Why are sites hacked?
1. Monetary Gain
The primary motivation for most bad actors is financial profit. This can be achieved through:
- Malware Distribution: Injecting malicious code to infect visitors, leading to data theft, ransomware, or botnet inclusion.
- Phishing Campaigns: Using a legitimate domain to host fake login pages for financial institutions or other services, tricking users into revealing credentials.
- SEO Spam: Manipulating search engine rankings, hosting spammy links, or redirecting users to other sites, often without the knowledge of those paying for such services.
- Ransomware: Locking website owners out of their sites and demanding cryptocurrency payments for restoration.
- Credit Card Skimming: (For e-commerce) Intercepting credit card details during customer transactions.
2. Resource Exploitation
Bad actors can leverage a website’s server power and access for their own purposes:
- Cryptocurrency Mining (Cryptojacking): Using server processing power to mine cryptocurrencies, leading to slow site performance and increased hosting costs.
- DDoS Attacks (Distributed Denial of Service) and Botnets: Incorporating compromised sites into a network of machines to launch attacks against other online services.
- Large Language Model (LLM) Training and Fine-tuning: Aggregating server power from multiple compromised sites to meet the intensive computational demands of training or fine-tuning LLMs, potentially for malicious AI.
3. Data Theft and Espionage
Websites often store valuable data that is attractive to hackers:
- Sensitive Data Exposure: Stealing user data, customer information, or internal documents, leading to identity theft, corporate espionage, or dark web sales.
- Defacement/Vandalism: Changing a website’s content, often for political statements, showing off, or causing disruption.
4. Grudge Attacks or Activism (Hacktivism)
Though less common, some individuals or groups target sites for ideological reasons, protest, or spite. However, the vast majority of attacks are automated and untargeted.
The “Business” of Hacking
Hacking is often an organised, large-scale industry:
- Automation: Most compromises are not targeted human attacks but automated scans exploiting known vulnerabilities in millions of websites. An outdated plugin, for instance, can be an easy entry point.
- “As-a-Service” Models: Hacking tools and services (e.g., DDoS attacks, lists of compromised websites) are readily available, lowering the barrier to entry for less technical individuals.
- The Dark Web Marketplace: Compromised data, botnet access, and exploits are bought and sold, turning a hacked site into a potential commodity in a complex exploitation chain. For example, persistent access to an e-commerce site might be sold, followed by the implantation of a credit card skimmer by another party, and then the sale and validation of stolen card details to further groups for fraudulent purchases.
In essence, while a site’s content might seem insignificant, its underlying resources and potential data are highly valuable to bad actors. Understanding these motivations is key to effective cybersecurity. Cybercrime, largely comprising website hacking, would rank as the world’s third-largest economy if it were a legitimate industry.
Let’s kick off with a fundamental question. Why do bad actors hack sites? Now, I know what you might be thinking. Why would anybody want to hack my little WordPress website? It’s just a blog about my cat, Mittens, and his existential musings. And while Mittens’ musings are undoubtedly profound, the truth is the reasons behind a website’s compromise often have very little to do with the content itself, no matter how cute.
So, let’s break down the common reasons why a bad actor might set their sights on your client’s website. Think of it like this. If your website was a house, what kind of treasures or opportunities might a burglar be looking for? First up, and probably the most straightforward, monetary gain. This is the big one. Most bad actors aren’t in it for the glory. They’re in it for the cash.
How do they make the money from your site? Well, there are a few ways, but let’s start with malware distribution. They can inject malicious code onto your site and infect visitors. This malware can then steal personal data, plant ransomware, or turn a visitor’s computer into a part of an ever-increasing botnet. There are other options.
They could be running a phishing campaign. So your legitimate domain provides a fantastic cover for phishing attempts. They can create fake login pages that look exactly like PayPal, banks, or even other WordPress websites, tricking users into handing over their credentials.
Then we have SEO spam. This is where your site is used to host spammy links that redirect users to other sites or inflate search engine rankings. The thing is, while your site is being hacked, the end user who is buying the links often has no idea what they are actually paying for, and those backlinks or that traffic, well, it’s coming from a hacked site and is ultimately useless. Ransomware.
They lock you out of your site and demand a cryptocurrency payment to restore access. It’s like finding a sticky note on the front of your door that says, “Nice house. Shame if something happened to it, send Bitcoin.” And then finding the locks on the door have been changed. Credit card skimming for e-commerce sites. This is a nasty one. They inject code that intercepts credit card details as customers enter them, stealing your customer’s card and ultimately the money. Then we have resource exploitation. Your server has power and access and bad actors want both. Cryptocurrency mining, sometimes called cryptojacking.
They hijack your server’s processing power to mine cryptocurrencies. Your site starts running slow, your hosting bill goes up, and you’re inadvertently helping someone get rich off crypto. It’s like secretly plugging their mining rig into your power outlet. Worse, with crypto mining in JavaScript, your visitors are providing that, and so your site is even slower and your users are being used to crypto mine. Denial of service attacks and botnets. Your compromised site can be used as part of a larger network of infected machines, a botnet, to launch attacks against other websites or services. Your site can become an unwitting soldier in somebody else’s war. And a new one, large language model training and fine-tuning. Your site’s server processing power, even though it is modest and CPU based, can be aggregated with many others to contribute to the intensive computational demands of, well, doing large language models.
This creates a vast distributed system, effectively using the resources to allow them to use your site to power evil AI instead of ChatGPT, often without your knowledge. Then there is data theft and espionage. Sensitive data exposure. If your site stores user data, customer information, or even internal company documents, bad actors might want this. It can lead them to identity theft, corporate espionage, and selling data on the dark web. I think most people think of this when they’re thinking of things being hacked. This is one of the least likely things. Most bad actors do not know what data is on your site, and they’re not even looking at that data.
But it does happen from time to time. Defacement, vandalism. Sometimes it’s just about making a statement and showing off or causing disruption. They replace your homepage with a picture of, say, a rubber duck wearing a tiny sombrero. Annoying, but often less destructive than many of the others. Finally, a less common but still present reason, grudge attacks, activism, sometimes called hacktivism. This is where individuals or groups target a site for ideological reasons, to protest, or simply out of spite and malice. This sort of targeted hack is exceedingly rare, and the vast, vast majority of attacks are against targets the bad actor has no knowledge about at all. The sad reality is no one hacked your site. It was almost certainly an automated attack that had no human involvement other than hitting the enter key.
Now, let’s briefly touch on the business of hacking because, make no mistake, for many this isn’t just some kid in a basement. It’s an organized industry at a colossal scale. And a huge amount of this is due to automation. Chunks of websites compromised aren’t targeted at all. Instead, they’re automated scans that look for vulnerabilities on millions of websites. If your WordPress site has an outdated plug-in with a known exploit, it’s leaving your front door unlocked in a bad neighborhood with a giant “come on in” sign. Automated bots will find it and exploit it without any human intervention.
Then we have as-a-service models. Believe it or not, you can buy hacking services. Want to launch a DDoS? Yeah, there’s a service for that. Need a list of compromised websites to sell? Sure. Here you go, you can find them. This lowers the barrier to entry to really less technical individuals. When we use the word script kiddie, we really aren’t doing it to mean somebody who is like a kid in a basement. We’re just talking about people who have limited to no technical skills. And all of this is based around the fact that the dark web exists, and not just like it is in the movies. Dark web marketplaces do provide a place to trade compromised data, access to botnets, and even tools and exploits that can be bought and sold via forums. Your compromised site isn’t just a target, it’s actually a commodity. Consider this scenario: an initial bad actor may exploit a vulnerability on your e-commerce site, but instead of deploying a credit card skimmer themselves, they simply gain persistent access. This access, essentially a digital key to your site, is then sold on the dark web to another party.
That second actor, specializing in financial fraud, then implants a credit card skimmer. The stolen credit card details are then sold on again, often in bulk, to another group. This third group’s role is to validate the cards. They’re effectively testing them with small transactions to ensure they’re active. Finally, these now validated card numbers are resold in large batches to end users who then make, well, fraudulent transactions on them, completing a complex chain of exploitation that began with that vulnerability on your site.
So, while Mittens’ musings are safe from direct espionage, the site itself and the server resources it has are ripe for the picking. Understanding why they do it in the first place is a crucial step to understanding how to stop them. It can often be hard to truly understand how many sites are hacked, but to put it in perspective, if cybercrime, of which hacked websites make up the majority, were a legitimate industry, it would be the third largest economy in the world.
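Both the summary (“Automation”) and the lesson above make the point that most compromises come from automated scans looking for outdated plugins, not from a human choosing your site. The added example below, which is not part of the module’s own material, shows the defender’s side of that: it reads constructed Apache-style access-log lines and flags client IPs that request the readme.txt of many different WordPress plugins in a row, the fingerprinting pattern such scanners leave behind. The log lines, IPs and plugin slugs are constructed sample data, and the threshold of three plugins is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache combined format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2025:10:00:05 +0000] "GET /2025/05/mittens-on-being/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2025:10:00:06 +0000] "GET /wp-content/plugins/elementor/assets/css/frontend.min.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Pulls client IP, request path and status out of one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Plugin readme.txt files carry the plugin version, so a scanner walking a
# list of plugin slugs requests exactly these paths to find outdated ones.
PLUGIN_README_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/]+)/readme\.txt$')


def find_plugin_scanners(log_text, min_plugins=3):
    """Return {ip: sorted plugin slugs} for every client that probed the
    readme.txt of at least `min_plugins` distinct plugins. A normal visitor
    (like 198.51.100.4 above) loads plugin assets, not a series of readmes."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        p = PLUGIN_README_RE.match(m.group("path"))
        if p:
            probes[m.group("ip")].add(p.group("slug"))
    return {ip: sorted(slugs) for ip, slugs in probes.items() if len(slugs) >= min_plugins}


if __name__ == "__main__":
    for ip, slugs in find_plugin_scanners(SAMPLE_LOG).items():
        print(f"{ip} enumerated {len(slugs)} plugins: {', '.join(slugs)}")
```

In practice this check runs over a rolling window of the real access log and feeds a block list or alert; the real fix for the underlying exposure is still keeping plugins updated, since a scanner that finds nothing outdated moves on.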
The module has the following resources: