Vision: What the hack is going on? A first look at how website owners became aware that their website was hacked
Pages 312 - 317
Abstract
Websites are an essential part of today’s business activities. Content Management Systems (CMS) are known for the fact that even laypersons can create good-looking websites with simple means and without huge costs. But if websites are not maintained regularly, they are prone to vulnerabilities. Such vulnerabilities can be abused, e.g., for third party redirects. Informing website owner about this type of attack is challenging. To gain more information about how website owners are informed about vulnerabilities on their websites, we invited 156 website owners to participate in an online survey. We asked those who had fixed the third party redirect before we could inform them, how they became aware of the attack. The participants could choose to answer the questionnaire via a link to an online platform, or to send their answers back to us via e-mail. Only 11 people answered our questionnaire, and only four people were already aware of the attack before our invitation e-mail. Based on these four answers, we assumed that we can confirm previous research with respect to the design of a vulnerability notification. Nevertheless, it would be interesting to see if – with a bigger sample – we can also confirm our findings that a) online surveys, even if they can only be accessed by clicking an unknown link, are preferred over responding via e-mail, b) the number of responses can be increased by sending out several reminder, and c) a sender attributed with higher authority increases the response rate. Furthermore, we suggest that future research on vulnerability notifications questions the use of the term trustworthiness, and examines whether recipients distinguish between credibility and trustworthiness of notifications when remediating attacks.
References
[1]
Davide Canali, Davide Balzarotti, and Aurélien Francillon. 2013. The role of web hosting providers in detecting compromised websites. (2013), 177–188.
[2]
Cosmin A. Conţu, Eduard C. Popovici, Octavian Fratu, and Mădălina G. Berceanu. 2016. Security issues in most popular content management systems. COMM 2016 (2016), 277–280.
[3]
Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J Alex Halderman. 2014. The Matter of Heartbleed. IMC ’14 (2014), 475–488.
[4]
B. J. Fogg and Hsiang Tseng. 1999. The elements of computer credibility. CHI ’99 (1999), 80–87.
[5]
Anne Hennig, Heike Dietmann, Franz Lehr, Miriam Mutter, Melanie Volkamer, and Peter Mayer. 2022. “Your Cookie Disclaimer is Not in Line with the Ideas of the GDPR. Why?”. HAISA 2022 658 (2022), 218–227.
[6]
Anne Hennig, Fabian Neusser, Aleksandra Alicja Pawelek, Dominik Herrmann, and Peter Mayer. 2022. Standing out among the daily spam: How to catch website owners’ attention by means of vulnerability notifications. CHI ’22 (2022), 1–8.
[7]
Sucuri Inc.2023. 2022 Website Threat Research Report. https://sucuri.net/wp-content/uploads/2023/04/Sucuri_2022-Website-Threat-Research-Report.pdf
[8]
Ranjita Pai Kasturi, Jonathan Fuller, Yiting Sun, Omar Chabklo, Andres Rodriguez, Jeman Park, and Brendan Saltaformaggio. 2022. Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces. USENIX Security 22 (2022), 161–178.
[9]
Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz. 2014. Exit from Hell? Reducing the Impact of Amplification DDoS Attacks. USENIX Security 14 (2014), 111–125.
[10]
Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. 2016. You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications. USENIX Security 16 (2016).
[11]
Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, and Vern Paxson. 2016. Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension. WWW ’16 (2016).
[12]
Max Maass, Marc-Pascal Clement, and Matthias Hollick. 2021. Snail Mail Beats Email Any Day: On Effective Operator Security Notifications in the Internet. ARES 2021 (2021), 1–13.
[13]
Max Maass, Alina Stöver, Henning Pridöhl, Sebastian Bretthauer, Dominik Herrmann, Matthias Hollick, and Indra Spiecker. 2021. Effective notification campaigns on the web: A matter of Trust, Framing, and Support. USENIX Security 21 (2021), 2489–2506.
[14]
Max Maaß, Henning Pridöhl, Dominik Herrmann, and Matthias Hollick. 2021. Best Practices for Notification Studies for Security and Privacy Issues on the Internet. ARES 2021 (2021), 1–10.
