May 23, 2016 7:24 AM / by Joshua Ballard
Asking this question is a perfectly natural response.
In fact, as you will learn, it is a very necessary question to ask.
Often in life when something horrible happens, we urge ourselves to stay away from such questions as “why would this happen”.
The difference is that, often, when something horrible happens it is the result of an accident.
In this situation, it is not an accident.
Someone has purposefully gained access to your website and altered it.
Understanding why they would want to do this, and why they would want to do this to YOUR site, is a crucial step in detecting, removing and protecting your site both now and in the future.
Why Your Site in Particular Though
You may be thinking (as I was) that there could be no possible gain in someone hacking your website.
The first thing you need to understand is that a cybercriminal can gain quite a lot from hacking any website.
We will go over some of the motivations that may have caused this a little further down.
Let’s first of all make sure that you understand why your site in particular was targeted.
Human psychology is hardwired to assess an action from three related standpoints:
- Risk vs Effort vs Reward
Hackers who decide to break laws know that they are taking a risk. A criminal mindset does not frame this as ‘should I break the law’, but rather as ‘what are the chances that I will be caught if I break this law’ and ‘what are the ramifications of being caught breaking this law’.
The risks of hacking some sites are always going to be higher than for others.
Depending on the layers of security and detection involved, the chances of them being exposed increase.
Chances are, in the case of your website, they have calculated that the chances of them being caught and severely punished for the hack are rather small.
Some sites are always going to be easier to hack than others.
Digital security and level of protection are essentially a commodity that can be purchased.
People who assume that their website is not worth hacking are less likely to be investing in protective factors, often because they perceive that protective factors come in a one-size-fits-all price category, and that this is an expensive product to purchase.
If a hacker has decided that your site is going to be particularly easy to penetrate, then this may get you onto a shortlist of candidates.
Dispel any assumptions that you have about what possible reward they could glean from hacking your site.
The reality is they did, and if they didn’t have any direct motivation to do so, they probably wouldn’t have.
There are many valuable metrics that your website has that they may be trying to glean, such as:
- Your website traffic
- Your website authority within Google
- Your website data
Further down we will go into much more detail about why they may have hacked your site, and then further down again we will discuss what they will have done in each scenario, and how you can find the changes.
Assessing Risk vs Effort vs Reward
Narrowing the hacker’s crosshairs from the estimated 1 billion web pages on the internet down to yours has everything to do with how your website correlates to these three factors.
If we start with the assumption that their risk of direct punishment for hacking your website is 0 (I explain the reason it is 0 at the end of this post), then it becomes more of a discussion of effort vs reward.
Assessing the effort required to hack your site is a simple process of examining what protective measures you have in place, and what known weaknesses you are exposed to.
Protective measures can include:
- Website firewalls
- Hidden admin panels
- Dedicated anti-hacking software
Known weaknesses can include:
- Outdated plugins
- Third-party applications with a known security threat
- Knowledge of existing passwords
The next step for a would-be hacker is cross-referencing the reward they expect to gain against the effort required to hack your site.
To have a more visual understanding of this decision-making process, let us assume the effort factors and reward factors can each be measured on a scale from 1 to 10.
We could then be left with a graph that looks much like this:
As there is likely to be an escalating difficulty level as the reward level goes up, the Goldilocks zone would sit roughly in the middle.
The Goldilocks zone references the idea that when facing three options of varying parameters, there must be a point at which one of the options is “just right”.
The website is neither too difficult to hack nor too worthless to hack.
What on earth allowed them to spot your vulnerability?
This may still be a lingering question in your mind.
For them to even check how vulnerable your site is, and then check how rewarding a hack could be, they would need to actually find your site and have a look, right?
Let’s start with a basic premise:
They are going to base their next hack on a known WordPress plugin that has a vulnerability.
If they know the code that plugin adds to a site (which they will), they can perform a search for every website that currently has that plugin.
This can get you on a shortlist.
Depending on what reward they are looking for, they can then filter that list by desirable metrics such as:
- Estimated traffic flow
- Authority of the Domain in Search Engines
This shortens their list of candidates further.
In short, you can be singled out and placed on a “to hack list”. However, the best way to avoid ever being on one of these lists is to take precautionary steps for next time.
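One such precautionary step, added here as an example that is not part of the original post: read your own page's HTML and report which plugin names and versions any visitor can see, flagging the ones older than a known fix. The sample HTML, the plugin slugs and the `FIRST_FIXED` versions are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: a fragment of your own site's rendered home page.
SAMPLE_HTML = """
<link rel='stylesheet' href='https://example.test/wp-content/plugins/sample-slider/css/style.css?ver=2.1.0'>
<script src='https://example.test/wp-content/plugins/contact-widget/js/form.js?ver=4.0.3'></script>
<script src='https://example.test/wp-content/plugins/contact-widget/js/extra.js?ver=4.0.3'></script>
<script src='https://example.test/wp-content/plugins/gallery-lite/gallery.js'></script>
"""

# Constructed: first fixed version per plugin slug. In practice, fill this
# from the changelogs or advisories of the plugins you actually run.
FIRST_FIXED = {"sample-slider": "2.3.0", "contact-widget": "4.0.3"}

ATTR_RE = re.compile(r"""(?:href|src)=['"]([^'"]+)['"]""")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")

def exposed_plugins(html):
    """Map plugin slug -> set of version strings visible in asset URLs."""
    found = {}
    for url in ATTR_RE.findall(html):
        parts = urlparse(url)
        m = PLUGIN_RE.search(parts.path)
        if not m:
            continue
        # ?ver= is whatever was passed when the asset was enqueued; it can be
        # the WordPress core version instead of the plugin's, so confirm it.
        ver = parse_qs(parts.query).get("ver", [None])[0]
        found.setdefault(m.group(1), set()).add(ver)
    return found

def vtuple(version):
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def audit(html, first_fixed):
    """Return (slug, version, status) rows for every plugin the page reveals."""
    report = []
    for slug, versions in sorted(exposed_plugins(html).items()):
        fixed = first_fixed.get(slug)
        for ver in sorted(versions, key=lambda v: v or ""):
            if ver is None:
                status = "version not disclosed"
            elif fixed is None:
                status = "disclosed, no advisory on file"
            elif vtuple(ver) < vtuple(fixed):
                status = "OUTDATED: update to >= " + fixed
            else:
                status = "disclosed, up to date"
            report.append((slug, ver, status))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, FIRST_FIXED):
        print(row)
```

Every row is something a stranger can learn without logging in; the `OUTDATED` rows are the ones to update first.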
In the next section, we will cover some of the reasons that a hacker may be choosing their victims, and what rewards they potentially stand to gain.
Why would the risk be 0 though?
Most hacks come from a different geographical region, using networks that either cannot be traced, or that lead nowhere.
Giant corporations, and even governments often cannot track down or pinpoint who exactly it was that breached their security protocols.
The idea that a small business could do what a government cannot is ludicrous.
The compounding problem is that even if you narrowed it down to one individual, you would have no real legal means of retaliation or justice seeking.
A different region means a different government, and a different government means a different legal institution.
Even without contemplating state-sanctioned cyber espionage, you need to just accept that wherever the hack came from, it is quite likely that they are both digitally protected from being found and geographically unavailable for prosecution.