Your Fly Is Open

Netmenaces and Other Internet Stupidity

Knowledge Problems

2024-10-22 3 min read attacks

I’ve been asked several times over my career, “What is the biggest security threat to small- to medium-sized businesses?”

Rather than choosing a standard answer like phishing or ransomware, I’ll say something completely different: people who think they know more than they do.

I’ve run into that several times lately.

As many of you know, I use some Google-fu each week to find compromised websites and try to contact the organizations to let them know so the owners can clean up their sites.

Recently, I tried contacting the owners of a compromised website through LinkedIn. After sending them several messages, they finally responded that they had “run numerous cybersecurity scans and found no threats.” I replied with a list of multiple URLs, leading to pages attackers added to their site.

All the pages added to their site suddenly disappeared, and I heard nothing else back.


Today, after exhausting multiple methods of contacting a different organization, I finally decided to give them a call. I don’t particularly enjoy calling people because it rarely ends well, but I was determined to get through to them.

I spoke to the receptionist and asked to speak with someone in charge of their website. She transferred me to a gentleman, and I explained that I was a security researcher who had noticed their site was compromised while investigating other hacked sites. He immediately got defensive.

I explained that attackers had added pages to their site advertising questionable things. “Like what?” he asked. I explained that the added pages advertised techniques for viewing private Instagram profiles, among other things.

I asked him if he could look at something in a web browser, preparing to give him a Google search string. He explained that he was “looking at the site right now” and saw nothing wrong. I explained that the attack was different from what he would see on the main site because attackers had added unlinked pages.

Then he hung up.

If you think you understand more about website security than you do, you’ll likely miss many things, like the fact that most website hacks aren’t easily visible. In this case, the attackers wanted these new pages to hang around as long as possible to get the SEO bump associated with having links on a popular web page. Of course, they won’t make it easy to spot the hack!

If you work in a small- to medium-sized business, you have so much on your plate that you can’t be an expert in everything. If someone contacts your company and tells you someone has hacked your organization, listen. Be skeptical—I would never say otherwise, but please listen.

You might find out something important.

You might find out that someone has hacked your website.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
October 22, 2024