from scratch by coding.

Home-based and small businesses usually do not pay a professional programmer to create a website for them. They use free CMSs such as WordPress or Joomla. These CMSs have security bugs themselves. Some of the themes and plugins have security issues as well and they are all open-source. So, it is very easy to access the codes and find the vulnerabilities and use them to hack the targeted website or a series of websites.

Most Small business and non-professional developers are not familiar with the standards. For example, in a medical website where patients can contact doctors and make direct and private consultations must store patients' information encrypted. Creating such a website with an open-source platform is a mistake because not only they are open source and their codes and vulnerabilities can be found easily, they store information unencrypted, while according to HIPAA standards, all private and critical information must be stored encrypted. If you accept credit card information on your website and store your client’s payment details, does your website comply with Security standards?

Small businesses do direct contact with their clients. So, their website holds lots of information about the people that are interested in buying something or have already paid for something, and their credit card information is already there. In any case, stealing such a list is valuable to them. They can sell the list on the black market and/or steal their money.

It is not easy to find people that might be interested in what a small business offers and collect their email addresses but is easy to lose them. Such kind of information is vital for any business and losing it may cause them to shut down their business or change it or start from the beginning.

All these make small businesses the best target for hackers because when they hack them, they have access to a large amount of data, and no one knows.

How can you find out if your site has been hacked or not?

Usually, people believe that if the home page has been defaced, the site has been hacked. But this is not true. And some people take a weekly backup and scan it with the Antivirus software that has been installed on their Windows PC (and again might be a free one) and thinks if the computer antivirus says it is clean, then it is clean and does not contain any malware.

Desktop anti-viruses are being created to protect your Windows computer and scan Windows-based scripts and binaries, not server-side scripts. So, if your site got hacked, re-uploading your recent backup cannot solve the problem. How do you know that your backup is safe and malware-free? Also, if this could solve the security problem, we would hear every year that hundreds of thousands of credit cards are stolen, a data breach has happened on a website, and millions of records of people’s information are stolen, …

Besides, all the security efforts are to prevent such things from happening. All security recommendations, programs, services, and tools are to prevent or minimize the threat. When your precious list of clients or prospects has been stolen, it is gone.

Hackers work behind the scenes. They can hack your website, steal information, and insert malware code into your pages without noticing. All websites are checked every three-four months and if malware is found, the site is marked. In such cases, when you try to visit the site, your browser shows an alert message saying that the site is distributing malware or virus, or it is an attacker’s website, and it is not safe to open it. Of course, this happens if the hacker tries to distribute malware, but if they want to steal your precious data, no alert will be given. In such a case, how can you find out if your website has been hacked or not?

How can you find out that your website is sending spam emails that are not yours, or …

How can you really make sure that your clients' lists and info are safe when no desktop antivirus cannot identify the real threat?

How do you know your website is safe or hacked?

Remember, hackers, do not contact you and say "Would you mind if I hack your website and take your clients list or do whatever I want?" They do whatever they want without your knowledge and consent.

 

RECOMMENDED RESOURCES

Join PurpleBiz