Top 5 Ways Hackers Hack Your Website During Thanksgiving Sales & How To Prevent Them
Thanksgiving sales have become a big hit online. Customers get to see multiple brands and browse amazing offers just by clicking a few buttons. Most importantly, no more standing in queues and hopping between stores. For businesses too, online Thanksgiving sales have opened up a new set of opportunities.
For website/app owners, the ease of running sales online comes with a responsibility too. Your customers trust you with their credit card information, address, phone details etc., so it is important to ensure that they do not get hacked.
Top 5 Ways Hackers Can Hack Your Website/App This Black Friday:
Known Vulnerabilities: A website owner's neglect is a hacker's biggest asset. If you are using a CMS like WordPress, OpenCart, Magento, Joomla, Drupal etc., then you need to make sure you are running its latest version. These CMSs have known vulnerabilities which hackers often exploit.
A couple of years ago, the Shoplift vulnerability was found in Magento stores. This vulnerability allowed hackers to remotely create an admin user in every Magento store. Even after Magento released an advisory and a patch, thousands of stores failed to install the patch and remained vulnerable. It is also advisable to verify the extensions you use, as hackers often exploit vulnerabilities in loosely coded extensions.
Choking Your Resources: A classic Denial of Service (DoS) attack. Hackers have a network of hacked servers and computers at their disposal. They use this army of bots to send a huge amount of traffic to your website/app. This puts so much stress on your servers that legitimate customers get locked out of the website. The key is to use a CDN and to ensure that all ports not in use are closed. Having a firewall goes a long way.
Creating Fake Pages: You need to be extra careful about the areas of your website where users can fill in forms and create pages. These are the areas where hackers can either:
- Insert malicious links in your website:
- Create legit-looking malicious pages: Similar to creating links, if you allow user profile pages or affiliate pages on your website, hackers often sign up there and create pages which look similar to your web UI. Then they point potential victims to those pages.
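One way to review such user-created pages before they go live, shown as an added example that is not part of the original article: it parses a submitted page and flags links or form targets that leave your site, unsafe URL schemes, and password fields. The hostnames, the allowed schemes, the finding names and the sample submission are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: your own hostnames and the schemes you permit.
SITE_HOSTS = {"shop.example", "www.shop.example"}
SAFE_SCHEMES = {"http", "https", "mailto"}

class SubmissionAudit(HTMLParser):
    """Collects findings from user-submitted HTML before it is published."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, detail) tuples, in document order

    def _check_url(self, tag, url):
        try:
            parts = urlsplit(url.strip())
            host = (parts.hostname or "").lower()
        except ValueError:  # e.g. a malformed IPv6 literal
            self.findings.append(("malformed-url", tag, url))
            return
        if parts.scheme and parts.scheme not in SAFE_SCHEMES:
            self.findings.append(("unsafe-scheme", tag, url))
        elif host and host not in SITE_HOSTS:
            # Exact match on the parsed host: substring checks are fooled by
            # lookalikes such as shop.example.deals-login.test.
            self.findings.append(("external-link", tag, url))

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._check_url(tag, attr["href"])
        elif tag == "form" and attr.get("action"):
            self._check_url(tag, attr["action"])
        elif tag == "input" and (attr.get("type") or "").lower() == "password":
            # A profile or affiliate page has no reason to collect passwords.
            self.findings.append(("credential-field", tag, attr.get("name") or ""))

def audit_submission(html):
    """Return the findings for one submitted page; an empty list means clean."""
    parser = SubmissionAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample submission; all hostnames are placeholders.
SAMPLE = """<a href="/offers">Our offers</a>
<a href="https://shop.example.deals-login.test/signin">Sign in to claim</a>
<a href="JavaScript:void(0)">Coupon</a>
<form action="//collect.test/p"><input type="password" name="pw"></form>"""
```

Calling `audit_submission(SAMPLE)` returns four findings; a page with any finding can be held for manual review instead of being published automatically.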
Targeted Attacks on Employees: It is a common saying that humans are the weakest link in any security mechanism. Hackers often use social engineering techniques to extract information out of your employees. To hack your web apps during Thanksgiving, hackers plan social engineering attacks weeks in advance. They get into your system by hacking employees but stay low, and start their attacks during Thanksgiving. Be sure to circulate these tips in your organization to avoid becoming a victim of social engineering:
- Click Links in Incognito: Luring you into clicking a malicious link is the trick hackers use most. Once you or a team member with access to your website clicks such a link, they are compromised and hackers can take over your website too. It is recommended that links coming from outside sources are first opened in incognito mode or in a sandboxed environment.
- Do Not Trust Attachments: Hackers often use legit-looking attachments to hack end users. These attachments could be PDFs or images and open just as they should, but they often come with malicious code appended, which runs in the background to compromise the end user's security. Attachments should not be downloaded to a PC; rather, they too should be opened in a sandboxed environment.
- Use Email Scanners: It is recommended to have an organization-wide email scanner. Email scanners like these scan every email for malicious attachments and links. Avast, McAfee and Norton come with such solutions.
Website Vulnerabilities: According to a recent survey by Trustwave, 97% of websites have at least one vulnerability. You might have taken care of all the above-mentioned loopholes, but hackers can always exploit a vulnerability in your website and get into it. These days, apart from the core CMS, a lot of custom development goes into a website. You don't know which piece of code is vulnerable and attracts guys with malicious intent.
It is highly recommended to get your website hacked before hackers do! What I mean is, get a security audit done for your website where ethical hackers try and find all the vulnerabilities in your website before malicious hackers do. This way you get enough time to fix them before bad guys come looking for them.