Site Hijacking | BHS


Website hijacking occurs when an attacker steals content from your site and misuses it. Since the content you publish is publicly available, attackers can very easily take this content and republish it elsewhere, masquerading as your site and perhaps diverting traffic from your site to theirs. Hijacking your domain name makes their fake site more believable (e.g., if your website is www.myfamilypage.com, they can try using www.myfanilypage.com). If they alter the content on their site to make it offensive or incorrect, they can damage the reputation of your site. Attackers can also steal the design of your website, which is frustrating if you have spent time and/or money on your site's design.

Another form of website hijacking occurs when spammers send automated programs (called spambots) to search the content of your site for contact information such as email addresses, mailing addresses, and telephone numbers. They can then use this information to send spam to your site's visitors or to steal your identity. Visitors may notice the connection between visiting your site and receiving spam, and avoid your site in the future.

If you use an online service for sharing digital pictures with your family and friends, you should configure the site so that strangers cannot view your personal pictures and steal them. It is very easy to steal pictures online by just copying and pasting the image file or copying the source code.

A less probable, but possible, method of hijacking occurs when somebody on your network knows your MAC address and can trap your requests to the Internet. Each computer's network card has a unique MAC address, and every IP address eventually resolves to a unique MAC address. This ensures that information sent over the Internet reaches the right computer. If an attacker knows your MAC address, he can send malicious data directly to your computer, where there may be no security checks or virus checks. In this way, the attacker positions himself between you and the server you are trying to contact, similar to a man-in-the-middle attack. All of your information therefore first goes to the attacker, who in turn either forwards it to the intended server or sends you a page that appears to be from the server and tricks you into entering confidential information.

On websites that gather information from users, somebody could introduce data that alters the behavior of the website if the site is not adequately protected. This type of attack is called cross-site scripting, and it generally occurs when a dynamic Web page accepts data from an attacker and displays that input on the page without properly validating it. If you only have static pages on your website, you do not need to worry about this attack. It is only a threat if you have dynamic HTML (pages that use scripts such as JavaScript, VBScript, etc.) on your site. A successful attack of this sort can result in loss of data, identity theft, cookie stealing, etc.

The most popular type of this attack occurs when hyperlinks are changed on pages that embed scripts such as JavaScript and VBScript. For example, an attacker could change links on a page so that when a user logs on and clicks on a link, they are shown a page that looks similar to the expected page but was created by the attacker. The attacker can then either hijack the user's session or lure the user into entering personal information on this page.

Protective Measures

Practices

  • Protect sensitive content with passwords: Consider password-protecting files with valuable or sensitive content so that only pre-authorized users (e.g., friends and family) can access them.
  • Don't publish sensitive business information: Never publish sensitive or confidential information about your company. Always check with your company's system administrator or another responsible individual if you are not sure whether information is sensitive.
  • Use SSL and HTTPS to secure communication with your website: Hijackers can monitor traffic leaving your Web server and steal content that way, even if it is password-protected. To protect against this, encrypt traffic from your site by using Secure Sockets Layer (SSL) certificates to serve pages over HTTPS, which is a secure way of delivering web pages.
  • Protect your email address: Programs called spambots trawl the internet looking for email addresses on Web pages, newsgroups and chat-room conversations. They look for anything that could lead to your name or email address. Chat rooms are particularly vulnerable in this respect, since many people use the first part of their email address as an identifier or screen name when chatting. Frequent users of chat rooms often receive large amounts of unsolicited email as a result. If you must display your email address on a Web page, you can make it unreadable by a computer but recognizable to a human being. One way to do this is to replace the "@" symbol either with text that suggests this symbol (e.g., joe.smith[at]hotmail.com instead of joe.smith@hotmail.com) or with a graphics file (e.g., a .gif file) that represents that symbol. You can also display your entire email address as a graphics file. Of course, none of these tricks will stop a human being from getting your email address.
  • Advise users to make sure they enter the correct address for your website: Advise your users to be careful when entering the address of your website, and point out common mistakes they might make in entering the site address. Occasionally check for common spelling errors that users might make, and warn users against these errors. You may also want to purchase all domain names that are similar to your own so that all misspellings go to your website.
  • Periodically check for cross-site scripting loopholes: Check your site occasionally to see whether all links on your site lead to the correct Web pages. You should also check the source code regularly for any modifications to the hyperlinks. This can be done by keeping a master file of all the hyperlinks used in the source code. You can then use a custom program to automatically extract all hyperlinks used in the source code and match them against the master file. If the program finds a hyperlink that does not match the master file, the link may have been maliciously modified.
  • Use proper session management: A session is used to store the status information of an authenticated user throughout a website so that he doesn't have to log in every time he visits a different page. Your site should check for a valid session on every page that contains confidential information. Otherwise, a user could gain access to highly sensitive pages by bypassing the security checks at the login page. The best way to keep this from happening is to create a session with a corresponding privilege level for each user who logs in. Then check the session on every sensitive Web page to make sure that the user has the proper privilege level for that page.
  • Keep a database of user login information: Maintain a database to keep track of all login information and user activity. This is useful because it allows you to review user activity and possibly detect and track malicious activity. Logs are created automatically by Apache Web servers by default. These logs can be accessed by viewing the Logs folder in the WebApps directory of the Apache installation.
  • Perform proper string parsing on user input: If you don't do this, somebody could breach your security by exploiting SQL vulnerabilities. For example, special symbols such as single quotes or semicolons can be used to fool SQL. Single quotes delimit strings in a database query, and semicolons terminate SQL statements, so if the user enters these symbols, the backend queries can get modified. Strings should therefore be parsed to remove special symbols before they are fed to the database.
  • Prevent users of your site from entering HTML tags in form fields: If you have forms on your site, do not allow users to put HTML tags into your form fields. If HTML tags are allowed, anybody can modify your website, since the HTML tags can be interpreted by Web browsers as part of the page. You can prevent this by making sure that the user input does not contain special characters.
  • If you publish a blog, remember that without site authentication you have no control over who sees the information you post: If you post information that is private or embarrassing, you could put your reputation at risk.
  • Do not post personal information on your blog or website: Be careful not to use phone numbers, names of real people, or addresses when writing about events. People could misuse this information, and the more you reveal, the more vulnerable you are.
  • If possible, make your profile or blog private: Many blogging sites let you set your blog so that only certain people, whom you specify, have access to your profile or blog.
  • Check the protection offered by your Web hosting service: If you use a Web hosting service, contact your service provider to find out what kind of protection they offer against website hijacking.
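As an added example (not code from the original post), the hyperlink check described under "Periodically check for cross-site scripting loopholes", in Python: it extracts every href from a page, resolves it against the site's base URL, and reports links absent from the master list. The sample page, the base URL www.example.com and the master list are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class LinkCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html_text, base_url):
    """Return the absolute URL of every hyperlink found in html_text."""
    parser = LinkCollector()
    parser.feed(html_text)
    return [urljoin(base_url, href) for href in parser.links]


def find_unexpected_links(html_text, base_url, master_links):
    """Return links on the page that are not in the master list (possible tampering)."""
    return sorted(set(extract_links(html_text, base_url)) - set(master_links))


# Constructed sample: the approved master list and a page whose login link
# has been altered to point at a look-alike domain.
MASTER_LINKS = {
    "https://www.example.com/about.html",
    "https://www.example.com/login.html",
}
SAMPLE_PAGE = """<html><body>
<a href="/about.html">About</a>
<a href="https://www.exarnple.com/login.html">Log in</a>
</body></html>"""

if __name__ == "__main__":
    for link in find_unexpected_links(SAMPLE_PAGE, "https://www.example.com/", MASTER_LINKS):
        print("unexpected link:", link)
```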
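An added example (not from the original post) of the session check described under "Use proper session management": each login creates a session with an unguessable token and a privilege level, and every sensitive page is gated by that check rather than trusting that the visitor passed the login page. The in-memory session store and the role names are assumptions for the example.

```python
import secrets

# Constructed in-memory session store: token -> {"user": ..., "level": ...}.
# A real site would keep this server-side in a database or cache.
SESSIONS = {}
LEVELS = {"visitor": 0, "member": 1, "admin": 2}


def create_session(username, role):
    """Create a session with a random token and the user's privilege level."""
    token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged
    SESSIONS[token] = {"user": username, "level": LEVELS[role]}
    return token


def check_access(token, required_role):
    """Return True only if the token maps to a live session with enough privilege."""
    session = SESSIONS.get(token)
    if session is None:
        return False  # no session at all: the login page was bypassed
    return session["level"] >= LEVELS[required_role]


def destroy_session(token):
    """Log the user out by removing the session server-side."""
    SESSIONS.pop(token, None)


def serve_page(token, required_role, content):
    """Gate a sensitive page: run the session check before returning content."""
    if not check_access(token, required_role):
        return "403 Forbidden: log in with sufficient privileges"
    return content


if __name__ == "__main__":
    t = create_session("alice", "member")
    print(serve_page(t, "member", "alice's profile"))
    print(serve_page(t, "admin", "admin console"))
```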
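An added example (not from the original post) covering the two input-handling items, "Perform proper string parsing on user input" and "Prevent users of your site from entering HTML tags in form fields", as well as the cross-site scripting scenario described earlier. Instead of stripping special symbols, it binds the user's value as a query parameter (the standard defence) and escapes user text before embedding it in HTML; the SQLite table and its rows are constructed for the example.

```python
import html
import sqlite3


def setup_db():
    """Constructed sample database with one small user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')")
    conn.execute("INSERT INTO users VALUES ('bob', 'bob@example.com')")
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so a quote changes the query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Hardened: the value is passed as a bound parameter and is never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment(user_text):
    """Escape user-supplied text so any HTML tags are displayed, not interpreted."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


if __name__ == "__main__":
    db = setup_db()
    probe = "' OR '1'='1"  # a quote-bearing input that alters the unsafe query
    print("unsafe:", lookup_unsafe(db, probe))   # returns every row
    print("safe:  ", lookup_safe(db, probe))     # returns nothing
    print(render_comment("<b>hi</b>"))
```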
Tools

  • SSL certificates: Secure Sockets Layer (SSL) encryption keeps data from being intercepted when someone logs into a restricted part of your website or sends personal information through a form. When entering credit card information in an online form or visiting a secure area of a website, you may have noticed a yellow or gold lock symbol on the bottom row of your browser window. This is a sign that SSL encryption is active and any data you send to the Web page should be secure.

    SSL encryption has become the industry standard in security, so if you want to build an e-commerce site you should have an SSL certificate. This will reassure customers that their personal information is safe.
  • HTML Protector: It is possible to download an image from a website by right-clicking on it, choosing the "Save Picture As" option on the resulting menu, and copying the picture to a directory on the local machine. The HTML Protector tool prevents this by disabling the use of the right-click on your website. This is an effective way to make sure people don't steal and use pictures from your website.
  • Vulnerability Scanner: Vulnerability scanners, such as the Acunetix Web Vulnerability Scanner, help detect locations in your site where a vulnerability can be exploited. The scanner runs through the entire source code of your page, locates places where attacks are possible, and helps you correct the code to prevent an attack.

Legal Issues

Copyright law prevents people from appropriating other people's websites for commercial use, so illegal modification of a website by an attacker can be prosecuted under copyright law. You can be prosecuted for publishing any content, such as software, music or movies, that is copyrighted or doesn't belong to you. Deliberately publishing false information can be considered defamation. Individuals who have spread rumors or disclosed confidential information about companies have been prosecuted for it.

Privacy Issues

Since posting your email address online can lead to receiving unsolicited email, you may want to have several email addresses. You can give your personal email address to family and friends and use other "throwaway" email addresses to post things online. This way, if one email account begins to receive a lot of unsolicited email, you can stop using it without missing important messages.
About Blackiish
