Tag: hackers

  • How spammers, scammers and botnets know your website is a target

    I was just mulling this over as I spent a few minutes looking at the monitoring tools I have running on the large number of websites I maintain, both for myself and my clients.

    Unscrupulous types have plenty of reasons for trying to infect a website with malicious code, and they have tools designed to find websites that are ripe for exploitation.

    Specifically, there are telltale signs that a website is running a particular platform (a /wp-content/ or /wp-login.php path, a generator meta tag, a plugin’s readme.txt), or they might just assume it’s a popular platform (*cough* WordPress *cough*) and run with that. Either way, they have lists of known vulnerabilities in those platforms and their plugins, and they just need to run a scanner that tries each one against a given website.

    If they find one, jackpot.
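    As an added example (not the post’s own tooling), here is a small Python scanner-probe detector in the spirit of the monitoring described above: it parses web-server access-log lines in Apache/nginx combined format and flags source IPs whose requests are mostly platform-fingerprinting paths (wp-login.php, xmlrpc.php, plugin readme files, .env, backup dumps) returning 404s, while an ordinary visitor fetching pages and assets is left alone. The log lines, IP addresses, host names and thresholds are constructed for the example, and the probe-path list is an assumed starting set typical of WordPress-oriented scanners, not something taken from the original page.

```python
"""Flag hosts that behave like automated vulnerability scanners in a web-server log.

Added example, not the original post's tooling. Heuristic: a scanner fires a
burst of platform-specific probe paths and mostly collects 404s, while a human
visitor fetches pages and their assets. All log lines below are constructed.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; referer and user-agent are optional here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths typical of WordPress/platform fingerprinting and "forgotten file" probes
# (assumed list for the example; extend it from your own logs).
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'^/wp-login\.php', r'^/xmlrpc\.php', r'^/wp-admin/',
    r'^/wp-content/(plugins|themes)/[^/]+/readme\.txt',
    r'^/wp-json/wp/v2/users', r'^/\.env$', r'^/\.git/',
    r'^/phpmyadmin/', r'\.(bak|old|sql|zip|tar\.gz)$',
)]

# Constructed sample: one human visitor, one scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:08:01:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:02 +0000] "GET /assets/site.css HTTP/1.1" 200 811 "https://www.example-site.test/" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:08:01:30 +0000] "GET /about HTTP/1.1" 200 4410 "https://www.example-site.test/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:08:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:02:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:02:01 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:02:02 +0000] "GET /backup.sql HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:08:02:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 404 210 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the request path matches a known fingerprinting/probe pattern."""
    path = path.split("?", 1)[0]  # ignore query strings
    return any(p.search(path) for p in PROBE_PATTERNS)


def score_hosts(log_text, min_requests=3, probe_ratio_threshold=0.5):
    """Return {ip: stats} for hosts whose traffic looks like scanning.

    A host is flagged when at least min_requests were seen and either most of
    its requests were probe paths, or it sent several probes and almost
    everything it asked for was missing (404).
    """
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "not_found": 0,
                                 "probe_paths": [], "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["user_agents"].add(rec["ua"] or "")
        if is_probe(rec["path"]):
            s["probes"] += 1
            s["probe_paths"].append(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1

    flagged = {}
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue
        probe_ratio = s["probes"] / s["requests"]
        nf_ratio = s["not_found"] / s["requests"]
        if probe_ratio >= probe_ratio_threshold or (s["probes"] >= 2 and nf_ratio >= 0.8):
            flagged[ip] = dict(s, probe_ratio=round(probe_ratio, 2),
                               not_found_ratio=round(nf_ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, s in score_hosts(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["probes"], "probes,",
              f"{s['not_found_ratio']:.0%} 404s:", ", ".join(s["probe_paths"]))
```

    On a real server, feed it the last few thousand lines of the access log and compare what it flags against the site’s normal visitors; the thresholds are starting points to tune, not tested values, and a scanner that spreads its probes over many source addresses will need the same counting done per user-agent or per path instead of per IP.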

    It’s been interesting to see how this has evolved over the years. A decade or so ago, the most common exploit I saw was silently infiltrating a WordPress site and injecting code into its pages, either via JavaScript or a 1-pixel iframe, that would load data from an external site or redirect the user’s browser to a scam site that would throw ads at them, infect their computer with a virus, run a keylogger, etc.
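    The injection pattern just described is easy to check for after the fact. The following Python scanner is an added example (not the post author’s tooling): it walks a page’s HTML with the standard-library parser and reports iframes that are tiny or hidden, scripts and iframes that load from a host other than the site’s own or an allow-listed CDN, and inline scripts that set window.location to a foreign host. The sample page, host names and allow-list are constructed for the example.

```python
"""Scan a page's HTML for the injection patterns described above: hidden or
tiny iframes, scripts/iframes pulling content from hosts that are not the
site's own, and inline redirects to foreign hosts.

Added example, not the post author's tooling; the sample page, host names
and the allow-list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# window.location = "...", location.href = "...", location.replace("...")
REDIRECT_RE = re.compile(r"""location(?:\.href\s*=|\s*=|\.replace\()\s*['"]([^'"]+)['"]""")


class InjectionScanner(HTMLParser):
    """Collect (element, url, reason) findings while parsing."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []
        self._in_script = False

    def _external(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host.lower() not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
            if hidden:
                self.findings.append(("iframe", src, "hidden"))
            elif self._external(src):
                self.findings.append(("iframe", src, "external"))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._external(src):
                self.findings.append(("script", src, "external"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script body: look for a redirect to a foreign host.
        if self._in_script:
            for url in REDIRECT_RE.findall(data):
                if self._external(url):
                    self.findings.append(("inline-script", url, "redirect"))


# Constructed page: the site's own assets, an allow-listed CDN, and three injections.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.77/ad.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://203.0.113.77/loader.js"></script>
<script>if(document.referrer.indexOf("google")>-1){window.location="http://203.0.113.77/go.php";}</script>
</body></html>"""


def scan_html(html, site_host, allowed_hosts=()):
    """Return the list of (element, url, reason) findings for one page."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "www.example-site.test",
                             allowed_hosts=("cdn.example-site.test",)):
        print(*finding)
```

    Run it against the HTML as served to a visitor (fetch it with a browser-like user agent and, ideally, a search-engine referrer, since some injections only trigger for those), not against the files on disk, and feed the allow-list from the site’s legitimate third-party hosts so the output is only the surprises.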

    More recently, what I see most often, maybe because as a matter of course I run tools that block those aforementioned actions, is surges of fake e-commerce transactions for the cheapest item in a store. This is card testing: the scammers have gotten their hands on a list of stolen credit card numbers, and they’re running tiny orders to find out which of them are still active, so the live ones can be used or sold on.
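    The surge described above has a recognizable shape, and a store can flag it before the chargebacks arrive. The following Python detector is an added example (not the post author’s tooling): it groups checkout attempts by source, slides a time window over them, and flags a source whose attempts in that window are all for a trivial amount, use many distinct cards, and are mostly declined. The attempt records, IPs, card fragments and thresholds are constructed for the example; in a real store the grouping key would combine IP with a device fingerprint and the e-mail used at checkout.

```python
"""Detect card-testing bursts in a stream of checkout attempts.

Added example, not the post author's tooling. Card testers push many tiny
orders for the cheapest item, each with a different stolen card, usually from
one source, and most attempts are declined. The attempt records, IPs and card
fragments below are constructed; thresholds are assumptions to tune per store.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    ts: datetime
    source: str        # client IP here; in practice IP + device fingerprint + email
    card_bin: str      # first six digits of the card number
    card_last4: str
    amount: float
    sku: str
    approved: bool


def detect_card_testing(attempts, window=timedelta(minutes=10), min_attempts=5,
                        max_amount=5.00, min_distinct_cards=4, min_decline_ratio=0.6):
    """Return {source: summary} for sources whose attempts in some time window
    are all small, use many distinct cards, and are mostly declined."""
    by_source = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_source[a.source].append(a)

    flagged = {}
    for source, items in by_source.items():
        start = 0
        for end in range(len(items)):
            # slide the window start forward until the span fits within `window`
            while items[end].ts - items[start].ts > window:
                start += 1
            win = items[start:end + 1]
            if len(win) < min_attempts:
                continue
            all_small = all(a.amount <= max_amount for a in win)
            cards = {(a.card_bin, a.card_last4) for a in win}
            declines = sum(1 for a in win if not a.approved)
            if (all_small and len(cards) >= min_distinct_cards
                    and declines / len(win) >= min_decline_ratio):
                # keep the latest qualifying window so the summary covers the whole burst
                flagged[source] = {"attempts": len(win), "distinct_cards": len(cards),
                                   "declines": declines, "skus": sorted({a.sku for a in win}),
                                   "first": win[0].ts, "last": win[-1].ts}
    return flagged


T0 = datetime(2024, 5, 10, 9, 0, 0)
SAMPLE_ATTEMPTS = [
    # an ordinary customer: two real orders, both approved
    Attempt(T0, "203.0.113.5", "411111", "1111", 49.99, "hoodie-l", True),
    Attempt(T0 + timedelta(minutes=1), "203.0.113.5", "411111", "1111", 12.00, "sticker-pack", True),
] + [
    # a tester: eight $1 orders in under two minutes, a different card each time,
    # six declined, two approved (those two cards are now known to be live)
    Attempt(T0 + timedelta(seconds=15 * i), "198.51.100.9", f"51{i:04d}", f"{1000 + i:04d}",
            1.00, "sticker", i in (2, 5))
    for i in range(8)
]


if __name__ == "__main__":
    for source, s in detect_card_testing(SAMPLE_ATTEMPTS).items():
        print(f"{source}: {s['attempts']} attempts, {s['distinct_cards']} cards, "
              f"{s['declines']} declined, {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}, "
              f"skus={s['skus']}")
```

    The point of the decline ratio is that a legitimate customer retrying a card that was declined keeps using the same card; a tester rotates through the list. Once a source is flagged, the usual responses are to rate-limit its checkouts, require a CAPTCHA or 3-D Secure step, and void the approved orders, since those are the ones the tester was looking for.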

    God, these people suck.

    Anyway… the thing I was thinking about today was kind of a meta-level factor in all of this. It’s not just that the botnets only manage to infect sites that haven’t been kept up to date and are therefore exploitable. It seems like they only even try to infect sites that get very little traffic and rarely update their content, which correlates reasonably well with the idea that the site owners may be neglecting the site and not applying important software updates.

    But how do they know these sites have low traffic? How do they know their content is rarely updated?

    How do they know these sites even exist?

    The big tech companies, and I’m thinking especially of Google and Meta here, have amassed huge data sets about not just users and their behavior, but the websites users interact with. In short, if Google crawls a site on a regular basis (and if Google knows about a site, it crawls it, unless you specifically tell it not to), then Google has data on how often that site’s content is updated and how much traffic it gets. Traffic in relative terms, at least, in the form of click-through from Google search results; but traffic in absolute terms if the site has Google Analytics running on it, which a huge percentage of websites do.

    Google shares a lot of the data it collects. But there is also a lot it doesn’t share, and this is specifically the type of data Google does not make publicly available, or sometimes even privately available to the site owners.

    How do scammers get it?

    I don’t have an answer. I don’t even have proof that they’re getting it. I just have my anecdotal observation that the scammers don’t even seem to try hacking into the sites I work on that get a lot of traffic and frequent updates. But they’re constantly prodding and poking at sites and servers that don’t see much other traffic.

    Curious.