The Banality of Hacking

Occasionally, I have to call a client and tell them they’ve been hacked. It’s not anyone’s fault, really. Most large companies have extensive legacy websites and systems. Like layers of habitation in a bronze-age settlement, websites build up over time only to be forgotten when the next development cycle rolls around. My team was once asked by a Fortune 500 company to compile a list of all the sites they were currently hosting. Their marketing and technology teams knew about less than half the sites on the list. One division had three sites for the same product that had been created under three different regimes. Unsurprisingly, in an environment like this where no one is maintaining the sites and applying the latest security patches, they had been hacked. “You’ve been hacked.” It just sounds bad; like a painful and florid rash in the most private areas of your business. Some clients react badly. Partly this is the result of the news media portraying hackers as vindictive nerds bent on destruction of reputations and property or cyber terrorists from rogue nations. Shockingly, the news media seems to have exaggerated this story for dramatic effect. (Shockingly.) Chances are, when you’ve been hacked, it wasn’t by denizens of 4chan or members of the highly sophisticated Chinese hacking group Deep Panda. (Although the name “Deep Panda” for a Chinese hacking group is unbelievably metal.) Chances are you’ve been hacked due to a very common, well known security vulnerability by someone who’s just looking to earn a couple dollars through click fraud or spam. Many hacks are a little bit dumb and a lot boring. Most hacking is banal. Less “Evil Genius” More “Scrappy Entrepreneur” Hacking is wrong. You shouldn’t hack other people’s websites. Because they don’t belong to you and it’s sort of rude. That being said, hacking happens because there’s money in it. Not “selling industrial secrets to the Chinese” money. More like make a couple cents posting links for cut-rate Viagra on someone’s unprotected WordPress site. In a business environment in which reputable companies are paying for traffic and links of dubious origins, it’s hard to get too upset about the evils of this type of hacking. In practice, it often looks like this: the hacker (used here in the loosest sense of the term) downloads a script from a dark web site that exploits a known vulnerability in an outdated version of an internet technology (like an outdated WordPress or Apache install). The hacker then sets up the script to randomly scan for vulnerable websites knowing that a certain percentage will be using outdated technology with known vulnerabilities. Once they establish vulnerability to their script, they hijack a portion of the site in a way that might be invisible to an unattentive system administrator. Then they use the website as part of their “zombie army” of similarly infected systems to make money. Zombie Army?!? This sounds much cooler than it is. In practice, this just means that the hacker is able to use the website to make some money. They can perform link fraud (adding a lot of hidden links to game Google’s search results) or Denial of Service attacks (shutting down other websites by making too many requests to the server) or some similar mindless activity. The hacker is not personally hijacking and manipulating servers individually because that would be inefficient. The whole point of the zombie army is that you can automatically direct huge numbers of infected systems to perform some simple task. So how much can they make by hijacking websites? Not very much. In order to make these activities profitable they need to be done on a massive scale which means that it is very much not personal. The hacker who has infected your website may not be aware of you as an individual at all. You’re just one IP address among thousands. Of course, if you work for a defense contracting firm or Apple or the research department of a major pharmaceutical company or Goldman Sachs, being hacked probably is personal. Sorry. But everyone else has just fallen victim to a scrappy entrepreneur with a Tor browser and dreams of unearned riches. It’s not personal. But it is a little tiresome.