Why Hackers Want YOUR WordPress Website

We hear it all the time,

“What do hackers want with my little WordPress website?”

Or,

“How did they manage to find my WordPress website?”

We’ll address both of those issues here.

First, “What do hackers want with my WordPress website?”

The quick answer is: MONEY!!!

To which, you’ll probably respond with, “I don’t have an e-commerce website, so…”

Not to give cybercriminals any credit, but they know human behavior. They know it well. Their livelihood depends on it. They know that roughly 25% of all websites are WordPress. That’s a huge market. It’s maybe why you develop WordPress websites.

They also know that many WordPress sites are self-created. In other words, someone with some degree of technical competence attended a class on WordPress and after finishing determined they could create their own WordPress website.

That’s great for WordPress, but not so good for the website owner because now you have someone with just enough knowledge to create a WordPress website, but no where near what they should have. They don’t know about securing a website, other than to install some plugins and consider that task done.

Their opponent, the cybercriminal, knows almost everything about them.

They have to know their market. Their income depends on it. They know there are basically 3 different type of WordPress website owners. They know the strengths and weaknesses of each.

The cyber criminal will perform very specific attacks to try and “fly under the radar”. Their primary target, or as some refer to them as, “low hanging fruit” is typically #1 below.

Keep in mind they are usually residing in a country with no extradition to the US or they are hiding behind multiple levels of servers in various parts of the world. In order to track them down, you would to obtain and then analyze the log files from many different servers in many areas of the world. Getting that kind of cooperation is generally not possible.

We believe there’s really 3 different groups of WordPress website owners:

  1. The self-creator. This person is one we just described. They’re not really a Web Developer, but through any various means, learned how to create a WordPress website. This may have been through online courses, a school, friends, trial and error, etc. They like the idea of being self-sufficient. As they’ll usually tell you, “I know enough to be dangerous!” Their chances of being infected is extremely high. This group of people believe that hackers don’t want their site, or that hackers can’t find their site. That type of thinking is considered “security by obscurity”. Your website is safe as long as you believe the hackers don’t want it. This makes their website – low hanging fruit.
  2.  

  3. The minimalist. This type of website owner pays to have someone else create it for them, but at the lowest cost. They might find someone on one of the contractor websites and select the lowest bid. This leaves any kind of maintenance out. If they’re lucky the developer told them to keep WordPress updated and all plugins too. Will they listen? Maybe. These people will typically “try to remember to update once a month.” The person who developed the website may have installed 2 or 3 free security plugins. This person has a better than 50% chance of getting their website infected.
  4.  

  5. The professional. This person carefully selects a web developer, discusses the purpose of the website and then watches as it evolves through to completion. This person knows they don’t know enough about the intricacies of WordPress, it’s plugins and themes – nor do they want to spend their time learning. It’s not what they want to do with their time. They’re the type that will pay a monthly maintenance fee to keep everything updated, monitored and fresh. Their chances of getting infected are going to be extremely slim. They look at paying a monthly maintenance fee as insurance. It’s not guaranteed to prevent an infected website, but if it is infected, someone is already responsible for getting it remediated.

It’s obvious from the above that if you can afford it, the 3rd option is the best.

Why do hackers want your WordPress website?

Money.

How do they make money from infecting your website?

Their methods are many.

Lately one of the more popular ways is to add infectious code to your site so that visitors will have their local device (Mac, PC, tablet, phone, etc.) infected with a Remote Access Trojan (RAT). Once the RAT is in-place, they can encrypt all of your files and demand a ransom. This is commonly known as ransomware.

Or, they will install keyboard loggers on the visitors local computer. Knowing there are soooo many WordPress websites, the keyboard logger will record the login URL, the username and password and send it to the hacker’s servers where their automated process proceeds with the website infection.

These same keyboard loggers will also steal banking login credentials. Often time that information is sold to other cyber criminals like in the is hacker forum:

That pays quite well and their exposure to being caught is extremely thin. Low risk, high payoff.

They can send spam from your website. This doesn’t pay well, but if the spam is phishing emails, looking to trick someone into entering their login credentials on a bogus website, it can pay off quite nicely. Enough people fall for this scam – so it pays well. They can resell the stolen login credentials on the hackers forums as well. 

The cyber criminals will upload PHP, Perl or Python files that will take a POST string. That POST will tell the program where to go to get the list of email addresses, subject and message and then use the local resources of the website account to send the spam emails.

Again, decent returns on investment and very low risk of being caught.

Another method of the hackers is to upload their spammy fake shopping files. Typically this has been a folder like boptir or some other nonsensical name. There are various PHP files and no extension files that are fake shopping files. Sometimes these are first noticed in your Search Engine Results, other times, your hosting provider will be notified and they’ll deactivate your hosting account until you get them cleaned up.

Driving traffic is another source of income for cyber criminals.

This is typically known as Pharma Infections because they’re usually driving traffic to fake pharmacy websites. This method is also used to send mobile device visitors to adult oriented websites.

Often times we see these types of infections embedded in the database of a WordPress website. Our root cause analysis finds many of these are the result of either an easy to guess administrator level password on a WordPress website or the hackers have stolen the password with a password stealing trojan on the administrator’s local computer.

These are a few of the more common methods cyber criminals use to make money. Every website they can infect adds to their bottom line.

Being that they’ve developed many, many automated processes, this all requires very little of their time. When there is very little risk of being caught, and a good opportunity to make money, you’ll have criminals.

How did the hackers find my WordPress website?

This could probably be sectioned off into it’s own blog post, but here goes.

As stated above, hackers know human behavior, but they also know technology. They have automated so many of their procedures that their workload is probably minimal.

How do we know?

When you see certain activity in the log files and time between each log entry in their attack, is incredibly short, you know it’s an automated attack.

We also see in some of the forums and groups the hackers “lurk” in, we see them advertising tools to automate various attacks.

Our processes also look for patterns of attack. Some of these patterns include demographics. For instance, in January 2016, we saw a pattern of infected websites for attorneys in Florida.

Coincidence?

I don’t think so. We’ve seen other similar patterns. In August 2016, we saw an influx of infected websites for lawn care companies in Ohio, in September of 2016 Magento based websites selling jewelry.

Could it be easily explained as just happenstance?

Maybe, but month after month we see patterns. Our belief is that hackers have so many websites to attack that they’re actually narrowing their attack vector by selecting certain demographics before they launch their attacks.

If you’ve spent any time optimizing your website for Search Engine Rankings, it might also make your site rank higher in the eyes of the cyber criminals as well.

Risk versus Reward. It’s prevalent in the cyber criminal business. Don’t get caught unaware. Please share this with your social media outlets. Everyone must be informed.

Often times, if somene gets the information from you, they’ll trust it more. Pass this on to help all of us fight the good fight and keep hackers out of our websites.

Thank you.

Sharing is caring!

Thomas J. Raef

traef@wewatchyourwebsite.com