How much will it cost to compromise Amazon? Several million GBP, plus time, excellent technical skills and a bit of luck. Not many Black Hats have the necessary skills, time and resources to launch attacks against the biggest players in the e-commerce industry, so instead they compromise a dozen small and medium online shops per day and make their money on the "every little helps" principle.
How will they find your website on the Internet? Easily: Google is the hacker's best friend. Bots, hidden behind millions of proxies, crawl the World Wide Web 24/7/365 looking for outdated versions of web application software or brute-forcing default and weak passwords.
In untargeted attacks, hackers make money on very large quantity, not quality. I will not even list all the goals hackers may have for hacking your website: besides the banal theft of your databases, they infect your website with malware to conduct drive-by attacks against your visitors, turning them into zombies for DDoS attacks, and go as far as creating hidden sections with illicit content for which you may be held responsible.
Web applications are one of the easiest and most popular attack vectors used by hackers today. During the last three years High-Tech Bridge Security Research Lab has identified almost one thousand vulnerabilities in commercial and open-source web applications installed on tens of millions of active websites.
Unfortunately, hackers have far greater resources and a predictable ROI (Return On Investment), which allow them to achieve much more impressive results. The number of web security incidents grows constantly, while the quality of web application coding and users' awareness of security do not keep pace. Remember that Black Hats may select your website as a target at any time; in fact, one day they will, so it is only a question of time. After this brief overview of attackers' motivation in the first part, we will look at the most common web hacking techniques, countermeasures and the investigation process in the second part.