How hackers can do that?

Sometimes it’s hard to understand how hackers do their black magic. It’s hard for everybody, including security specialists.

Even hackers get hacked. Remember that ;)

However, there are pieces of information you can collect to make sense of the most used attacks.

Permalink to heading Expired domains Expired domains

What the… yes, you can hack using expired domains.

There are many practical reasons to drop a domain. Let’s say you do not want it anymore. What do you do?

You do the same as almost everybody. You let the domain name expire. What if I told you some people monitor domain expirations, and if your domain name meets some specific criteria, it can turn nasty.

But how exactly?

Let’s answer the first part of the question. How do hackers monitor expired domains? Is there any RSS feed ^^?

Don’t laugh too much because registries publish lists of expiring domain names regularly.

If you abandon your domain name, an attacker can re-register the same domain name and start stealing critical data, especially using emails.

It can lead the attacker to confidential information, including bank communications and invoices. Sadly, it is not the worse you can get.

Assuming you had an online shop on that domain, bingo! The bastard can use the Wayback machine to get your old pages and start taking orders and payments. Easy money!

My advice, don’t let your old domain for sell.

Permalink to heading Subdomain takeover Subdomain takeover

A subdomain highjack could consist of taking control of :

In that case, misconfigured DNS records would be the culprits. Typically, the subdomain still has a CNAME in the DNS records but no more virtual host, allowing anybody to provide his virtual host and then host his content for it.

source: MDN

Spammers use that attack, but in the worst-case scenario, hackers can steal sensitive data such as cookies, and after that, the gate is open.

My advice, check and update your DNS configuration. That’s how you can cut the power and give a middle finger to your attacker.

Permalink to heading The use of obfuscation The use of obfuscation

Most hackers use that to hide backdoors. It consists of hiding malicious code. Many techniques allow for twisting the logic (e.g., reverse string, concatenation, encoding, etc.), generating a lot of noise, making the code hard to read.

If it’s harder to read, it’s harder to detect.

Using that trick, they can manipulate predefined variables of the language, for example, PHP, to ultimately execute arbitrary code.

If you have ever seen an infected website, you may have seen those weird lines of code. When you reassemble all the parts, you get stuff like that:

if (isset($_COOKIE["xyz"])) {
    // do bad things

With popular CMS such as WordPress, as the code is public, hackers often obfuscate the use of critical functions such as authentication helpers.

My advice, watch your files. I’ve seen sophisticated examples, including modifying existing core files rather than adding fake ones.

In that perspective, checksum verification can be useful. It uses hashes to make sure core files haven’t been modified since the last update.

Permalink to heading Static code analysis might be a dead-end Static code analysis might be a dead-end

When it’s about security, I’m not too fond of static analysis because it finds many false positives.

It runs and tells you that you have 200 XSS (cross-site scripting) to fix, but you see that it’s not exploitable when you open the source code.

It’s lame because you could spend time doing useless modifications while there are way more dangerous places in your code you should inspect.

My advice, don’t spend too much time on those scanners.

Permalink to heading How DDoS work How DDoS work

You may already know that DDoS is an attack in which the target gets overwhelmed. That’s why it is called “denial of service”.

The only good news with DDoS is that most of the time, they don’t attempt to steal anything or, even worse. Attackers only want you to shut your mouth.

While the second part of the name is “denial of service”, the most critical part is the first part: “distributed”. Instead of facing one attacker, your website gets bombarded with large amounts of fake traffic.

In other words, unlike DoS attacks that involve one source, DDoS attacks come from multiple sources simultaneously, which is much much harder to handle for the server.

Ok, but how can the hacker access those millions of computers to coordinate such a massive attack?

The answer is by distributing his malware on the internet. Whether it’s by interacting with an infected website or by unwisely opening an email attachment, or installing a fake software, the victim installs the malware on his computer.

Permalink to heading Wrap up Wrap up

I hope you understand a little more regarding how hackers make common attacks and how to reduce risks.

I do my best to update all my contents, but keep it mind that "How hackers can do that?" has been published many months ago.