Report finds many people leaving big security holes that attackers are using for dirty deeds.

It can be easy to set up a website these days. Some companies promise DIY sites with a quick install, within minutes. No wonder there are one billion sites currently out there on the Internet, from your next door neighbor’s pug blog to the biggest brands in the world. 

But if your website is suddenly running more smoothly than ever, you may have help—attackers, who are secretly managing your site for you so they can abuse your assets and make money off of your domain.

“It reminds of me when you have a little brother,” said Tony Perez, CEO of security company Sucuri in a recent web presentation.

The attackers will protect your site from other attackers, he explained, so they can be the only ones to profit off of your back. 

“Someone tries to beat up your little brother. You’re, like, ‘No, this is my little brother,’” he said.

Problem is, you may not know you have a big site brother both protecting you and thumping on you—until you get a nasty note from your visitors or from Google itself, according to Sucuri.

Lessons from infected sites

The company cleans up infected sites—thousands of them each month, according to founder Daniel Cid. From their suffering, you can learn what goes wrong and how to avoid it.

Sucuri looked at infections in more than 11,000 sites that use the popular content management systems WordPress, Drupal, Joomla! and Magento in its Website Hacked Report 2016 – Q1.

More than half of the infected WordPress sites had out-of-date software, meaning that the web masters had not updated all of the pieces and parts that make the web site run. Unpatched software can have major vulnerabilities that let the bad guys walk in and take over.

The numbers were worse for the other content management systems, the company’s report said—81% of the Drupal sites infected were out-of-date, as well as 84% of the Joomla! sites, and 96% of the Magento sites.

“That’s a lot of outdated sites,” said Cid.

It’s not the fault of WordPress or the other content managements systems, he said, but instead, the people using those platforms.

“People are using their websites and their managing their websites in an insecure way,” he said, despite the relative ease of updating the components of a website. 

“Just click, update. Most of them simple. And we’re still not doing that,” said Cid. “We are really bad at website management.”

Everyone is a webmaster

As more people set up sites, more people take on the role of webmaster. That may be a bigger job than some think.

“There is a sharp drop off in the knowledge required to have a website, which is breeding the wrong mindset with website owners and service providers alike,” Sucuri’s report said. “This leads to a rude awakening for website owners as established entities, like Google, take a hard stance against malicious websites.”

It’s not just small sites. Security company RiskIQ checked on 30 large companies in Britain and found that at least 3 out of 10 had WordPress or Drupal sites with security issues.

“The fact is that even large organizations are faced with the same challenges as everyday website owners (i.e., bloggers and small businesses) of staying current as new updates are released to address all issues, including security patches,” the Sucuri report said.

The computer systems of Mossack Fonseca—the law firm behind the “Panama Papers” hack—were “riddled with security flaws,” according to WIRED, including a very out-of-date version of Drupal.

“The idea of patch and vulnerability management are not new concepts in the world of security or technology,” the Sucuri report explained. “But in the world of everyday business operations, the non-technical staff, it is.”

Your big brother

What is your big brother doing on your site? Once he sees you have a security hole, he builds a backdoor, a way to get in and out of your site without you finding out, Cid and Perez said.

He may patch your site, doing the updates that you are not doing, so he can keep you to himself.

“They manage the sites that they ‘own’ really well,” said Cid. “They do everything.”

“The attackers are actually implementing good asset management,” said Perez.

Then the attack really begins. Five to ten years ago, it might have been a defacement on your home page.

“’Your security sucks,’” Cid gave as an example defacement. “Now, we rarely see that anymore.”

“Now, it’s all about money,” he said.

How they’re making money on your site

Defacements are in-your-face, sending a taunting message to the webmaster. Now, many attackers are trying to hide as long as they can, according to Cid.

“Their goal is to maximize the time on your site,” he said.

They may inject malware, use your site for phishing or carry out an ‘SEO [search engine optimization] spam’ scheme, all potentially hard to uncover, Sucuri said.

For example, someone visiting your site might come away with malware. Or they might be re-directed to an adult site, a casino site, or another site that can infect their computers with something nasty.

Secret spam

More than 30% of the 11,000 sites were being used for SEO spam campaigns, reported Sucuri, often for drugs like Viagra and Cialis, or for gambling and porn.

“SEO Spam is designed to use your search terms and traffic against you by infecting your sitelinks with references and links to things not on your site,” wrote Sucuri’s Fernando Neto in a 2014 blog post. “It provides an attacker the opportunity to cheat the system by quickly benefiting from your raw traffic, your audience.”

Attackers might hide links to their site in your site, so that their site moves up in search engine rankings. They may add the secret links to the site footer, index or header files, Cid explained in SC Magazine.

Neto described the possible negative effects of SEO spam.

“These dirty search terms can lead people to think your website is hacked (‘Why is a food blog leading me to a Cialis ad?’) and bring about a loss of trust in your brand, which has a direct correlation in reduced traffic, lessening search volume,” he said.

In addition, he said there can be economic impacts, like reduced sales and traffic, and your website can get blacklisted by search engines like Google.

Be your own big brother

One solution may be to become your own “big brother,” capable of managing your own site better than the bad guys.

“Nobody talks about website administration because it’s not sexy,” said Perez. That may need to change.

Cid and Perez suggest you start by making a list of your sites.

“I’ve talked to large organizations. We say, ‘We’d like to help you. How many web sites do you have?’ ‘I have no idea.’ These are websites with good governance in place,” said Perez. “You can’t secure what you don’t know you have.”

The next step—your site components.

“You list all the necessary plug-ins and models that you need to be running on each one,” said Cid.

“How many organizations come to us—‘I was compromised,’” Perez explained. “‘This is the vector,’” Sucuri responds, according to Perez. “‘Oh, I didn’t even know I had it,’” the organization says.

Then, plan for monthly updates, like your own “Patch Tuesday”—the unofficial name for the day when Microsoft sends out security updates for its software—said Cid.

“Repeat every month,” he added. “Simple stuff, simple stuff.”

“Security is a continuous process,” said Perez. “It’s not a static state.”