[15]
Aakanksha Mirdha, Apurva Jain, and Kunal Shah. 2014. Comparative analysis of open source content management systems. ICCI 2014 (2014), 1–4.
[16]
Marina Pasquali. 2023. E-commerce worldwide - statistics & facts. https://www.statista.com/topics/871/online-shopping/
[17]
Tse-Hua Shih and Xitao Fan. 2008. Comparing Response Rates from Web and Mail Surveys: A Meta-Analysis. Field Methods 20, 3 (2008), 249–271. https://doi.org/10.1177/1525822x08317085
[18]
Ben Stock, Giancarlo Pellegrino, Frank Li, Michael Backes, and Christian Rossow. 2018. Didn’t You Hear Me? - Towards More Successful Web Vulnerability Notifications. NDSS ’18 (2018), 1 – 15.
[19]
Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. USENIX Security 16 (2016), 1015–1032.
[20]
StopBadware and Commtouch. 2012. Compromised Websites: An Owner’s Perspective. (2012), 1 – 15. https://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf
[21]
W3Techs Web Technology. 2023. Usage statistics of content management systems. https://w3techs.com/technologies/overview/content_management
[22]
Marie Vasek and Tyler Moore. 2012. Do Malware Reports Expedite Cleanup? An Experimental Study. CSET ’12 (2012), 1 – 8.
[23]
Eric Zeng, Frank Li, Emily Stark, Adrienne Porter Felt, and Parisa Tabriz. 2019. Fixing HTTPS Misconfigurations at Scale: An Experiment with Security Notifications. WEIS 2019 (2019), 1 – 19.
[24]
F. O. Çetin, C. Hernandez Ganan, M. T. Korczynski, and M. J. G. van Eeten. 2017. Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. (2017), 1–23.
[25]
Orçun Çetin, Lisette Altena, Carlos Gañán, and Michel van Eeten. 2018. Let Me Out! Evaluating the Effectiveness of Quarantining Compromised Users in Walled Gardens. SOUPS 2018 (2018).
[26]
Orçun Çetin, Carlos Gañán, Lisette Altena, Samaneh Tajalizadehkhoob, and Michel van Eeten. 2019. Tell Me You Fixed It: Evaluating Vulnerability Notifications via Quarantine Network. EuroS&P 2019 (2019), 326–339.
[27]
Orçun Çetin, Mohammad Hanif Jhaveri, Carlos Gañán, Michel van Eeten, and Tyler Moore. 2016. Understanding the role of sender reputation in abuse reporting and cleanup. Journal of Cybersecurity 2, 1 (2016), 83–98.
Index Terms
- Vision: What the hack is going on? A first look at how website owners became aware that their website was hacked
Recommendations
Standing out among the daily spam: How to catch website owners’ attention by means of vulnerability notifications
CHI EA '22: Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing SystemsRunning a business without having a website is nearly impossible nowadays. Most business owners use content managements systems to manage their websites. Yet, those can pose security risks and provide vulnerabilities for manipulations. With ...
The Impact of Website Attractiveness, Consumer-Website Identification, and Website Trustworthiness on Purchase Intention
ICIS '10: Proceedings of the 2010 IEEE/ACIS 9th International Conference on Computer and Information ScienceThis pilot study examined the antecedents of consumers’ intention to purchase from apparel retail websites, including website attractiveness, consumer-website identification, and website trustworthiness. A structural equation model was used to test ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2023
364 pages
ISBN:9798400708145
DOI:10.1145/3617072
Copyright © 2023 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 16 October 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
- German Federal Ministry of Education and Research
- Methods for Engineering Secure Systems, of the Helmholtz Association (HGF) and KASTEL Security Research Labs
Conference
EuroUSEC 2023
EuroUSEC 2023: The 2023 European Symposium on Usable Security
October 16 - 17, 2023
Copenhagen, Denmark
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 366Total Downloads
- Downloads (Last 12 months)329
- Downloads (Last 6 weeks)37
Reflects downloads up to 02 Mar 2025
Other Metrics
Citations
View Options
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML FormatLogin options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in