Benjamin Hosack

According to a recent study conducted by Google in collaboration with UC Berkeley, 760,935 websites were compromised between July 2014 and June 2015.  That is a considerable number of hacked websites, with the downtime and onward infections of those websites’ visitors that go with them.

Sure, Google alerts webmasters that their websites have been hacked so that they can get working on fixing the issue.  The problem is that they have already been hacked, malware uploaded, customer bases stolen, payment card data stolen and they now have to throw a lot of time and effort into fixing the problem.

(Figure: compromised website statistics from the Google/UC Berkeley study)

According to the study, WordPress websites make up nearly half of the compromised websites – not a surprise given that WordPress powers roughly 25% of websites globally.  The issue comes down to those building and managing the websites – they don’t understand how to protect their websites and so fall prey to attackers, often very easily.

The Hacked Web Design Agency

A recent forensic client of ours, a web design agency in New York, was introduced to us to get help sorting out one of the websites they managed.  The agency had been informed by one of their clients that the client’s bank had told them their website had been hacked and needed an investigation.  An embarrassing situation for the web design agency that was supposed to be managing the website – they did not even know that something untoward had been occurring on it, so on receiving this notification from their client they quickly contacted our team for assistance.

Within hours we had deployed our FGX-Web web security solution, detected the offending malware and provided instructions to the web design agency on how to clean up the website – and what to do to “harden their security” across their client base.  A considerable amount of work was invested by the web design agency in cleaning up and securing this website – all unpaid-for as they were supposed to be delivering a secure website in the first place.

The initial result for the web design agency was a very unhappy client – a very high profile fashion retailer who was undoubtedly paying a lot of money to the web design agency to maintain their website.  With the effort put in to rescue the situation, the web design agency managed to retain their client. 

During the clean up process, the web design agency requested assistance from Foregenix to look at a few other clients of theirs – confirming a second data compromise on another eCommerce website (don't most agencies publish a portfolio of clients?  An easy way for an attacker to identify who else to target...).  Fortunately, this enabled the web design agency to be proactive with the second hacked client, which in turn helps to reduce the financial penalties associated with stolen payment card data.

FGX-Web is now monitoring all of this web design agency’s clients – including non-transactional websites.  Proactive, managed security monitoring enables them to focus on their strengths with the back up of a specialist team.

The statistics from Google indicate that many organisations/people are building websites with little to no security – which is resulting in record-breaking numbers of hacked websites each quarter (have a read of the Global Fraud Attack Index – the numbers are consistently and rapidly climbing).

According to the Global Fraud Attack Index, the beginning of the rollout of EMV in the US has already had a significant effect on the levels of attack against online businesses – it is clear that fraud is already accelerating with its migration online in the US. 

How do we combat this growing issue?

Education.  Within the payment card industry, education begins with the acquiring banks and processors – the organizations that support and process transactions for the masses of eCommerce businesses globally. 

As we have improved security in the card-present environment with EMV/Chip and PIN – and seen fraud levels drop – so we need to improve the security of the online world.

Consider that payment technology for card-present transactions has to meet many specific security certifications; in the eCommerce world we have very little that comes close to ensuring that the supply chain supporting the many thousands of online businesses is operating in a secure manner.

Sure we have PCI DSS – but if a website outsources their payments via a redirect/hosted payment page, everyone supporting that website (web designer, hosting provider, payment service provider) assumes the payments are secure and that's it for security.

Think again.  If the only thing on the website that is secure is the hosted payment page – which is built and maintained by the secure payment service provider – it is only a matter of time before the website gets hacked and attackers modify the payment process.  Sounds far-fetched, doesn’t it (see our blog article on iFrame Interception)?  And surely the web design agency or website owner would pick up the modifications…?  No, unfortunately they don’t.
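The modification the paragraph describes, a changed checkout script or an extra file dropped into the document root, is exactly what a file-integrity baseline catches, and the reason agencies miss it is that nobody is comparing the live site against a known-good copy. The following is an added example, not Foregenix code and not FGX-Web: it hashes every file under a web root, stores the result as a manifest, and reports what was modified, added or removed since the baseline. The directory layout, file names and the tampering scenario in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not the product or the agency's code): a minimal file-integrity
# baseline for a web root, so a changed checkout page or an unexpected new file is
# noticed by the people running the site rather than reported later by a bank.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    manifest = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Return paths that were modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a site is deployed and baselined, then its checkout
    script is altered and an unexpected PHP file appears. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "js").mkdir()
        (site / "index.html").write_text("<html><body>shop</body></html>")
        (site / "js" / "checkout.js").write_text("postToHostedPaymentPage();")
        baseline = build_manifest(root)

        # Simulated tampering (constructed): checkout script changed, extra file dropped in.
        (site / "js" / "checkout.js").write_text("postToHostedPaymentPage(); // altered")
        (site / "uploads-cache.php").write_text("<?php /* unexpected file */ ?>")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points: the baseline manifest must live somewhere the web server cannot write to (an attacker who can change checkout.js can also rewrite a manifest stored next to it), and the comparison has to run on a schedule that is shorter than the time you are willing to leave a tampered payment page live.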

According to the Google study, the vast majority of hacked websites first learn of the compromise when Google notifies them.  This is after the fact – usually well after the damage has been done and the website is blacklisted.

Education is key.  Understanding and educating the eCommerce ecosystem should be a priority for acquiring banks and processors looking to reduce their risk of card scheme penalties.

Technology.  There are technologies available that “bake” security into websites – very effectively and cost-efficiently.  Understanding that these technologies are needed on a website is the challenge – however, nobody would consider opening a shop on a busy road to sell their goods and not put in place basic security.  The internet is just the same – although probably more dangerous in that attacks take place a lot more frequently - and anonymously. 

Statistics from websites protected by FGX-Web show an average time between attacks being less than 5 minutes.  Every 5 minutes a website is being probed/attacked.  Think about that – especially if you own or manage websites.  Or if you process transactions for websites.
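The "time between attacks" figure above is something any site owner can measure from their own access logs rather than take on trust. The following is an added example, not Foregenix code and unrelated to how FGX-Web computes its statistics: it parses Apache/nginx combined-format log lines, flags requests that look like automated probing (traversal sequences, scanner targets such as wp-login.php on a site that is not WordPress, injection payloads in the query string), and reports how many probes were seen and the average gap between them. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from datetime import datetime
from statistics import mean
from urllib.parse import unquote

# Added example (not product code): measure how often a site is probed from its own logs.

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Deliberately generic indicators of automated probing; tune to the site you run.
PROBE_PATTERNS = [
    re.compile(r"\.\./"),                           # directory traversal attempt
    re.compile(r"/(wp-login|xmlrpc)\.php"),          # mass-scanner targets
    re.compile(r"(?i)(union\s+select|<script)"),     # injection payload in the URL
]


def parse_line(line: str):
    """Parse one combined-format log line, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": unquote(m["path"]),   # decode %20 etc. so patterns see the real payload
        "status": int(m["status"]),
    }


def is_probe(entry: dict) -> bool:
    return any(p.search(entry["path"]) for p in PROBE_PATTERNS)


def probe_gaps(lines) -> list:
    """Seconds between consecutive flagged requests, in time order."""
    probes = sorted(
        (e for e in map(parse_line, lines) if e and is_probe(e)),
        key=lambda e: e["ts"],
    )
    return [
        (b["ts"] - a["ts"]).total_seconds() for a, b in zip(probes, probes[1:])
    ]


def summarize(lines) -> dict:
    entries = [e for e in map(parse_line, lines) if e]
    probes = [e for e in entries if is_probe(e)]
    gaps = probe_gaps(lines)
    return {
        "requests": len(entries),
        "probes": len(probes),
        "mean_gap_seconds": mean(gaps) if gaps else None,
        "sources": sorted({e["ip"] for e in probes}),
    }


# Constructed sample log (not real traffic): three probes among normal requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.9 - - [01/Mar/2016:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 404 213',
    '10.0.0.7 - - [01/Mar/2016:10:01:40 +0000] "GET /products/42 HTTP/1.1" 200 8810',
    '203.0.113.9 - - [01/Mar/2016:10:03:05 +0000] "GET /index.php?id=1%20union%20select%201 HTTP/1.1" 200 4401',
    '198.51.100.4 - - [01/Mar/2016:10:06:50 +0000] "GET /../../etc/passwd HTTP/1.1" 404 150',
    '10.0.0.5 - - [01/Mar/2016:10:07:00 +0000] "POST /checkout HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On a real log the interesting output is not the mean so much as the trend: a mean gap that keeps shrinking, or a single source IP responsible for most of the flagged requests, is the kind of signal the agency in the story never had because nobody was looking at the logs at all.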

The numbers of websites being hacked each quarter are rising – eCommerce is an easy target:

  • Attackers have the anonymity afforded to users of the internet.
  • Most websites are not protected.
  • Most website design agencies are not specialist web security gurus.
  • Attackers are “generally” specialists. It’s an unfair contest with the advantage being given to the attackers.

How Can We Fix The Situation? 

The situation can be fixed through:

  • Education.
  • Technology. 

If you're looking for more information on website security, please download our ebook, 7 Tips to Secure Your Website.


Benjamin Hosack

Benj Hosack is a Director and co-Founder of Foregenix Limited. Foregenix is a specialist information security business delivering services in Forensics, PCI DSS, PCI P2PE, PA-DSS and information security solutions within the Payment Card Industry. Our technologies are designed to simplify security and PCI Compliance. Specialties: Cardholder Data Discovery - defining and reducing PCI DSS Scope / PA-DSS / PCI DSS / P2PE / Account Data Compromise Investigations. We are specialists in the Payment Card Industry and work with all types of companies in the payment chain (Acquiring banks, Processors, hosting providers, web designers, merchants, systems integrators etc).
