Website security is as critical to your business as having a website in the first place. Your website is typically a huge driver of sales and/or reputation management in the digital marketplace. If your website security is lacking, your site can be hacked and deindexed, causing your traffic to plummet and your online presence to dwindle significantly.
Websites are hacked for a variety of reasons, and it’s not just the bigger, more complex sites that are targeted. Even smaller sites are valuable to hackers. They may use your site to exploit your visitors, steal information, abuse server resources, or just for the purposes of flexing on the upstanding citizens of the web.
There are many ways to hack a website. Today we’re covering URL hijacking and subdomain hijacking, common website security threats that diminish critical site traffic and tarnish your reputation with customers.
Cybersecurity has the best names for the many and various ways your business can be harmed by hackers. Case in point: URL hijacking is also known as “typosquatting.”
In a typosquatting attack, a crafty hacker takes advantage of common misspellings (typos) of popular sites. They register the domain name legally, then use it for a variety of nefarious purposes. A user craving a Big Mac might intend to type in mcdonalds.com in an attempt to locate the closest franchise. But instead they type in macdonalds.com or perhaps mcd0nalds.com.
In the best-case scenario, the resulting site will be a big nothing. (mcdonald.com is just a notice that the domain is for sale.) Or it might be a bunch of ads for a competitor like Burger King, or for a cause that has little to do with fast food.
In the worst scenarios, the site will mimic what you were actually looking for and trick you into giving up information or placing an order for a product that will never arrive. Some hijacked URLs push malware. And others are used for affiliate fraud and SEO spam (or spamdexing).
Every website seems to have a few “unused” subdomains lying around. These are a website security issue because they present hackers with an opportunity for hijack or takeover. The way this works is a little complicated, but ultimately not that hard for a dedicated bad actor.
The first step is yours: you create a subdomain and set its DNS record to point to a shared hosting account. Some time passes and the subdomain is no longer needed: the product is discontinued, a promotion or event ends, etc. In an effort to clean up your site, you delete the hosted setup. But you forget the critical step of removing the DNS entry that points at the shared hosting account. Now you’ve unwittingly created an opportunity for the bad guys.
Once the attacker has identified your abandoned subdomain, they link it to their own account. The shared hosting provider usually doesn’t validate domain ownership (it’s time-consuming). The hacker can’t alter any DNS records you’ve set up, but they can use the subdomain to redirect visitors to their web root directory.
There are a few other ways that hackers can leverage your hijacked subdomain. They can potentially read cookies sent from the main domain. They may also be able to circumvent content security policies (collecting protected user information like logins).
Case Study: Snapchat
Back in 2016, whitehat hacker Jake Reynolds discovered a recently abandoned Snapchat subdomain. The company was in the process of rebranding to Snap and had deleted its Tumblr blog without fully finishing the necessary cleanup work.
Reynolds opted to actually hijack the page (in a very mild and non-damaging manner). Snapchat responded to Reynolds’ report within 4 hours, and the vulnerability was mitigated in less than a day. It could have been much worse!
Good website hygiene should prevent most instances of typosquatting and subdomain hijacking. The tactics for each are a little different.
All websites need an SSL certificate. This digital document authenticates your site’s identity and enables encrypted connections. You’ll know a site you’re visiting has SSL when you see the padlock icon in the address bar.
To prevent URL hijacking/typosquatting, consider registering your domain as well as all of its common misspellings. Also consider buying your domain name with multiple different country code extensions (or ccTLDs).
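Registering misspellings means first knowing which ones to register or watch. The script below is an added example (not code from the original article) that generates the lookalike candidates a registrar or brand-monitoring list would start from, using the same kinds of typos the article describes (macdonalds.com, mcd0nalds.com). The function name `typo_variants`, the substitution table and the five generation categories are my own choices; the table is deliberately small and illustrative, not a complete homoglyph list.

```python
"""Generate typosquatting candidates for a domain you own so they can be
registered defensively or added to a monitoring watchlist."""

# Assumption: a small, illustrative table of character confusions commonly
# used in lookalike domains (0 for o, 1 for l, "rn" for m, and so on).
SUBSTITUTIONS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn", "nn"], "w": ["vv"],
}

CATEGORIES = ("omission", "transposition", "repetition", "substitution", "insertion")


def typo_variants(domain: str) -> dict[str, set[str]]:
    """Return candidate lookalike domains grouped by the typo that produces them."""
    label, _, tld = domain.rpartition(".")
    if not label or not tld:
        raise ValueError("expected a registrable name such as example.com")
    out: dict[str, set[str]] = {k: set() for k in CATEGORIES}
    n = len(label)
    # Omission: one character dropped (mcdonalds -> mcdonals)
    for i in range(n):
        out["omission"].add(label[:i] + label[i + 1:])
    # Transposition: two adjacent characters swapped (mcdonalds -> mcdoanlds)
    for i in range(n - 1):
        out["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Repetition: one character doubled (mcdonalds -> mcddonalds)
    for i in range(n):
        out["repetition"].add(label[:i] + label[i] + label[i:])
    # Substitution: one character replaced by a lookalike (mcdonalds -> mcd0nalds)
    for i, ch in enumerate(label):
        for rep in SUBSTITUTIONS.get(ch, []):
            out["substitution"].add(label[:i] + rep + label[i + 1:])
    # Insertion: a stray vowel inserted between characters (mcdonalds -> macdonalds)
    for i in range(1, n):
        for v in "aeiou":
            out["insertion"].add(label[:i] + v + label[i:])
    # Never list the genuine name itself; reattach the TLD to every candidate.
    return {k: {f"{c}.{tld}" for c in v if c != label} for k, v in out.items()}


def watchlist(domain: str) -> list[str]:
    """Flatten all categories into one sorted, de-duplicated list."""
    variants = typo_variants(domain)
    return sorted(set().union(*variants.values()))


if __name__ == "__main__":
    for category, names in typo_variants("mcdonalds.com").items():
        print(f"{category}: {len(names)} candidates, e.g. {sorted(names)[:3]}")
    print(f"{len(watchlist('mcdonalds.com'))} names to register or monitor")
```

The categories are separated so a budget-limited team can prioritise: single-character omissions and adjacent transpositions are the typos real users make most often, while homoglyph substitutions matter more for phishing lookalikes than for accidental traffic. A real program would also add alternate TLDs and ccTLDs, as the paragraph above suggests.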
To prevent subdomain hijacking, start by regularly validating your DNS records. For very small sites this can be done manually. For larger organizations, pentesting and reconnaissance tools can help you identify subdomains that could be taken over by hijackers. (This is what Jake Reynolds was doing when he discovered Snapchat’s abandoned subdomain.)
Above all, make subdomain and domain maintenance a regular part of managing your site. When you take down a relevant page, make sure to include an action item to delete subdomain records from DNS.
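The validation step described above can be automated as an inventory check: list every CNAME in your zone that points at a hosting provider where targets are claimed per account, and flag any target you no longer provision. The following is an added example (not code from the original article or from any tool it names); the zone fragment, the provider suffix list and the `PROVISIONED` inventory are constructed sample data, and `.invalid` is used as a placeholder provider domain. It is the offline half of the check; the online half would be confirming each flagged target with the provider.

```python
"""Audit a DNS zone for dangling CNAMEs: subdomains that still point at a
hosting target which is no longer provisioned in your own inventory."""
import re

# Constructed sample zone fragment in BIND-style presentation format.
ZONE = """
$ORIGIN example.com.
@           3600 IN A     203.0.113.10
www         3600 IN CNAME example.com.
blog        3600 IN CNAME blog-example.tumblr.com.
promo2019   3600 IN CNAME promo2019-example.shared-host.invalid.
shop        3600 IN CNAME shop-example.shared-host.invalid.
mail        3600 IN MX    10 mail.example.com.
"""

# Assumption: providers where a CNAME target must be claimed inside an
# account. Illustrative list; extend it with the providers you actually use.
CLAIMABLE_SUFFIXES = ("tumblr.com.", "shared-host.invalid.")

# Constructed inventory of hosting assets that are still provisioned.
PROVISIONED = {"shop-example.shared-host.invalid."}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)\s*$", re.IGNORECASE)


def parse_cnames(zone_text: str) -> dict[str, str]:
    """Return {owner: target} for every CNAME, with @ and relative names expanded."""
    origin = ""
    records: dict[str, str] = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if not target.endswith("."):
            target = f"{target}.{origin}"
        records[owner] = target
    return records


def is_claimable(target: str, suffixes=CLAIMABLE_SUFFIXES) -> bool:
    """True if the target lives under a provider where names are claimed per account."""
    return any(target == s or target.endswith("." + s) for s in suffixes)


def find_dangling(cnames: dict[str, str], provisioned: set[str],
                  suffixes=CLAIMABLE_SUFFIXES) -> list[tuple[str, str]]:
    """Flag CNAMEs to claimable providers whose target you no longer provision."""
    return sorted(
        (owner, target) for owner, target in cnames.items()
        if is_claimable(target, suffixes) and target not in provisioned
    )


if __name__ == "__main__":
    for owner, target in find_dangling(parse_cnames(ZONE), PROVISIONED):
        print(f"DANGLING: {owner} -> {target}  (delete the record or re-claim the target)")
```

Run this against an export of each zone on a schedule and treat every flagged record as a ticket: either the hosting asset is recreated under your account or the DNS record is deleted, which is the cleanup step the article says gets forgotten. The `www` record is ignored because it points back at your own apex, and `shop` passes because its target is still in the inventory.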