Bloggers & small business sites a target for cyber-criminals
Press Release
23 May 2013
There’s a gaping hole in cyber-security, and once again, the ‘little guy’ is at risk.
Experts warn Australians using WordPress or similar sites about the risk of being hacked by cyber-criminals unless they strengthen their security measures.
“Small businesses and bloggers often don’t have the money to invest in online safety – and also believe their small site or blog is ineffectual, when in fact its resources make it a prime target for hackers,” online expert Daniel Smith says.
These warnings come as part of Cyber-security Awareness Week 2013, and follow the world’s biggest ever WordPress and Joomla attack last month.
Mr Smith says the event demonstrates how easily small sites can be infiltrated and used to make a big impact as part of a systematic attack.
WordPress currently powers over 60 million websites and is read by over a quarter of a billion users every month. WordPress and Joomla were recently attacked by a botnet of tens of thousands of individual computers. The botnet targeted users with the login "admin", trying thousands of possible passwords.[i]
Mr Smith says accessing sites can be easy if pass-phrase security is lax, particularly when the user ‘admin’ is used.
“I liken it to a locksmith with a whole set of generic keys – he can turn the keys in many doors until he finds one that fits. Hackers have common password ‘keys’, and they roll trials of these words until one unlocks the computer, and enables them to use the resources that power the site, which are far more than could be gained by a singular desktop computer,” he explains.
He says the ramifications for individuals and businesses who become part of a botnet are loss of data, loss of secure personal information and break-down of the site.
“I know of victims who have had to close their business down because they have lost so much information without having any backups,” he says.
But he warns that hackers don’t always delete the information: they may leave it intact and plant backdoor files so that they can go undetected, making use of these resources again and again.
“Hackers can on-sell information to fraudsters, cyber-terrorists or spammers, and can also on-sell the entire botnet to be used in a distributed denial of service (DDoS) event,” he cautions.
A national credit expert warns fraudsters can use the information to commit identity theft – the fastest growing crime in Australia.[ii]
CEO of MyCRA Credit Rating Repair, Graham Doessel says information like dates of birth, account numbers, full names and other personal information can be used to steal your identity and take credit out in your name.
“Fraudsters have been known to go so far as to take out personal loans, credit cards and even finance homes in their victim’s name,” Mr Doessel says.
“Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.”
Defaults remain on the credit file of individuals for between 5 and 7 years.
“In the past it has not been easy for identity theft victims to prove they didn’t initiate the credit, particularly if they have no idea how they were duped in the first place. Often not much of a trail is left and prosecutions don’t come easily,” he says.
Both Smith and Doessel say prevention is key, and recommend you make some simple but important changes to the way you log in to your WordPress or other sites:
1. Use secure pass phrases. Come up with a unique scheme that is a minimum of 8 characters long – for example, every 3rd vowel could be a number or symbol – and always add some uppercase letters, numbers and any character that requires the shift key to type. Use multiple words in a pass phrase; you could use two unrelated words which are memorable to you.
2. Use a different pass phrase and user name for each account.
3. Use a unique user name – not the default setting. Never use ‘admin’ as a user name.
4. Minimise login attempts. Restrict the number of attempts to access the site before the user is ‘locked out’.
5. Include a 2-step verification plug-in. You can download a plug-in which requires 2-step authentication, similar to bank requirements, when logging in to the site. This is harder for hackers to infiltrate, but Mr Smith says many don’t use 2-step verification because it seems inconvenient.
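As an illustration of steps 1, 3 and 4 in working code (an added example, not code from the press release, MyCRA or WordPress), the following tracks failed logins per user name and locks the account once a threshold is reached, rejects the default ‘admin’ user name, and checks a pass phrase against the length and character-mix rules above. The thresholds (5 failures within 10 minutes, 15-minute lockout) and the extra forbidden name ‘administrator’ are assumed values, and the replayed guessing sequence is constructed sample input.

```python
"""Login-hardening example: lockout after repeated failures plus a
pass-phrase and user-name policy check. Thresholds are assumptions."""
from collections import defaultdict, deque

MAX_ATTEMPTS = 5            # assumption: lock after 5 failures ...
WINDOW_SECONDS = 10 * 60    # ... within a 10-minute window ...
LOCKOUT_SECONDS = 15 * 60   # ... for 15 minutes
MIN_PASSPHRASE_LEN = 8      # step 1 of the recommendations
# step 3: never use the default name; 'administrator' is an added assumption
FORBIDDEN_USERNAMES = {"admin", "administrator"}


def check_username(name):
    """Return True if the user name is acceptable (not a default account name)."""
    return name.strip().lower() not in FORBIDDEN_USERNAMES


def check_passphrase(passphrase):
    """Return a list of policy problems; an empty list means the pass phrase passes."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("too short")
    if not any(c.isupper() for c in passphrase):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no digit")
    # "any character that requires the shift key": a non-alphanumeric, non-space symbol
    if not any(not c.isalnum() and not c.isspace() for c in passphrase):
        problems.append("no symbol")
    return problems


class LoginGuard:
    """Counts failed attempts per user name inside a sliding window and
    refuses further attempts for LOCKOUT_SECONDS once the limit is hit."""

    def __init__(self):
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> time the lockout expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset the counter
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Record one failed attempt; return True if it triggered a lockout."""
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def simulate_attempts(attempts):
    """Replay (timestamp, user, success) tuples through a LoginGuard and report
    how many attempts were actually evaluated and how many were refused."""
    guard = LoginGuard()
    checked = blocked = 0
    for when, user, success in attempts:
        if guard.is_locked(user, when):
            blocked += 1
            continue
        checked += 1
        if success:
            guard.record_success(user)
        else:
            guard.record_failure(user, when)
    return {"checked": checked, "blocked": blocked}


# Constructed sample: 20 wrong guesses against 'admin', one per second,
# the shape of the dictionary attack described above.
GUESSING_RUN = [(t, "admin", False) for t in range(20)]

if __name__ == "__main__":
    print(simulate_attempts(GUESSING_RUN))     # only the first 5 guesses are evaluated
    print(check_username("Admin"), check_passphrase("password"))
```

Locking by user name alone has a cost worth knowing: anyone who can send five wrong passwords can lock the real owner out for fifteen minutes, so production plug-ins usually combine a per-user counter with per-source-address limits and log every lockout so the pattern of guessing is visible.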
“We may need to get a little inconvenienced to prevent what could be a personal or business disaster, or in worst case scenario, a future global disaster,” he says.
MyCRA is a partner for Cyber Security Awareness Week 2013 - an Australian Government initiative through Stay Smart Online, to help Australians using the internet – whether at home, the workplace or school – understand the simple steps they can take to protect their personal and financial information online.[iii]
To stay one step ahead of fraudsters, you can subscribe to Stay Smart Online Alerts at no charge - which lets you know about cyber issues as soon as they unfold http://www.staysmartonline.gov.au/alert_service.
[i] http://www.bbc.co.uk/news/technology-22152296
[ii] http://www.crimecommission.gov.au/publications/crime-profile-series-fact-sheet/identity-crime
[iii] http://www.staysmartonline.gov.au/awareness_week
ENDS