• How do cybercriminals profit from infecting websites with malware?

    A guest post by Caitlin Condon, StopBadware’s raconteur

    We at StopBadware see a lot of hacked websites. We also get a lot of questions from webmasters who want to know why bad actors make it a point to hack legitimate sites. The primary motivator of malware authors and distributors today is simple: money. The more websites and computers the criminals infect, the more cash they make. To maximize infection rates and profits, the bad guys need to escape detection for as long as possible. One effective way to avoid detection and spread badware is to infect legitimate websites. The criminals can then leverage the resources and good reputation of those sites for nefarious purposes.

    So how exactly do the bad guys use infected websites to make money? It depends; the cybercrime economy is mature and complex, and malware distributors have a lot of methods for monetizing their trade. Often, infecting websites is only the first step in the process.

    Infected websites are frequently configured to serve Trojans or spyware that, once installed, quietly log the PC owner’s keystrokes and send that information back to servers controlled by cybercriminals. When users log into banking or other websites, the malware steals their credentials and sends them to the criminals. The bad actors can then access bank accounts or sell those credentials on underground forums.

    Another malware monetization method is the distribution of fake antivirus software. Bad actors compromise a legitimate website, say by modifying the .htaccess file. Then, when Internet users click on search engine results for the hacked site, they’re redirected to a malicious website set up by the criminals instead of to the real website. When the malicious website loads, visitors see a pop-up that performs a bogus “scan” and informs them that their computers are infected with viruses or “security threats.” The fake scan results then prompt the user to enter a credit card number in order to download a fake security product. Voilà: money for the bad guys.
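
    A check a site owner can run for the .htaccess tampering described above, added here as an example and not part of the original post: it flags rewrite rules that send only visitors arriving from search engines to a different host. The sample file, the host name and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample; the redirect host is a placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} (aol|ask)\\. [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/scan.php [R=302,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|aol|ask|yandex|baidu|duckduckgo", re.I)

def find_referrer_redirects(text, own_hosts=()):
    """Flag RewriteRules that redirect search-engine visitors to a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []  # pending: RewriteConds awaiting their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            # RewriteCond <TestString> <CondPattern> [flags]
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule":
            conds, pending = pending, []
            # RewriteRule <Pattern> <Substitution> [flags]
            host = urlparse(parts[2]).hostname  # None for local paths
            ref_lines = [n for n, test, pat in conds
                         if test.upper() == "%{HTTP_REFERER}"
                         and SEARCH_ENGINES.search(pat)]
            if ref_lines and host and host.lower() not in own:
                findings.append({"rule_line": lineno,
                                 "cond_lines": ref_lines,
                                 "target_host": host.lower()})
    return findings

if __name__ == "__main__":
    for f in find_referrer_redirects(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(f"line {f['rule_line']}: search-engine visitors sent to "
              f"{f['target_host']} (conditions on lines {f['cond_lines']})")
```

    The ordinary front-controller rule at the end of the sample is not flagged, because it has no referrer condition and rewrites to a local path.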

    A bit more complex: Malicious hackers find a security hole in a popular content management system, such as WordPress or Joomla. They use an exploit kit (a software kit that lets criminals automate and customize infection) that helps them quickly infect thousands or tens of thousands of legitimate websites with malware. The compromised websites unknowingly serve up a drive-by download to visitors, so their PCs are infected silently even if they don’t click on anything. Before long, the criminals have an army of infected PCs known as a botnet. The criminals can rent out the botnet to other criminals who want to do any number of nasty deeds: send out spam email campaigns, launch DDoS attacks, or spread other malware at will. Rental prices differ depending on the complexity of the task the criminals want carried out, but the result is the same: malicious actors rake in cash from exploiting legitimate sites and their visitors.

    Websites have become a favorite attack vector in recent years. When you look at all the ways the bad guys can use legitimate websites to exploit visitors and abuse their trust, it’s easy to see why. Fortunately, website owners can do a lot to protect their websites and their visitors by following some basic security advice. For website security tips and tools, see www.stopbadware.org/home/webmasters.

    StopTheHacker also has tips for webmasters: check out “Website Security: What do I need to know? What do I need to do? – Part 1” and “Website Security: What do I need to know? What do I need to do? – Part 2.”