Dangers of Compromised Websites

Submitted by Bruce Abel on Wed, 10/09/2019 - 13:54

Your website is a valuable prize for cybercriminals. The abuse of sites by bad actors affects both their owners and the greater security ecosystem.

This article is a timely reminder that although not all website platforms are created equal, Drupal sites are not invulnerable.

There have been a range of software updates to fix very important security issues discovered in the Drupal CMS in the last 12 months. This is quite unusual historically, but nevertheless - these security issues were significant.

Over time it's common for security issues affecting the software used to build websites to be identified and for the problems to be addressed via software updates. These updates may fix vulnerable Drupal Core or Drupal Contributed Modules. Your website was built using a combination of both: Drupal Core and Drupal Contributed Modules.

It's a common sense step to secure your website wherever possible. This involves regularly checking to see if there are any relevant updates available for your website, implementing the updated version and performing basic testing to ensure function is as expected. This requires development skills - therefore time and expense to properly implement.
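As an added example (not from this article or the hosting provider), the script below shows how the "check for relevant updates" step can be prioritised for a Composer-managed Drupal site: it merges the JSON output of `composer outdated` with that of `composer audit`, so packages with a published security advisory come first, then minor/patch updates, then major updates that need more testing. The sample outputs are constructed for the example, and the JSON shapes are assumed from Composer's `--format=json` output.

```python
import json

# Constructed sample output, shaped like `composer outdated --format=json`
# (assumed fields: name, version, latest, latest-status).
OUTDATED_JSON = json.dumps({"installed": [
    {"name": "drupal/core", "version": "9.5.9", "latest": "9.5.11",
     "latest-status": "semver-safe-update"},
    {"name": "drupal/pathauto", "version": "1.11.0", "latest": "1.12.0",
     "latest-status": "semver-safe-update"},
    {"name": "drupal/webform", "version": "6.1.4", "latest": "6.2.0",
     "latest-status": "update-possible"},
    {"name": "drush/drush", "version": "11.6.0", "latest": "11.6.0",
     "latest-status": "up-to-date"},
]})

# Constructed sample output, shaped like `composer audit --format=json`
# (assumed: "advisories" is a dict keyed by package name). No real advisory.
AUDIT_JSON = json.dumps({"advisories": {
    "drupal/core": [{"title": "constructed advisory for this example",
                     "affectedVersions": "<9.5.11"}]}})


def plan_updates(outdated_json, audit_json):
    """Return the packages that need attention, most urgent first.

    priority 0: a security advisory exists for the installed package
    priority 1: a semver-safe (minor/patch) update is available
    priority 2: only a major update is available; test carefully
    Up-to-date packages without an advisory are left out.
    """
    advisories = json.loads(audit_json).get("advisories", {})
    plan = []
    for pkg in json.loads(outdated_json).get("installed", []):
        status = pkg.get("latest-status", "up-to-date")
        if pkg["name"] in advisories:
            priority, reason = 0, "security advisory"
        elif status == "semver-safe-update":
            priority, reason = 1, "minor/patch update"
        elif status == "update-possible":
            priority, reason = 2, "major update (test before deploying)"
        else:
            continue  # up-to-date and no advisory: nothing to do
        plan.append({"name": pkg["name"], "installed": pkg["version"],
                     "latest": pkg["latest"], "priority": priority,
                     "reason": reason})
    return sorted(plan, key=lambda p: (p["priority"], p["name"]))


if __name__ == "__main__":
    for item in plan_updates(OUTDATED_JSON, AUDIT_JSON):
        print(f'{item["name"]}: {item["installed"]} -> {item["latest"]} ({item["reason"]})')
```

Running the two real Composer commands from the site's project root and piping their output into `plan_updates` gives a prioritised worklist; the basic testing step in the procedure above still has to follow each update.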

Currently this service is optional, but highly recommended by our technical team. We call the service Security and Stability Updates.

You might be thinking, yes it sounds good - but do I really need this?

In our view it's a very sensible option, because of 2 important factors:

1) The likelihood of a website compromise caused by outdated software modules on your website.

While Drupal sites are probably less likely to be compromised, it can certainly occur. The likelihood increases over time if your site remains out of date. In general terms this risk may also be increasing over time, as such malicious activity becomes more commonplace.

2) The serious nature of what may occur in the event of a compromise.

Cybercriminals are able to make use of resources like processing power, bandwidth, and the hosting available via compromised websites to enable all kinds of malicious activities. It's important to note that compromised sites can be exploited in a variety of different ways.

This is the focus of this news article, and is detailed below.

Redirection via your compromised site

There are a variety of ways this can be implemented, but generally the idea is to send a site visitor to another website, either so that the attackers gain revenue (ads or purchases) or as a method of infecting the visitor's machine with malware hosted on the site the visitor is redirected to.

Malware

The term "malware" covers a range of malicious software designed to cause harm. Infected sites may directly install malware on a user's machine to steal private information or take control of the user's machine and attack other computers. Sometimes users download this malware because they think they are installing safe software and aren't aware of its malicious behaviour. Other times, malware is downloaded without their knowledge. Common types of malware include ransomware, spyware, viruses, worms, and Trojan horses.

Exploiting the function of a site module

This may involve directly exploiting a website CMS module, or using it as a stepping stone to install software toolkits on your website for specific functionality the attackers desire to use. This would include (but is not limited to) your site hosting pages for phishing, spam, or pornography.

Other malicious activities

This could include vandalism, or destroying the data of your website. It may also include encrypting the data of your website, so that it becomes non-functional (so called ransomware).

Symptoms of a compromised website

In rare cases of site vandalism or ransomware, the malicious actors make it plainly obvious to the site owner (and the rest of the world) that the site has been compromised.

In most cases though, the approach is stealthy so that site owners are unaware the problem even exists. A compromised site may not be detected for a long period of time.

Although we go above and beyond with enterprise class software on our server that is designed to detect compromised sites, these systems are not perfect and it is not uncommon for compromised sites to remain undetected.

There are a few implications if your site is compromised.

  • Unless we were able to detect the compromise promptly, we may not be able to recover from backup, as our systems have a finite capacity of historical restore points.
  • The good reputation (ranking) of your website domain may be permanently damaged by such malicious activity.
  • Reputational damage - particularly if your website is marked by a search engine or browser as compromised.
  • We may be able to clean the website, but this is not guaranteed. If we are unable to, we may need to delete the website altogether. It's also possible the site may appear to be clean but is not.
  • Assuming the site is cleaned, it will need to be updated to the latest versions of Drupal Core and Contributed modules. If the site has not been updated for some time this may be quite time consuming.
  • Expense - the cost of attempts at mitigation and associated activities (successful or otherwise) may vary substantially and are significant.
  • At a minimum the website will be taken offline if we deem that your site is compromised. The site will remain offline until resolved to our satisfaction. Depending on the type and severity of the activity, it may be necessary to delete the site.

Don't just take our word for this... you can read more about this in Google's Official Report.

If you suspect a website compromise please communicate this to us immediately, via our Support page so that we can investigate.