Posted March 14, 2018
Think you’re too small to be hacked? Do you have “nothing to hide”? Well then, listen to this cautionary tale from our own experience.
One Thursday afternoon, whilst I was returning from the gym, Alex called me: “Have you had a look at the website? I think we’ve been hacked”. My mind raced: How did they get in? What was compromised? Is any sensitive data at risk? I knew hacks happen to companies much larger than us, but we’re supposed to be a security company!
Investigating the Problem
I immediately rushed to the office to investigate the issue. Somebody had defaced our website with the phrase “Hacked by CTZeN”, although nothing else seemed to have been changed. After some online research, we saw that many other WordPress websites had been similarly defaced. Looking up the domain registrations of the affected homepages, we found that they all shared the same domain name server.
Consequently, we notified our web host to investigate the problem further, trying to find out whether the root cause was a compromised server on their end. Responding quickly, our web host investigated the problem and restored our website from backup. Shortly after, we learned what had happened.
Somebody had scanned the internet for hosts exposing known WordPress plugin vulnerabilities, thus targeting anyone who had not updated WordPress recently. Once a vulnerable site was found, code was injected automatically to deface it with the phrase “Hacked by CTZeN”. This attack did not allow the hacker to gain access to any sensitive internal files or emails. It’s comparable to somebody spraying graffiti on an office building – it’s annoying, but everything within the building is still safe. Subsequently, we ensured that everything was up to date and restored the website online. As a result of this scare, we are now updating our website daily and creating weekly backups.
Most likely, the attack was the act of a “Script Kiddie” – a newcomer to the field of hacking trying out what they learned in the wild. However, this doesn’t mean that we couldn’t have been targeted by more sophisticated actors. The fault was with us exclusively. Implementing a regular update policy is crucial for businesses of any size. Being a start-up in the chaotic launch period is not an excuse. Thankfully, the incident was resolved within an afternoon, but this was due to luck. We could have faced more severe consequences – events last year have shown that the same mistake has had devastating effects on other businesses.
Even when you are constantly thinking about security, you can make risky mistakes. To minimize this, we recommend you make security policies like updating as automatic as possible. Automation is best in this instance, and many programs have an automatic update feature. In our case, we’ve installed the Companion Auto Update plugin to keep our website up to date. When automating is not possible, creating habits around security helps. For instance, you could make it a routine to check for updates as the first thing in the morning or the last action at the end of the working day. Such behaviours should be backed by an official update policy for your company and by somebody who is accountable for it.
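As an added example (not the post’s own setup, which used the Companion Auto Update plugin), the same goal can be reached with WordPress’s built-in update filters in a must-use plugin. The file name and the error-log message are my own choices; the filters and constants are standard WordPress ones.

```php
<?php
/**
 * Plugin Name: Force Automatic Updates
 * Description: Keeps core, plugins and themes patched without manual intervention.
 * Drop this file into wp-content/mu-plugins/ (must-use plugins load on every request
 * and cannot be deactivated from the dashboard, so nobody can "temporarily" switch it off).
 */

// Caveat: if a hosting-level constant has switched the updater off entirely, none of
// the filters below will have any effect and the site will silently stay unpatched.
// Log loudly so the person accountable for updates notices, and stop here.
if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
    || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
    error_log( 'force-auto-updates: automatic updater is disabled by configuration; site will NOT self-patch.' );
    return;
}

// Core: allow both minor (security/maintenance) and major releases to install themselves.
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes: install every available update. Outdated plugins were exactly
// the class of flaw the mass-defacement described above went looking for.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Keep the result e-mails on so that whoever owns the update policy sees what changed
// (or what failed) each time the background updater runs.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

After deploying it, confirm under Tools > Site Health that background updates are reported as working; a host that blocks file modification will show up there rather than in a defacement.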
Moreover, we could have benefited from being aware of all potential dangers. At the time, we had our local files locked down well and we were paying attention to our security. But that was our comfort zone. Since the site was relatively new, we had overlooked this portion of our security. To combat this mindset, make sure to consider all of your digital assets.
Furthermore, our experience reminded us once again that anyone can be a victim. Many attacks automatically search for vulnerabilities to exploit, therefore targeting people indiscriminately. Thus, it does not matter if the victim is a small start-up or a multinational conglomerate. As a result, we recommend you don’t fall for the trap of thinking you’re “not a target” or that “only the big fish get hacked”.
Lastly, just like with ransomware attacks, regular backups help minimize the impact of being hacked, since compromised files can just be easily replaced with recent copies. By keeping a backup (preferably encrypted) that’s not connected to your local network, you have a fallback option that criminals won’t be able to access. This ensures that business can continue with minimal interruption in the case of a compromise and can save a lot of money.
We hope that our own experience motivates you to implement update and backup policies rigorously, since you can be a target, too. Moreover, we believe that it is important to share this with you instead of trying to hide the fact that we have been attacked ourselves. Transparency is the best way to increase security awareness within society. When companies try to hide their mistakes, deny any wrongdoing, and refuse to take responsibility for their actions, they only frustrate their clients and diminish trust. Being honest about one’s mistakes, taking responsibility, and showing that one learns from them is the best way to create long-lasting, trusting business relationships, because it acknowledges our humanity.