Most Internet users know by now that hackers can target any account. But the conventional wisdom is that hackers are only looking for "interesting" targets: phone companies, government agencies, large corporations with sensitive files, credit-reporting firms, or organizations with extensive credit-card files. That simply is not true. Many hackers look for small, relatively unknown companies with little of interest in their computer files.
Why? One reason is that small companies offer a perfect place for a new hacker to test his or her skills. Because defenses and security awareness are likely to be low at such sites, hackers have a far better chance of breaking in and rummaging around, and there isn't much chance of interference or risk of being caught. If your site is unintentionally accommodating to low-skilled hackers, you might win the honor of being labeled a "penetration test site" on hacker bulletin boards. Then you'll enjoy frequent visits from hackers all over the world.
For the same reasons, hackers also use smaller, less sophisticated systems as launching pads into larger, more security-conscious target sites. They mask their identities by first hacking into several smaller systems to create an electronic trail that's difficult to trace. Once they have what they want from the target site, they may then bring down all the sites in their trail to eliminate any traces of their presence.
"Word gets around fast," explains one hacker. That particular hacker has a day job--in the technical services department of one of the major online services.