Blog

This is a single blog caption

Publishers, Have You Been Hacked?

Why do Hackers Hack?

Gone are the days when hackers were 15 year-old kids hacking into government sites from their parents’ basement just because they could. These days, hackers are skilled professionals with sophisticated plans and a plethora of hacking strategies to choose from.

Hackers hack because it can be lucrative. It is very cheap to hack using scripts and botnets. Even if the hacker’s programs only succeed in obtaining a small percentage of conversions, it still has a profitable payoff because they are infiltrating thousands of sites, email lists, forums or blogs. They use the scale of the internet, stealing resources along the way, to fuel their agendas and put money in their pockets.

And if you think for a minute that your website is not worth their effort, you are wrong. It may be as simple as using your website resources free of charge; they can host images on your server, or even send emails from your server. There are more sophisticated attacks where hackers will try to obtain personal information for identity theft, but sometimes they are merely looking to infiltrate your website content with their ads to make money on selling goods and services. Another reason they may attack is to inundate your visitors with political or terrorist jargon.

Recently, one of the publishers in the EHS Network was hit with a hack attack. This attack corrupted everything from the publisher’s database of subscribers, to ads on the website itself. The NHT (Non human traffic) of the site soared, there were hundreds of false opens and clicks in the enewsletters, and site visitors were hit by malicious popups and mysterious ads. In helping this publisher rid itself of the spam, we learned some valuable information that might be helpful to other healthcare publishers.

Red Flags that may Indicate Your Site has been Hacked

  1. Look at your email database, do you see a lot of false emails like these:
    • first and last name do not match name in email address
    • first and last name do not look like real names
    • first and last name might look like a name, but with two capital letters at the end: AdibulaparteRY
    • a lot of submissions from a strange domain name, some examples inculde: housecleaningguides.com, unisexjewelry.org, secondhandhomeappliances.com, mail.ru
  2. Are you seeing strange pop-ups on your site?
  3. Are you seeing ads on your site in places they shouldn’t be, or ads that shouldn’t be there?
  4. Are you seeing any other content on your site that you didn’t put there?
  5. Do you have a Non-Human Traffic (NHT) percent over 5%?
  6. Are visitors complaining about strange things when they visit your site – like malware popups?
  7. Heavy server load.

The publisher that we helped was using a WordPress site. There were several vulnerabilities in the site including the Sahifa theme, the Contact Form 7 plugin, and the MailPoet plugin. Although these issues had to do with WordPress, all platforms can be subject to hacking.

Spammy Emails in the Database

First, it is important to distinguish between spam emails that the spammers are sending to an email inbox versus hackers putting thousands of false email addresses into a legitimate publisher’s database. We’ve all received emails from spammers with nasty attachments that mess up our computer or the now infamous Nigerian emails characterized by a sad story and a big payout. However, it is the second form of spam – thousands of false emails into a publisher database that will be addressed here.

In the first hack, thousands of false emails were submitted into the publisher’s database, most likely through the vulnerable contact form. Fortunately, the publisher’s email sending platform (ESP), was not associated with the WordPress site. WordPress was simply the avenue by which the hackers could insert their false emails into the database and email sending platform.

Once the false emails were added to the database and the publisher’s enewsletters were sent, not only did the false emails show up as a “sent” and “received,” the spambot actually registered false “opens” and “clicks.” This caused significant data inaccuracy. It appeared that there were more people in the list than there actually were; open and click rates were driven down. This type of hack also makes it difficult to know who your real subscribers are.

What would be the point of spambots getting false emails into a database? Form spam is one way to compromise a site, with the spammer getting into any hole they can find. A compromised site means that the webserver is vulnerable and can be used to run malicious software, leverage the domain name, or possibly host content (malicious content might include ads, links to another site for SEO value, or radical political content). The server resources of a hacked site can also be used to send out spam emails.

In the case of our publisher, the false emails were placed into a database that was separate from the WordPress site, but the intention of this type of spam was not immediately known. One possibility was that if the publisher was using a WordPress add-on to send emails, by infiltrating the form, the spammer could then send emails directly from the publisher’s domain and WordPress site. Fortunately, this was not the case.

Unknown Ads Appearing on the Website

The second form of spam appeared on the actual website. There were two types of spam occurring. One was a popup window that displayed an ad about malware, the other were actual ads that looked as though they were part of the site.

HTML code was inserted into all of the pages of the website through one of the vulnerabilities, most likely it was through the Sahifa theme and/or the MailPoet plugin.

A benefit to the hacker might have been clicks into their website. Another might have been that clicking on the popups or links, would install malicious software on the visitor’s computer, making them vulnerable to identity theft and other evil things.

Each web page had to be cleaned of the malicious code. The theme was fortified and the plugin was removed.

Non Human Traffic (NHT) at an All-Time High

The NHT on this site was over 20%. It didn’t get to 20% overnight, it crept its way up, so it was difficult to detect that there was a problem with it. As the site was hacked more and more, the NHT grew. Once the site was cleaned up, the NHT dropped below 3%.

How Can You Prevent a Hack Attack or Spam Infestation?

Spam on a website is like an infestation of roaches, once they are on the site, it may take more than one fogger (or sleepless night) to get rid of them!

Here are some of the holes you may need to plug:

  • vulnerabilities in the hosting platform
  • an insecurity in a theme
  • vulnerable plugins
  • weak passwords

Other considerations:

  1. Keep WordPress or any other platform, themes & plugins all updated. Rather than removing the Sahifa theme, we simply updated it and installed more security measures.
  2. Make sure your forms are secure, do the research on the form you have chosen to be sure it is not vulnerable. For our publisher’s WordPress site, we chose Gravity Forms with CAPTCHA over Contact Form 7.
  3. Change passwords frequently.
  4. Lastly, install beacons or alerts to let you know if your site has been compromised.

Sources:
About Fake Signups

What Hackers Do With Compromised WordPress Sites

Why Do Spammers Attack WordPress Sites?

How WordPress Sites Get Hacked (And What to Do About It)

Leave a Reply