Hollywood would have you believe that most websites are hacked by hoody-wearing teens from their bedrooms, or by a shady-looking man from a basement. The reality is different from the movies: many websites are breached by highly organised criminal gangs using sophisticated techniques that evolve as quickly as the defences against them.
Worldwide, cybercrime is on a dramatic rise. Its global cost is expected to surge from $9.22 trillion in 2024 to $13.82 trillion in 2028. And as more people come online there are increasing opportunities for criminals to exploit, destroying data and stealing money, personal information, and intellectual property. One in two businesses reported a cyber breach or attack in the past 12 months, according to a UK government survey.
In line with this trend, WordPress websites are an increasingly popular target. The widespread use of the platform – it powers over 40% of websites – makes it an attractive target for malicious actors. It’s estimated that a WordPress site is compromised every nine minutes on average.
The hacking underworld
What was once a disorganised landscape of individual hackers motivated by everything from financial gain to the pursuit of notoriety has evolved into a fully-fledged marketplace complete with buyers, sellers and middlemen. Today, hacking is a multi-billion dollar business, complete with its own R&D budget and corporate structure.
Hacking forums and marketplaces have emerged on the dark web – the part of the internet intentionally hidden from standard browsers and search engines – offering everything from hacking tutorials and tools to hacking services for hire and bundles of stolen data from previous breaches.
The players
On the supply side are the hackers themselves – tech whizzes motivated by everything from financial gain to political causes to the pursuit of notoriety. While some are self-taught freelancers, others operate as part of organised groups leveraging their combined resources and skills.
Individual hackers often work for themselves or take on freelance jobs for individuals or small businesses. This might include small-scale identity theft, fraud or website defacement. Or sometimes they may be recruited for black hat SEO – using their skills to game search algorithms, such as with keyword stuffing or creating networks of websites that link to one another to boost rankings.
With more resources and specialised skills, larger groups often take on more complex projects with bigger targets and potential payoffs. Their clients may include criminal gangs, nation states or large corporations. And their work may include carrying out large-scale data breaches of major companies, stealing sensitive data, conducting corporate espionage, or state-sponsored cyber-attacks, for example.
No matter who the client is, they can easily find and hire hackers through the growing number of dark web forums and marketplaces that have cropped up which offer anonymity and enable illicit transactions.
It’s important to point out that not all hackers’ work is for nefarious purposes though – some larger companies work with ethical hackers on bug bounty programmes, encouraging them to find, report and fix security flaws before malicious hackers can access them, for example.
The middlemen
Sitting between the cybercriminals and their clients these days there is often a tier of middlemen who act as intermediaries. Sometimes referred to as ‘initial access brokers’, these cybercriminals play an important role in the modern cybercrime ecosystem. They often specialise in gaining unauthorised access to networks and systems, which they then sell on.
The emergence of these brokers has been significant in the world of cybercrime, representing a shift towards a more specialised and professional system. It has also lowered the barriers to access, allowing actors with a narrower range of technical skills to carry out attacks. It also complicates efforts to defend against cyberattacks and investigate cybercrimes.
The economics
The pricing models for these hacking services range from flat rates or monthly/annual subscriptions to “pay-per-hack” models based on the target’s size, complexity, and value of the data being sought.
Factors like a website’s defensive countermeasures, integration with cloud services or third-party apps, and overall size and complexity of its infrastructure can drive up the hacking fees.
But it might surprise you how low entry point prices are – just $15 will buy a hacked credit card with a CVV code. For little over $100 criminals can buy databases of hundreds of emails or compromised online banking details. A website can be hacked for under $400 on average and custom malware created for just over $300.
Bitcoin and other cryptocurrencies are commonly used for payment to preserve anonymity. And money trails can be further obfuscated by middlemen.
The tactics
The strategies deployed by hackers can be both brutally simple and incredibly sophisticated. And they are also quick to evolve, with malicious actors caught in a continual game of cat and mouse with the security countermeasures deployed against them.
Social engineering is one common ploy, where deception is used to manipulate people to reveal sensitive information or grant access – think phishing emails claiming you’ve won competitions or owe someone money. Increasingly, AI is being used to write ever-more convincing emails, making the deception harder than ever to discern.
Once your information has been stolen it can be sold on the dark web to be used in a number of ways – perhaps your financial information could be used to buy things, transfer funds or open new accounts in your name. Personal information like date of birth and address can be used to create fake identities, or apply for loans. Or perhaps cybercriminals might opt for an entire account takeover of your email, social media or financial services.
These dodgy emails can also be used to distribute malware to infect systems, steal data or gain control.
Other methods focus on exploiting vulnerabilities in the infrastructure itself. This includes network attacks, where weaknesses in protocols or configurations in servers, firewalls, computers, routers or any other connected device can provide a way in for hackers. Software attacks meanwhile see criminals gain access through bugs or flaws in software code.
Bots are commonly used across these methods, spamming and phishing accounts, spreading malware, and scraping data, for example. Bots can rapidly try numerous password combinations to gain access through brute force. And they can turn entire systems into zombies under their control – known as botnets – which can then act en masse to carry out large-scale attacks that can overwhelm websites or networks.
Bots are also ideal for carrying out non-targeted attacks on whichever victim they can find – scanning for and exploiting known vulnerabilities in sites like WordPress, as well as their third-party plugins.
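For site owners, both bot behaviours described above leave traces in the web server's access log. The following Python sketch is an added example, not part of the original article: it flags client IPs that show repeated failed WordPress logins or probe many plugin paths that do not exist. The log lines, plugin names and thresholds are constructed for illustration, and it assumes the log covers one short time window and that a failed login re-renders the form with status 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict

def _line(ip, method, path, status):
    # Build one constructed access-log line in combined log format.
    return f'{ip} - - [10/May/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log: documentation-range IPs, made-up plugin names.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("198.51.100.9", "GET", f"/wp-content/plugins/{p}/readme.txt", 404)
       for p in ("example-slider", "example-forms", "example-backup")]
    + [_line("192.0.2.10", "POST", "/wp-login.php", 200),   # one mistyped password
       _line("192.0.2.10", "POST", "/wp-login.php", 302),   # then a successful login
       _line("192.0.2.10", "GET", "/", 200)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def summarise(log_text):
    """Per IP: count of failed login POSTs and set of missing plugins probed."""
    stats = defaultdict(lambda: {"failed_logins": 0, "plugins_probed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if method == "POST" and path == "/wp-login.php" and status == "200":
            stats[ip]["failed_logins"] += 1
        elif status == "404" and path.startswith("/wp-content/plugins/"):
            plugin = path.split("/")[3]
            if plugin:
                stats[ip]["plugins_probed"].add(plugin)
    return stats

def flag_bots(log_text, login_threshold=5, plugin_threshold=3):
    """Return {ip: [reasons]} for IPs at or above either threshold."""
    findings = {}
    for ip, s in summarise(log_text).items():
        reasons = []
        if s["failed_logins"] >= login_threshold:
            reasons.append("brute-force")
        if len(s["plugins_probed"]) >= plugin_threshold:
            reasons.append("plugin-scan")
        if reasons:
            findings[ip] = reasons
    return findings
```

Flagged addresses are candidates for rate limiting or blocking; the thresholds need tuning against a site's normal traffic.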
Evading justice
As hacking becomes a more sophisticated industry, hackers are also constantly innovating to find new ways to evade detection, maintain anonymity, and cover their tracks.
Middlemen may be a ‘physical’ barrier but there are plenty of technology tricks they can employ as well. This could include using multiple proxy servers, VPNs and encryption, which work to mask identity and location. Meanwhile Tor – or onion – browsing protects hackers against web traffic analysis and network surveillance by encrypting data in multiple layers and routing traffic through a series of nodes, each of which knows only the node before and after it and not the entire path.
The aftermath
For targeted organisations, being on the receiving end of a successful hack can have devastating consequences. Beyond the immediate financial impact of theft, ransomware demands or legal penalties, there’s the often irreparable damage to a company’s reputation, consumer trust, and brand value.
This can be particularly damaging for small and medium businesses, which are often a favoured ‘easy’ target for hackers as they often lack the sophistication and defences of larger organisations.
So, website owners need to stay ahead of evolving cybercrime tactics by rolling out defences on multiple fronts – shoring up technical vulnerabilities while also guarding against human errors that open the door to crafty social engineering attacks. This includes keeping software updated, controlling access, using secure third-party plugins and applications, and ongoing security awareness training.
It’s easy to fall into the trap of thinking ‘it won’t happen to me’. But as shadowy underground markets grow, no business or individual can afford to ignore the threat. And in this continual arms race, staying vigilant is imperative. So next time you log on, pause and consider who could be watching.