About the research
Many businesses actively and productively use corporate sites, online stores, and web services to accomplish tasks. Customers register on these websites by leaving their personal data, make purchases by entering credit card information, and use cloud services to store information or use the resources provided to send their sensitive information. It is obvious that not only competitors, but also cybercriminals, would like to have access to such precious data, so it is no surprise when clients' personal data is leaked from yet another big company into the hands of criminals. Often, these events are associated with a successful attack on a company's web applications, as a result of which attackers gain access to the user database or steal other information. For example, in September 2020, hackers broke into more than 2,800 Magento-based online stores where they injected a malicious script that to scrape customers' personal information and payment card data.
As a result of hacking, both users and companies themselves may be affected. The web application security analysis conducted by Positive Technologies shows that criminals can conduct attacks on clients in 92% of web applications; in 68% of cases, there is a danger of a data leak; and in 16% of cases, attackers can gain control over the application and the server OS.
In this article, we will talk about why criminals hack websites, and what consequences there may be for the owners and users of hacked resources.
We have selected the ten most active forums on the dark web, which offer services for hacking websites, buying and selling databases, and accessing web resources. In total, more than 8 million users are registered on these forums, more than 7 million topics have been created, and more than 80 million messages have been published.
Note that this article does not consider ads that are posted in messages on such forums and related to services for organizing DDoS attacks on web resources, since in this case, the motives, goals, and tools of the attackers and those who hire them differ radically and go beyond the scope of this research.
Why criminals hack websites
In 90% of cases, users of darknet hacking forums search for a hacker who can provide them with access to a particular resource or who can download a user database. Seven percent of the messages include offers to hack websites. The rest of the messages are aimed at promoting hacking tools and programs and finding like-minded people to share hacking experience.
By offers, we mean ads published by service owners and hacker groups. They cannot act as indicators of supply and demand, as they are often posted only once. The demand for the services mentioned above can be estimated approximately only by individual inquiries from users who, for various reasons, did not make use of the information about the offers.
Since March 2020, we have noticed a surge of interest in website hacking. This might have been caused by an increase in the number of companies available via the Internet, which was triggered by the COVID-19 pandemic. Organizations that previously worked offline were forced to go online in order to maintain their customers and profits, and cybercriminals, naturally, took advantage of this situation.
The following graph shows the number of new ads on dark web forums. Ads are posted not only by new members, but also by hackers with an established reputation. The latter do this as a form of self-promotion. It is difficult to determine which ads are duplicates and which have lost relevance, so we do not give the number of hackers or groups that actively provided hacking services at the beginning of 2019 or who are doing it today.
In about seven out of ten inquiries related to website hacking, the main goal is to gain access to a web resource. Not only can attackers steal sensitive information, but also sell access to web applications to so-called fences.
Inquiries aimed at obtaining user or client databases from a targeted resource account for 21% of all ads. Competitors and spammers who collect lists of addresses for targeted phishing attacks aimed at a specific audience are primarily interested in acquiring this type of information.
In 4% of inquiries, the main goal of attackers is not to hack the website, but to inject malicious programs into it, for example, for conducting watering hole attacks or placing web skimmers. In August 2020, during one of its campaigns aimed at scientists from the universities of Haifa and Tel Aviv, the APT group Charming Kitten hacked the Deutsche Welle website in order to place a malicious link on it. After clicking this link, the victim was asked to pass authorization , and the credentials they entered were sent to the attackers.
Three percent of ads are aimed at finding a person who can hack a website and delete certain data specified by the customer. This service may be in demand among those who want to remove negative reviews about a company posted on resources that are not controlled by that company, as one example.
Offers for the sale of ready-made programs and hacking scripts were found in 2% of total analyzed inquiries.
Some hack, and some buy
We already explained that fences buying access to websites have appeared on the dark web. Now that this phenomenon has taken root, it turns out instances of it can be broken into categories. In some cases, users buy web shells, some buy access to the administration interfaces of websites, and others buy ready-made exploits for injecting SQL code into specific resources.
A web shell is a file uploaded to a server that an attacker can use to execute OS commands on that server through the web interface and gain access to other files.
Web shells are inexpensive relative to, say, databases, which we will talk about later: their prices range from a few cents to 1,000 USD. This is mainly due to the fact that the privileges obtained by uploading the web shell to the file system are limited. Selling a web shell means sending the customer a link to the file path and, possibly, credentials for authorization. The most common web shells are on websites in the .com domain zone—they account for 54.3% of the offers for sale.
If the web service is hosted on a server connected to the company's internal network, the main risk for the organization is that an attacker (or someone who buys access to the server through a web shell) can develop an attack and penetrate the company's infrastructure. The results of external pentests conducted by Positive Technologies experts in 2019 show that at 86% of companies there is at least one vector for penetration into the local network, which is associated with insufficient protection of web applications. At one out of every six tested companies, we found traces of prior attacks. For instance, we found web shells on the network perimeter, malicious links on official sites, or valid credentials in public data dumps.
Attackers use access to the administration web interfaces of popular CMSs in order to place web shells and malware on them and use them for illegal advertising. For example, in August and September 2020, a series of attacks were observed targeting the websites of WHO, UNESCO, government agencies, the National Institute of Health, and major educational institutions. On these resources, hackers posted phishing ads for tools used to hack accounts in well-known social networks and for cheating in online games. They had two goals: stealing payment card data and spreading malware. Some users were redirected to a payment page where they were asked to enter their card information, while others immediately downloaded malware to their devices.
It is worth noting that a website's involvement in illegal advertising campaigns may negatively affect its position in the search results of popular search engines.
Dumps, or databases from hacked websites, can be bought by competitors or criminals who plan targeted phishing attacks.
Custom databases cost between $100 and $20,000. or between $5 and $50 per 1,000 entries.
User entries may, for example, contain the following information: username, email address, full name, phone number, address of residence, social security number, and date of birth. This information can be used to conduct social engineering attacks.
Is it difficult to hack a website?
Our web application security analysis revealed that, on average, each web application has 4 high-severity and 12 medium-severity vulnerabilities. Even if we do not take into account the large number of vulnerabilities, criminals can use social engineering techniques to conduct attacks, such as targeted phishing campaigns, on a resource administrator in order to obtain their credentials (username and password). These data allow attackers to access the company's website.
Based on our research data, we can conclude that most web resources are not sufficiently protected from intruders. The number of ads on the dark web offering services for hacking web resources should also be taken into account. If required, criminals can easily hire an experienced hacker or buy a ready-made hacking tool from a fence or another source.
Web application hacking services are in high demand. Ads for custom website hacking are not characteristic of any single specific industry; however, most customers purchasing such services are interested in online stores. This is primarily due to the fact that users of these resources enter their personal data and credit card information there. We believe that there is a definite trend towards a further increase in demand, as more and more companies go online as a result of the COVID-19 pandemic.
Hacking a company's web applications can lead to global consequences: from data leaks and sanctions for violation of legislation (for example, GDPR) to penetrating the company's local network and using its resources in subsequent attacks—as a platform for spreading malware or for storing tools that will be downloaded during the attack. When building a security system, we recommend following the principles of a risk-oriented approach, based on an understanding of the magnitude of negative consequences that are acceptable for your company. It will be easier and cheaper to proactively protect the most vulnerable part of your company's network than to pay huge fines and have your company's reputation smeared.
To protect your company, you should adhere to the principles of secure development and use automated source code analysis tools to search for errors and vulnerabilities, since the 2019 web application security analysis revealed that 82% of all vulnerabilities are found in web application code. It is essential to regularly analyze your web application security and to use a web application firewall for proactive protection against attacks.