Consortium partners and interested parties met in person for a status meeting as part of the INSPECTION research project. This time, the meeting took place at the offices of BDO AG Wirtschaftsprüfungsgesellschaft in the Hanseatic city of Hamburg, and other participants were connected online. The company mindUp presented methods for finding hacked websites. One focus of Joachim Feist was the phenomenon that operators of Japanese fake shops hack German-language domains to get visitors for their fraudulent sites. This type of hacking was found, among others, in a case of the Fotomuseum in Winterthur that became known in the media. During the status meeting, Mr. Claus and Mr. Künzi from the National Centre for Cyber Security (NCSC) in Switzerland had the opportunity to present the case and their approaches to finding and dealing with hacked websites. Among other things, the NCSC operates a reporting form with which citizens and companies can report suspicious cases and check whether they have been affected by a cyber security incident by asking simple questions. If such an incident has occurred, tips for further action are displayed to those affected, the case is reported and processed further by the NCSC.
IONOS has also implemented a similar procedure, as Winfried Kania reported. Customers can upload e-mails via a portal that were supposedly sent by IONOS. The system then checks whether the email is a phishing message. If this is the case, a process is automatically initiated in which the message is analysed and, if necessary, measures are initiated to warn customers or block fake login pages.
In the area of "handling", Stephan Halder from BDO AG presented the latest findings from the analysis of content management systems of those affected. Among other things, interesting patterns could be found here in how attackers scan websites for vulnerabilities. This impressively showed how systematically attackers proceed. Once the attackers are in the system, which happens for example through known vulnerabilities, but also through manipulated and freely available plug-ins or themes in which backdoors have been directly implemented via so-called webshells, access authorisations are often changed and new administrator accounts are created. This not only allows the attackers administrative access to the hacked system, but also makes the removal of the malware more difficult, as malicious code is adapted against detection and automatically reloaded from the internet. This once again impressively demonstrated how deeply attackers can penetrate the system of those affected. Therefore, in very few cases is it enough to simply import a backup of the website, it must also be ensured that all malicious files and webshells are removed from the system. Those affected often do not have the means to clean up a compromised system. Here, they should seek support for an analysis of the incident to ensure that all malicious files are removed and a "clean" system goes online.
Anne Hennig from the SECUSO research group presented preliminary results of the notification experiment and gave background information on the development and evaluation of a first awareness video. Within the framework of the experiment, those affected are currently being contacted by five different senders and informed about the hacking of the website in each case with a standardised e-mail cover letter. According to initial evaluations, which must be considered preliminary due to the small number of cases, it appears that all senders achieved a recovery rate of 30 to 40%, with the Federal Office for Information Security (BSI) recording the highest recovery rate of almost 46%. With regard to different incentives given to those affected to make the urgency of the attack clear, there were hardly any differences as things stand at present. Formulations that, for example, indicate a blocking of the website or damage to reputation seem to achieve slightly better recovery rates. However, due to the small number of cases, it is not yet possible to make a definite statement.
In the area of "prevention", awareness materials are being developed on the basis of the knowledge gained in the project. For example, a first awareness video was completed in December 2022 to draw attention to the problem. The video was evaluated in February and March 2023 with experts from the project context and will be published at the end of the project after the adaptations have been incorporated. A second video is being planned, as well as a set of slides for a presentation. The aim of the coming project months is to complete and evaluate the second video and to use the lecture to draw attention to website hacking on various occasions and to present measures for remedying the hacking and protective measures against future hacking. All stakeholders are invited to suggest suitable formats and events.
