UPDATED 17:30 EDT / JUNE 08 2012

Anirban Banerjee on Five Reasons a Website Gets Blacklisted

Zappos.com, Sony PlayStation Network and Citibank—they’re strange bedfellows. But if you hadn’t guessed, what these three have in common is the scarlet “H” they’ve been slapped with in recent headlines: Hacked.

One consequence of a website hack is that it can infect thousands of visitors who trusted the website enough to visit it. The personal information of thousands can be compromised—not to mention damage to the site’s reputation—and you can bet consumers will think twice before coming back, especially if credit card numbers were stolen. It’s a growing problem that hurts thousands of organizations and individuals each year, from blog owners and web admins to small businesses and large enterprises.

These three companies are far from alone: Any website without the right protection is vulnerable to the relatively recent trend of infection with web-malware. More than 6,600 new websites get added to the Google malware blacklist every day because of hacking attacks that use legitimate websites to distribute malware, and blacklisting is just one manifestation of such attacks. The web is growing fast, with nearly 250 million sites expected to be online by 2015, and many of these sites are likely to be unwitting participants in a massive malware distribution and cyber-crime ecosystem.

Most disturbing of all is the fact that the vast majority of websites today are completely undefended against attacks from malicious hackers.

So how do websites get hacked?

Web-malware not only can infect the computers of those visiting the compromised site, but it can also do additional damage by redirecting users to fake anti-virus purchase programs, stealing financial and personal information, and more. Such attacks are well-documented and have been proliferating on the Internet for some time now. LizaMoon is just one example of a family of infections that have been spread by millions of compromised websites. Hackers compromise the websites without their owners’ knowledge by exploiting vulnerabilities like SQL injection and weak third-party plugins. Here are a few other examples:

The impact of getting hacked: What to expect.

So it’s happened. Businesses and individuals across all sectors—manufacturing, software, pharmaceuticals, retail, financial and more—are affected when a site gets hacked and injected with web-malware. To protect web surfers, security companies, search engines and browsers will prevent users from visiting these compromised sites. Websites may also end up on blacklists built to stop spam and phishing campaigns, which are often launched from hacked sites. On average, it takes 7 to 10 days for a website to be repaired and come off a malware blacklist, such as the popular Google Safe Browsing list.

During this harrowing period, traffic to the infected website drops, as most modern browsers will block attempts to access the compromised website. Potential new customers will be turned away and regulars won’t be visiting either. Besides, who wants to go back to an online retail shop that infected your computer with a Trojan that led to your bank account being frozen? Ever tried paying the mortgage when you don’t have access to your funds?

Some companies try to protect their website using existing technologies like anti-virus protection, firewalls and solutions aimed at distributed denial-of-service (DDoS) attacks. Unfortunately, these security products—while useful in other contexts—do not address the identification and removal of web-malware from the pages of a website.

Assessing your vulnerabilities is the first step towards protecting your website.

The common reasons for a website getting compromised include:

(1) Stolen FTP credentials: Many website compromises occur because FTP credentials are stolen and used by malicious hackers and bots to infect websites with web-malware. The credentials for an FTP connection are usually stolen by means of a Trojan installed on the PC that is used to connect to the website to change and upload content. Once a username and password are obtained, they are passed on automatically to a bot which infects the web pages with malware. An example is the well-known malware dubbed PWS-FerTP (McAfee Labs, 2008).

(2) Weak passwords (brute-force attacks): A large-scale analysis in 2011 found that the most common password used by computer users is 123456. It is weak and easy to guess. Unfortunately, a lot of website owners use simple passwords. Malicious hackers can use lists of common passwords to guess credentials that provide them with access to a hosting account.

(3) Server-level vulnerabilities: A massive number of web servers deploy vulnerable software and tools. A typical server that hosts a website runs FTP servers and other programs that provide various kinds of functionality. The software is often outdated or unpatched, and that leaves open doors for malicious hackers. Also, even though website and server administrators are aware of vulnerabilities in server software, they often forget to take action. These issues are related primarily to server setup and configuration. Improper permission settings can also allow malicious hackers to get access to files. Researchers have estimated that more than 75% of web servers have at least one critical vulnerability (StopTheHacker, 2009).

(4) Web application vulnerabilities: Websites today are much more vibrant and interactive than before, allowing users to comment on blog posts, fill out forms and provide other kinds of input to receive customized results. Much of this functionality is achieved through Web 2.0 applications which—unless the code is up to date and specifically designed to protect against web-malware—can be used by a malicious hacker to infect the site, and all of its subsequent visitors.

(5) Third-party add-ons: The presence of these add-ons is a growing trend that provides websites with more interesting functionality, such as dynamic IP geo-location, image resizing and so on. Again, the code in these products may harbor vulnerabilities unknown to the original website owner.
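Reason (1) is the one most site owners can catch from the server side: credentials stolen by a Trojan show up in the FTP log as a login from a machine the owner never uses, followed by a burst of uploads that rewrites the site's pages. The script below is an added example, not code from the article or from StopTheHacker. It parses constructed vsftpd-style log lines (a made-up sample; adjust `LINE_RE` to your own server's format), and flags three things a defender would want to know about: a login from an address not in the owner's known list, an upload of a sensitive control file, and more than a handful of uploads within one minute from a single session. The `KNOWN_IPS` table and all addresses are hypothetical.

```python
"""Flag FTP activity that looks like stolen credentials in use.

Added example; not code from the article. The log format is a constructed
vsftpd-like format, and every address and account name is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal session from the owner's PC, then a session
# from an unfamiliar address that rewrites several pages within a few seconds.
SAMPLE_LOG = """\
Mon Jun  4 09:12:01 2012 [pid 1211] [webadmin] OK LOGIN: Client "203.0.113.10"
Mon Jun  4 09:13:45 2012 [pid 1211] [webadmin] OK UPLOAD: Client "203.0.113.10", "/htdocs/about.html", 2.4Kbyte/sec
Mon Jun  4 09:15:02 2012 [pid 1300] [webadmin] OK LOGIN: Client "198.51.100.77"
Mon Jun  4 09:15:09 2012 [pid 1300] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/index.php", 9.1Kbyte/sec
Mon Jun  4 09:15:10 2012 [pid 1300] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/js/jquery.min.js", 11.0Kbyte/sec
Mon Jun  4 09:15:11 2012 [pid 1300] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/.htaccess", 0.3Kbyte/sec
Mon Jun  4 09:15:12 2012 [pid 1300] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/blog/index.php", 8.0Kbyte/sec
Mon Jun  4 09:15:13 2012 [pid 1300] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/contact.php", 7.7Kbyte/sec
Tue Jun  5 18:40:00 2012 [pid 1402] [blogger] OK LOGIN: Client "203.0.113.10"
"""

# Hypothetical allow-list: the addresses each account normally connects from.
KNOWN_IPS = {"webadmin": {"203.0.113.10"}, "blogger": {"203.0.113.10"}}

# Files whose upload over FTP deserves a second look regardless of source.
SENSITIVE_NAMES = (".htaccess",)

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|UPLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)


def parse(log_text):
    """Turn matching log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "user": m.group("user"),
            "action": m.group("action"),
            "ip": m.group("ip"),
            "path": m.group("path"),
        })
    return events


def analyze(log_text, known_ips, burst_threshold=5, burst_window=timedelta(seconds=60)):
    """Return findings in log order: unknown-source logins, sensitive uploads, upload bursts."""
    findings = []
    recent_uploads = defaultdict(list)  # (user, ip) -> timestamps inside the sliding window
    for ev in parse(log_text):
        if ev["action"] == "LOGIN":
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                findings.append({"rule": "login_from_unknown_ip", "user": ev["user"],
                                 "ip": ev["ip"], "at": ev["ts"].isoformat()})
            continue
        # UPLOAD events
        if ev["path"] and ev["path"].endswith(SENSITIVE_NAMES):
            findings.append({"rule": "sensitive_file_upload", "user": ev["user"],
                             "ip": ev["ip"], "path": ev["path"], "at": ev["ts"].isoformat()})
        key = (ev["user"], ev["ip"])
        window = [t for t in recent_uploads[key] if ev["ts"] - t <= burst_window]
        window.append(ev["ts"])
        recent_uploads[key] = window
        if len(window) == burst_threshold:  # fires when the threshold is first crossed
            findings.append({"rule": "upload_burst", "user": ev["user"], "ip": ev["ip"],
                             "count": len(window), "at": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(f)
```

The allow-list rule is the important one: a Trojan on the owner's PC reuses the owner's password, so the password itself looks valid and only the source address and the behaviour after login give it away. On a real server you would seed `KNOWN_IPS` from the last few weeks of uninteresting logins rather than typing it by hand.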

Essential tips to protect your website:

  • Never store credentials on your local PC using software such as FileZilla, SmartFTP, CuteFTP and other FTP clients.
  • Constantly check your website for any web application vulnerabilities and malware code to prevent infection of your visitors.
  • Switch from FTP to a more secure solution like SSH/SCP/SFTP. Using these protocols in lieu of FTP allows your usernames, passwords and data to be transferred in an encrypted manner to your website, making it much harder to eavesdrop.
  • Make a list of all third-party plugins and update them regularly; only install reputable ones.
  • Use strong passwords—such as 256G&Jki@f# instead of 123456—and make sure you scan your local PC regularly with more than one antivirus engine. Free AV engines like Avira, Avast and ClamAV are very good options. Most AV companies offer a trial period and free versions of their products.
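The second tip, checking the site for injected malware code, is easiest to make routine if you keep a baseline of file hashes somewhere the attacker cannot reach and compare the live web root against it. What follows is an added example, not code from the article or from StopTheHacker. It builds a SHA-256 manifest of a directory, reports files that were added, modified or removed, and scans each changed HTML, PHP or JS file for a few indicators typical of injected web-malware (hidden iframes, `eval(unescape(`-style JavaScript, `eval(base64_decode(`-style PHP, long runs of escaped bytes). The `demo()` function stages a constructed site in a temporary directory, simulates an injection and re-checks it; the file names, contents and the `malicious.example` host are all made up.

```python
"""Detect injected web-malware with a hash baseline plus content indicators.

Added example; not code from the article. It assumes the web root is a local
directory (or a copy you can pull down over SFTP) and that the baseline
manifest is stored off the server.
"""
import hashlib
import os
import re
import tempfile

# Indicator patterns commonly left behind by injected web-malware.
INDICATORS = {
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*["\']?0|height\s*=\s*["\']?0)', re.I),
    "js_unescape_eval": re.compile(r'\b(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I),
    "php_eval_decode": re.compile(
        r'\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(', re.I),
    "long_escaped_blob": re.compile(r'(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){40,}', re.I),
}
SCANNED_EXT = {".html", ".htm", ".php", ".js"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256; keep this off the server."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def scan_text(text):
    """Return the sorted names of every indicator pattern that matches the text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def check_site(root, baseline):
    """Compare the live tree with the baseline; scan every added or modified web file."""
    current = build_manifest(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append({"path": rel, "change": "removed", "indicators": []})
            continue
        if rel in baseline and baseline[rel] == current[rel]:
            continue  # unchanged since the baseline was taken
        change = "modified" if rel in baseline else "added"
        indicators = []
        if os.path.splitext(rel)[1].lower() in SCANNED_EXT:
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
                indicators = scan_text(f.read())
        findings.append({"path": rel, "change": change, "indicators": indicators})
    return findings


def demo():
    """Constructed scenario: baseline a clean site, simulate an injection, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        clean = {  # constructed, deliberately boring site content
            "index.html": "<html><body><h1>Shop</h1><script src='js/app.js'></script></body></html>\n",
            "about.html": "<html><body><p>About us</p></body></html>\n",
            "js/app.js": "function init(){console.log('ok');}\n",
        }
        for rel, text in clean.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        baseline = build_manifest(root)
        before = check_site(root, baseline)  # expected: no findings

        # Simulated compromise: a hidden iframe appended to index.html and a new PHP file.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write('<iframe src="http://malicious.example/in.php" width="0" height="0" '
                    'style="display:none"></iframe>\n')
        with open(os.path.join(root, "cache.php"), "w") as f:
            f.write('<?php eval(base64_decode("aGVsbG8=")); ?>\n')
        after = check_site(root, baseline)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for finding in demo()["after"]:
        print(finding)
```

Run it from cron against a fresh pull of the site and alert on any non-empty result; a modified file with no indicators is still worth a look, because the indicator list only covers the commonest injection styles and a change you did not make is the real signal.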

Don’t underestimate the lasting impact a web-malware attack can have on your business and its reputation. Infected websites often experience a week or more of down time, and the fallout can be disastrous: lost customers and revenues, potential new customers turned away and your hard-earned SEO ranking sabotaged. Fortunately, there are best practices you can follow to protect yourself. Use this article as a guide to assess your vulnerabilities, and then follow the specific steps I’ve suggested to address potential problems. Finally, consider an automated malware detection, cleanup and monitoring service to provide ongoing protection.

For more information, please visit StopTheHacker’s blog for my series of posts on website malware and hacking.

[Editor’s note: This is a guest post submitted by Anirban Banerjee from StopTheHacker blog.]
