Understanding the goals that online criminals have can help us understand why sites are at risk. I’ve often come across site owners, especially of smaller sites and blogs, who disregard the risk because they think: “Why would anyone want to hack my site? It’s not important and there’s nothing to be gained.” In consequence they fail to update in a timely fashion.
That’s a mistaken way to think about online security. All sites are vulnerable because all sites have something that hackers want: bandwidth and an online presence. Your site may not be especially valuable or sensitive in its own right, but it can be put to work as part of a botnet or used to infect web users with malware.
In a recent well-publicized attack, the site of the celebrity chef Jamie Oliver was hacked. The goal and the technique of the attackers are instructive.
The iFrame included a redirect to a compromised WordPress site. It was a legitimate site that had been exploited and was being used as a gatekeeper and filter. Victims were redirected to the WordPress site, and, if they fulfilled a couple of criteria — they weren’t using a VPN and they hadn’t visited before — they would be redirected once again. The attackers don’t want to redirect VPN users because VPNs are a common tool of security researchers. Repeat visitors were probably regular users of the site; it is in the hackers’ best interest not to tip users off by infecting them, because then the staging site would become useless.
The second redirect was to a malware-riddled site that attempted to infect unpatched systems through a variety of vulnerabilities. The aim was to install a malware dropper that would later be used to install a full malware payload and backdoor.
The middle-man site, and Jamie Oliver’s site, were more than likely infected as the result of an unpatched system or stolen credentials (although there’s no firm indication either way). The important point is that the site being used to filter the attack victims had no value to the attacker except that it was a website with some bandwidth and they had access to it. There’s nothing to suggest that users of that site in particular were the target — it was simply a staging post.
And that’s why every site owner needs to keep on top of updates and security best practices. Online criminals will exploit any chink in the armor, and most of their attacks will be completely invisible to the owners of the site and to ordinary users.