Maciej Nowak delivered an insightful and experience-driven talk at WordCamp Porto, focusing on the real-world implications and practices surrounding WordPress security. Drawing from his agency’s hands-on experience and highlighting case studies, Maciej emphasized why proactive measures are essential in today’s world. His goal was to raise awareness and encourage website owners, developers, and administrators to take security more seriously – starting with the basics.
Maciej Nowak [00:00:16]:
Alright. So hi, everyone. Thank you very much for coming in such a big number. When I was preparing for the presentation, from how to talk and everything, what I heard is: if you are stressed, don’t think that you are stressed, think that you’re excited. So I haven’t been so excited for a long time. So, thank you very much once again for coming. And the reason I wanted to talk about security is because we come across, day after day, websites that are with malware, basically, or that are hacked. So I thought, there are security talks at every WordCamp, and I wanted to raise awareness about the practices that will let you sleep tight at night, that will make you safer.
Maciej Nowak [00:01:09]:
But it has to start somewhere, and that somewhere is at the beginning, so I want to raise awareness about being more proactive in protecting your website. Not only building the website and that’s it, but rather: what can you do to make your website protected and safe? There is a saying that there are only two kinds of people: those who are doing backups and those who will be doing backups. So I think this is a similar situation with security, and it works. It doesn’t work.
Maciej Nowak [00:01:46]:
So, a few things about me: I’m an ex-iOS developer running an agency now. So there is a bit of a transition. We have been on the market for twelve years, and I also have a podcast. After hours, I run, read books, and my recent passion is Brazilian jiu-jitsu. I saw a gentleman here with a Brazilian jiu-jitsu hoodie, so I have to find that person to talk. What we will talk about today: the intro, that’s done. We will talk a little bit about motives for hacking, so you have a why: why would anyone want to hack your website? So we will talk about those motives a little bit.
Maciej Nowak [00:02:27]:
We will also talk about some infections that I can share with you. What are the sources for those attacks, what are the reasons it is even possible. We will also talk about those practices that I mentioned, a little bit about OWASP and what it is, and we will recap. So what are the motives for hacking? And before we start, I would like you to raise a hand, please raise a hand if you have ever been hacked, or your laptop or your website. So I’m very curious. Alright. So it’s like 50% of the room, which is a little bit scary. So the other ones who didn’t raise a hand, you are probably in the queue, or maybe not.
Maciej Nowak [00:03:21]:
Alright. So let’s talk about motives for hacking. So obviously, that’s financial gain. This is data theft, and data now, data is money. So you can also merge those two: you can sell the data later on. Malware distribution, because you have to have that network that can deploy malware to your website that will make the website infected, but also the compute power to do these things. Hacktivism. So we don’t like someone, so we will hack their website. Cyber warfare, and this was very prominent when the war in Ukraine started.
Maciej Nowak [00:03:59]:
You could see the Anonymous group hacking this government website, that government website. So this is also falling into hacktivism, but also cyber warfare a little bit, and governments doing this, with the famous plants in Iran breaking because of the hacks on hardware, on plants. Reputation and challenge: so, I can do this, so I will. And espionage, this is probably not applicable to our case. And personal vendetta: please be kind to your colleagues. Now, let’s talk about the first four, because the other ones are probably not very applicable to our group. Let’s talk about financial gain, data theft and malware distribution.
Maciej Nowak [00:05:03]:
What are the ways you can gain financially from attacking a website? The first group that is most, let’s say, on the spot are all of the ecommerce platforms, because there is money going through the ecommerce platform. There is a lot of AdWords that is driving traffic. So there are a lot of customers on those websites, and wherever there is money involved, this is like a honeypot. So you can think about credit card skimming, and these kinds of hacker groups are called Magecart. So it comes from Magento. This was originally initiated through Magento and is spreading to other ecommerce platforms. So this is software that lets you hijack credit card numbers, and then you can either sell those credit card numbers or you can use them to do this on your own. Also ad fraud, which means you have ads for stuff that is a scam, and then that financial gain is coming from the scam product that you purchased.
Maciej Nowak [00:06:17]:
So in fact, the website puts up some fake banners and someone is buying, you know, US visas, and you gain financially. Cryptojacking, so injecting, for example, JavaScript miners on your website. So whenever someone enters your website, JavaScript code runs on your laptop, your CPU goes, and you are mining Bitcoin or any other currency for someone. So it’s like offloading CPU compute power to your local machine so that someone is benefiting from that. It’s like a distributed network through those machines. And this is not an infection of your laptop. It’s just you are renting your CPU for someone else’s benefit. Phishing campaigns, which means you can share data that will be used later on to hack you.
Maciej Nowak [00:07:14]:
Banking is a very prominent example of this, but it doesn’t mean that if you enter a regular WordPress website, a company website, you can’t be presented a phishing page, or that your website can’t be a source, like a hosting, for those pages to be presented somewhere else. So, again, it’s like overtaking infrastructure for, how to put it, for other benefits, like, for example, displaying those phishing pages. Fake product listings. So, again, you are buying something that will never arrive. SEO spam: when you are infected, for example, there are links and backlinks directing to other websites, and you are losing your reputation for someone else to gain reputation for their website. So if you have high ranking, good reputation of the website, that is stolen from you; you will lose your reputation and someone else will gain it. It’s like black SEO, but even more black than regular black SEO. Payment gateway manipulation.
Maciej Nowak [00:08:23]:
So you can be hacked, and the details for the money can be offloaded to someone else. So it’s not only credit card theft. The payment can be manipulated, even if it is a bank transfer, to arrive somewhere else, not to the recipient you think will get it, but to someone else, a hacker, in this way. Cookie stuffing, and this is interesting because it’s very common, as common as SEO manipulation. When the website is hacked, you click a link and then there are like six, seven pages opened in a cascade, and every load creates a cookie, and those cookies are valuable for hackers or bad people because they can be assigned to a purchase or an affiliation or whatever. So there is some benefit in doing this, because at mass scale you’re going massively into these kinds of activities. Exploit. So this is again gaining a network of infected machines which host malicious code that can then later be sent or injected somewhere.
Maciej Nowak [00:09:42]:
So this is part of the automation, when bots are scanning the websites, find vulnerabilities, and the code has to be deployed from somewhere. So the infection is associated with the code. And this is like hosting of code that is injected into a website. Now, I will show a couple of examples of websites that we came across when taking over websites of our clients. And the first case, it’s a big government organization. This is a very big government organization. And the situation we had with them is that they were infected at some point. They have 15 websites.
Maciej Nowak [00:10:32]:
So that organization has 15 different websites for different departments or different initiatives, and they were all hosted on an AWS Lightsail server, which is important because Lightsail in their configuration didn’t have any separation between those websites. What happens is, if you have websites on a server that has no separation between them, if you have more than one, you will have to clean all of them. So it’s like you have a basket of eggs and you drop that basket and all of the eggs are cracked. So, how was it possible? There was no separation of domains, of websites. We don’t know what the original attack vector was, but within 15 WordPress websites, none of them being updated on a regular basis, done by myriads of agencies across the years, there is no way of knowing who is the culprit. Right? But at the end of the day, we have to manage the mess, and what’s interesting also is that they were not infected to gain financially. The website got deleted over and over. So the website went down.
Maciej Nowak [00:11:55]:
There’s no website. Okay. What do we do? We restore from backup. Right? And we cleaned all of those websites manually. It’s a pain. It’s a huge pain to clean them if they are different versions. There is a big chaos there. And we scanned them with two scanners.
Maciej Nowak [00:12:17]:
We put them back and they got infected again. So we clearly either missed something, or the hole is deeper down on the WordPress level, let’s say, or there is something very custom on one of those 15 websites that lets those attackers enter. Or someone at the government organization is hacked, and hackers know their login details and go in as admins over and over again, even though we, for example, changed the password. So what we are doing right now is moving them to a server with domain separation, so that we can pinpoint which website is letting the hackers into their premises, let’s say, into the server, so that we can find the root cause for that. No other way around this. Below you can see code that, if you see something like this, is certainly malicious, because it goes to the top of the server infrastructure and searches for index and wp-config files, so that you can get access to the settings of the WordPress website and you can impact other websites. Right? So you crawl the whole folder tree, being in one website, looking for other websites. Right? So you have a helicopter view of the whole website structure.
Maciej Nowak [00:13:55]:
Case number two. It’s an ecommerce platform. We are taking over that ecommerce platform. Update policy: on demand, which is raising an alarm, but we can’t do anything about it. It’s the client’s decision. And we are in a situation where the last update was done four months ago. And what happens? How did that infection start? There is a vulnerable plugin installed on this website. Wordfence and Patchstack release a memo on their website that there is a vulnerability in that plugin, and this is fixed.
Maciej Nowak [00:14:37]:
So, WordPress community, please update your vulnerable plugin. This is a patch, this is fixed. Please do this. What happens? Three days later the website got infected through that exact plugin. Now, is Patchstack or Wordfence to blame? Obviously not. The way they do this is they contact the plugin makers privately. They say to them: there is a vulnerability, you have to fix it.
Maciej Nowak [00:15:09]:
We are waiting for you to fix it. The plugin maker fixed the plugin. It’s officially available for updates. It’s available for auto-updates as well. So Wordfence and Patchstack are releasing the memo so that everyone goes and updates the plugin. Now, if the client doesn’t update and hackers know about this, you can make a diff on the code. You know exactly where the problem is and you know how to hack that website. Right? So it’s like a double-edged sword.
Maciej Nowak [00:15:38]:
All of those security updates are a double-edged sword, because you then know how to hack a website on that version. Right? So you have to be aware that you have to be updating the plugins as soon as possible, before those releases are released, because otherwise it’s like an alarm on a loudspeaker: there is a bug. Right? There is a bug. What also happened, and went unnoticed, is that the hacker got access to the website and created a Wordfence admin user, which is most funny, because Wordfence is a very known word in the WordPress world, and it went unnoticed. We have cleaned the account, and the client decided to do updates more often, on a regular basis. Oh, sorry. This is an old presentation, or I didn’t update the title. So another example is very interesting, because this is a little bit different.
Maciej Nowak [00:16:45]:
This is also a very known brand and they are on a VPS server. So, again, there is a lot you can do if you get access. The website gets a lot of pop-ups, with those visas, for example: buy a US visa for, I don’t know, $150. Right? It’s a scam for sure. And it’s a big website, rather old, with a lot of custom code, and what the hacker gained is, they added SSH keys to the server. So they had open connections to the bare metal machine. Right? They could do everything with the website.
Maciej Nowak [00:17:27]:
They had a cron job that was adding code. If the code was removed, it was added back through a regular cron job, and they also had admin users. So there were many open vectors of attack for that particular website. If the website is cleaned, then there is the SSH connection. If this doesn’t happen, then there is the cron job fixing that. So on and on. And we cleaned the code. We have reset the passwords for all of the users.
Maciej Nowak [00:17:54]:
We have removed old people, all accounts, from the organization. We even switched the platform, because we were thinking maybe it was like a sloppy server hosting company. We switched to a dedicated WordPress platform, and there was a comeback. Right? So what happened? We did everything and there’s a comeback. Right? What happened? There was custom code written for us, like special functionality, that was taking user input which was unsanitized, and it was a clear SQL injection. And at the end of the day, that was allowing the hacker a fourth way back to the server. What are the sources of those attacks now? Patchstack published a big report in February 2023, and they are saying that 97% of all vulnerabilities are coming from plugins. Now there is also Thomas Raef, who also published a 2023 report saying that stolen session cookies were the root cause for 60% of attacks or incidents.
Maciej Nowak [00:19:11]:
Now, what does it tell you exactly? Should you patch the plugins? Should you do the updates? You know why? Because there is still 60% of the attacks that will happen through stolen sessions. Is it the same thing? It’s not. So is it 40% of non-stolen-session incidents, out of which 97% were attacks through plugins? Not necessarily. What Patchstack reports are the holes. So holes happen in the plugins. But does this mean all of the attacks are coming through those holes? No. I was in shock when I was reading this, and that report on stolen session cookies was, I think, from two months ago. So what happens is that both are true.
Maciej Nowak [00:20:07]:
Patchstack reports, it’s like the guy sitting on the gold in that safe, and he doesn’t see the safe is taken out of the building with him inside. Right? Patchstack analyzes the source code and reports on the source code. What Patchstack doesn’t have access to is the number of incidents, because if you have access to the server, you can manipulate the data, and Wordfence or Patchstack doesn’t see this. What Thomas Raef is reporting is based on the outcomes, on the incidents, on the hacks, because he has a company called We Watch Your Website and they are running code at the server level monitoring the website. So they see logs and they are reporting based on that. And what happens is they are seeing logs, they are seeing a lot of logs with the data, with login details. So those login details are coming from those machines. So what you can do is protect your sessions.
Maciej Nowak [00:21:16]:
If you are an admin, what you can do is log out from the admin session as often as possible. If there is no session, there is no hijacking. Now, if your sessions are leaked, it means maybe you have an info stealer or malware on your computer. So the first thing you should be protecting is your own premises: your laptop, not using open networks, basic stuff, the stuff that we are telling our grandmothers, grandfathers, mothers, fathers and so on, that you should be protecting your own PCs. So this is very important, because this is not on our radar as developers: okay, we have to protect the websites, we have to sanitize SQL and everything, but then you have your own PCs, and if someone gets access to your computer as a developer, there is a high chance. There is a number of websites, not only one website, but there are tons of websites we’ve been building for our clients, for example. And we have all of those websites logged in as admins, because we were developing those websites.
Maciej Nowak [00:22:24]:
Right? So this is a very overlooked thing, that we have to protect our own first. Like in an airplane: you put on your mask first and then on your child, because someone has to take care of the child later on. How to prevent that and what to do? Because I have covered your own computer, but can we just not do anything about our websites? Like, plugins, don’t update them? No. We can’t, because it is so easy to get infected. So you have to be protected. And there was a case like that: Patchstack reported that vulnerability, and our website was infected three days later. So if you don’t update your plugins, it’s guaranteed that you will get hacked, but it’s not enough. That’s why you have to protect your own environment too. Now, what to do to protect that website part? You have to update websites as often as possible, and maybe even turn on auto-updates if they are not breaking your website, because between a zero-day vulnerability and the patch there is a couple of days, and then when the release goes out, you have to be already updated.
Maciej Nowak [00:23:49]:
You have to do backups as well, because at some point the infection was done, but you have to have somewhere to revert to. And you have to do the backups on an external machine. Now, if you go to Google and google UniSuper, you will see that a 125,000,000,000 US dollar company got wiped out by accident on Google’s end. And this is from two weeks ago. A $125,000,000,000 company got accidentally deleted from Google Cloud because of an error. Unheard of. And the reason: it’s an Australian pension fund. So grandmothers and grandparents didn’t have access for a week to their platform, to their banking platform, in fact.
Maciej Nowak [00:24:38]:
They had a backup from an external provider. It took seven days to restore from an external provider, even though they were based in two separate locations. I have to run. You have to protect your accounts also. Now, you can’t use shared accounts, because if someone gets infected you don’t know who that was, and this is very common. What else is very important: protecting the REST API. This is a real use case. Go to the JSON API and test a couple of your clients’ websites, because there are usernames.
Maciej Nowak [00:25:19]:
Most of the time, there are usernames leaking. And if there is an admin there, that’s probably really an admin. And also the login screen: if it confirms the username, it’s a bad practice. There is zero reason someone should know that there is an admin account and that this admin account is a correct admin name. How to treat your passwords? Like Snowden in that famous movie, typing the password. No one could see the password. Now you can discuss if it’s really impossible to see the password, because there are some techniques I heard of that make it possible to read that password. And OWASP.
Maciej Nowak [00:25:59]:
OWASP is a good starting point for you to have a helicopter view, to know what’s going on. There is a 2017 and a 2021 version. There is an update coming in 2024, so it will get updated, but I wanted to tell you what OWASP is. And OWASP is the 10 most common areas that are problematic and from where the problems in security are coming. Let’s take insecure design. And if you go to the OWASP page and go, for example, to insecure design, there are examples that will explain how you can think about bad design, insecure design. And for example, you can have a design in which you restore a password by questions and answers. And this is a forbidden practice from the OWASP perspective.
Maciej Nowak [00:26:57]:
And guess what? Do you know the most famous questions-and-answers password recovery website? Google’s. So if you are on iCloud, there are those answers you can give to restore your password, which is forbidden by OWASP. There are also other examples. I have to run now. Sorry. And even OWASP can get hacked, and it was published on April 1. And this is no joke. They got hacked on their old wiki page, which also stored OWASP contributors’ personal data. It’s a GDPR breach.
Maciej Nowak [00:27:45]:
We are in Europe and this is a problem, because they got hacked, and they are security people. So everyone at some point will get hacked. To recap: your website is always a target. If you are asking why anyone should hack my website, you should be asking why anyone shouldn’t be hacking your website. You are certainly a target, because you have compute power to be taken advantage of. And this is all automated. So there is no human going after you, most of the time. You have to be doing updates as often as possible, and there are certain measures I covered: you should be protecting yourself and your own machine.
Maciej Nowak [00:28:38]:
And if you want to start somewhere, start at OWASP, to get some kind of footing about what security is in your own environment, let’s say. Thank you very much. There is a survey. You can scan the code. There are three questions. Please roast me. I would like to hear your feedback. Yeah.
Understanding the reasons behind website attacks is a crucial first step in building awareness. Maciej outlined several key motivations:
Maciej shared vivid examples of website infections his agency handled:
Hosted on a single AWS Lightsail server without isolation, all sites were compromised. The lack of regular updates, the involvement of multiple agencies, and an unclear attack vector made it difficult to identify the original source. Even after cleaning and restoring from backup, infections recurred, pushing the team to implement domain separation for further investigation.
A plugin vulnerability, patched and disclosed by Patchstack and Wordfence, led to an infection three days after the advisory. The hacker added a fake admin user named “Wordfence,” highlighting the dangers of delayed updates. This prompted the client to adopt a more regular update schedule.
This case involved SSH key insertion, malicious cron jobs, and admin account manipulation. Even after switching platforms and thoroughly cleaning the system, the infection returned because custom-built code passed unsanitized user input into a query, allowing SQL injection.
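The kind of custom lookup case 3 describes, as an added example that is not the agency’s or the client’s code: the same WordPress REST handler first with the caller’s input concatenated into the query, then hardened with `$wpdb->prepare()`, input validation and a permission check. The table name, route and function names are hypothetical.

```php
<?php
// Added example, not the agency's or the client's code: a custom order lookup of
// the kind case 3 describes, registered as a WordPress REST route. The table
// name, route and function names are hypothetical.

// VULNERABLE (shown for contrast, not registered below): the caller's value is
// spliced into the SQL text. A quote character inside it ends the string
// literal, and whatever follows is parsed as SQL rather than matched as data.
function osom_demo_order_lookup_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $ref = $request->get_param( 'ref' );
    $sql = "SELECT id, status FROM {$wpdb->prefix}custom_orders WHERE ref = '" . $ref . "'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED: the value is bound through a placeholder, so the query text is fixed
// and the input is always escaped and treated as a string.
function osom_demo_order_lookup_safe( WP_REST_Request $request ) {
    global $wpdb;
    $ref = $request->get_param( 'ref' );
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}custom_orders WHERE ref = %s",
        $ref
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'osom-demo/v1', '/order-lookup', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'osom_demo_order_lookup_safe',
        'args'                => array(
            'ref' => array(
                'required'          => true,
                // First layer: reject anything that is not a short reference
                // code before the callback runs; prepare() is the second layer.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && 1 === preg_match( '/^[A-Za-z0-9-]{1,32}$/', $value );
                },
            ),
        ),
        // Case 3's endpoint was reachable by anyone; require a capability.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```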
The origin of attacks was analyzed through reports by Patchstack and Thomas Raef:
This shows that while code vulnerabilities are widespread, securing developer and admin environments is equally critical.
Security isn’t just about the server—it’s also about the user:
Maciej summarized practical steps every WordPress user should take:
He also referenced OWASP’s top 10, particularly criticizing recovery methods via Q&A, still used by platforms like iCloud despite being discouraged.
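Three of the practical steps above (no usernames from the JSON API, a login screen that does not confirm usernames, shorter admin sessions) as an added example must-use plugin; this is not code from the talk or from Osom Studio. It assumes WordPress 5.5 or newer and uses core filters only.

```php
<?php
/**
 * Plugin Name: Osom demo hardening (added example)
 * Description: Illustrates three of the steps from the talk as a must-use
 * plugin. Place in wp-content/mu-plugins/. Not code from the talk or from
 * Osom Studio; assumes WordPress 5.5 or newer and uses core filters only.
 */

// 1. Usernames via the JSON API: the talk's check is to open /wp-json/wp/v2/users
//    on a site and see the account list. Hide every users route from anonymous
//    callers; logged-in users (and the block editor, which needs it) keep it.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. A login screen that does not confirm usernames. Core returns different
//    errors for "unknown username" and "wrong password for <username>"; collapse
//    the ones that reveal whether an account exists into one generic message.
add_filter( 'authenticate', function ( $user ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( array_intersect( $user->get_error_codes(), $revealing ) ) {
        return new WP_Error( 'invalid_login', 'The username or password is incorrect.' );
    }
    return $user;
}, 100 );

// 3. Shorter sessions. A stolen auth cookie is only as useful as its lifetime;
//    core keeps it for 2 days, or 14 with "Remember Me". Cut that so an admin
//    who forgets to log out is exposed for hours rather than weeks.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 4 * HOUR_IN_SECONDS;
}, 10, 3 );
```

Logging out explicitly, as the talk recommends, still matters: this only bounds how long a leaked cookie stays valid.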
Maciej concluded with a strong reminder: if you think your website isn’t a target, think again. Most attacks are automated, looking to exploit any opening—compute power, traffic, or reputation. Start by securing your environment and learning from frameworks like OWASP.
“Everyone gets hacked eventually,” he warned, even security organizations like OWASP itself. The best defense is to stay prepared and proactive.