It’s not always about you. Sometimes hackers attack your network just to use it to attack other people. They’re not after your data or your money, and they’ll do everything they can to avoid you noticing so they can carry on using your resources.
This used to be about botnets – when hackers use malware to take control of your PC as part of a huge collection of compromised computers that they use to send spam, or carry out co-ordinated attacks on their unfortunate targets. This is still a risk, and it still affects everyone – but if you run a business there’s a much nastier version of the same compromise out there these days.
If you have a public-facing website with lots of traffic, you’re a target for two different exploits:
Firstly, if you carry advertising and aren’t too careful about which syndication networks you use, you can end up running ads that contain malware aimed at infecting your visitors. All of your carefully-crafted traffic generation just goes to help the hackers spread their nastiness more widely. Generally, you don’t know about it until some security researcher kindly points it out – leaving you with egg on your face.
If, for example, you carry ads from AdsTerra/Terraclicks, this could have affected you. Gumtree Australia, MSN, the New York Times, AOL, the NFL and lots of others were on the receiving end of a similar scam recently, too. It’s a growth industry, and the major players aren’t doing enough to stop it – because ads = money, and spending more time filtering ads = less money.
Secondly, and perhaps worse, if you use any one of a number of e-commerce platforms and aren’t scrupulous about keeping it patched and up to date, the criminals can use known exploits to compromise your site and use it directly to infect your customers. You can’t even pass the buck for this one on to the ad networks, so the reputation damage is more significant.
This happened to Maisto just this week. When did you last patch your website?
This is just another reason why you need to take cyber seriously – make sure it’s discussed at board level, and that someone in your C-suite (as the Americans put it) has direct accountability for information security. Don’t just leave it to your overworked IT manager, and don’t assume your webhost will do it for you, either.