An analysis of the latest trends in malware and hacked websites at Sucuri & GoDaddy.
Date aired: July 6th, 2022
In this webinar we cover the latest findings from our 2021 Hacked Website Threat Report. We shed light on some of the most common tactics and techniques we saw within compromised website environments and our remote scanners. Plus, learn about some of the most notable infections, top cleanup signatures, and tips to mitigate risk.
Ben Martin is a security analyst and researcher who joined Sucuri in 2013. Ben’s main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn’t slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat.
What suggestions do you have to better protect WordPress Admin Panels?
spk_0
…point of entry for the attackers, and I mean, putting 2FA on your admin panel, I mean there’s no substitute for that really.
There’s a few different things you can do. You can limit the number of failed login attempts to prevent brute force attacks. You can restrict access to your admin panel by IP address, which is extremely effective. But just a simple 2FA is highly recommended, as I pointed out in the webinar.
I would really, really love to see WordPress have 2FA installed by default, like during the installation process have it recommended. That would make an absolutely tremendous impact on security of the web overall.
Unfortunately I don’t think it’s gonna happen anytime soon.
spk_1
Alright, thanks for your answer, Ben. That was a great one. Next question is from Val, thank you for asking this one. How many of these websites had an outdated CMS, and how many were using any type of security service like plugins, hardware by host, etcetera?
…
spk_0
Good question. So for out of date CMS, as I had mentioned, it’s about 50/50. As for the security software, we don’t actually track how many clients are using security plugins.
However, one interesting point that I would bring up about security plugins is that it’s very common to see the presence of security plugins on websites, but they’re not really configured properly.
So for example I’ve had clients say that hey, I have 2FA installed on my WP admin panel, how did the attackers get in? And I look and they have it installed but they didn’t set it up.
So it’s kind of waiting to be configured. And in fact we see this a lot with users of our firewall. So our firewall has some very robust mechanisms to protect admin panels, but it just never gets configured, so people are often under the impression that, well, I got this installed so now I’m safe from hackers, but often there’s not any follow-up done to make sure that everything is configured properly.
So website owners out there, you’ll want to make sure that all of your security configurations are in place and verify things before you assume that you’re in the clear, because it’s kind of the number one rule of tech support: trust, but verify.
So always make sure that things are configured correctly.
spk_1
All right, thanks for your insight, Ben. All right. This one is from Medina from the chat. Thanks for asking. What is the single most important thing you can do to protect your website?
spk_0
That one’s easy: enable automatic updates for plugins and extensions and put 2FA on your admin panel. I feel like a broken record saying 2FA, 2FA, 2FA, but I can’t stop repeating those two things. Those two very basic protections are irreplaceable; you can’t beat that.
spk_1
Totally. That makes a lot of sense. Thanks Ben. Alright, next one comes from an anonymous attendee. They say hey Ben, great presentation, question.
Credit card stealers sound really scary. I’m worried about protecting customer information and credit card details on my website. Do you have any suggestions as to how I can protect an e-commerce site from this type of malware?
spk_0
Definitely. Yes. E-commerce security is kind of one of my favorite sub-topics of website security, and I deal with a lot of credit card skimmers and e-commerce websites.
At its core I would say it’s exactly the same as any other. You’ll want to make sure that your website is patched and up to date and make sure that your admin panel is protected.
But in terms of e-commerce specifically I would have a few additional recommendations. In terms of the payment processing on the website, it’s best if you kind of let someone else deal with that.
So ensure that when the credit card information is being processed on the site, it should be done ideally by a third party that’s dedicated to processing that information in a secure way.
So the less information that is actually on your website or processed by your website itself, the better, and there are some dedicated payment options and payment platforms that specialize in this exact sort of thing.
Another thing for e-commerce websites that we see is that they’re often used as kind of staging grounds to test stolen credit cards, and the websites that are most vulnerable to this are ones that allow for unauthenticated checkout.
So what the attackers will do is they will do like a $1 or a one cent transaction just to test to see if the card is active, and then if it is, then it’s ripe to be sold on the black market for a profit.
And the way they do this is very automated. So they look for e-commerce websites that have guest checkout enabled, so you don’t have to have an authenticated account to conduct a transaction.
And also websites that have no captcha on their checkout page. So you can improve your e-commerce security a lot and prevent your site from being used to test credit cards by doing those two things.
So make sure that all transactions on your website are done through a verified account and that there’s a captcha on your checkout page to prevent bots. It’s kind of a nuisance and I understand that it’s not kind of the preferred solution, because you want the checkout process on your e-commerce website to be kind of seamless and easy and accessible, but that’s a two-way street.
It also makes it accessible for attackers to abuse it. So just make sure that the payment information is being conducted in a secure way, with an SSL-encrypted connection and ideally by a specialized service which can take care of that for you.
So you don’t have to process that information directly on your website or store any of that data at all.
spk_1
That’s so relevant right now, because so much shopping is done online, especially since the pandemic. So great answer. This one is kind of related to what you just said, but I am going to read through the whole question.
It’s from David. Thanks for asking. As far as credit card skimming malware, I think I heard it said it grew the most. How much was that growth year over year?
And then the next part of that question is, if you have an SSL, I’m assuming that does not mean you’re safe from credit card skimming. If not, is there something you can do for your site to stop this before it happens?
spk_0
That’s a good question. As far as how much did it grow year over year, I can speak to that a little bit.
A good symptom of that is the number of websites that we blocked for credit card skimming. So typically when we find credit card skimming malware, there’s an associated exfiltration domain or IP address where the attackers are sending that stolen information to. And so once we decode the encrypted or encoded credit card skimming malware, there’s a little domain in there somewhere and that’s where the information is being sent.
So once we find one of those domains we’ll block it. So as I had mentioned earlier, we blocked over 500 domains over the course of 2021, which is the most that we’ve ever blocked in one year. In 2020 I think that number was roughly around 470, and the year previous to that it was 360 or something like that, if I recall correctly.
So we see it’s trending upward like this. It’s not like stratospheric or anything like that, but it’s certainly increasing at a noticeable rate. And certainly with more and more shopping being done online, and of course lots of small businesses moving their business transactions and their commerce online as well and opening up e-commerce options for their customers.
This is just kind of par for the course that we’re going to be seeing this increase. And as far as protecting your site, I would say repeat what I said previously about safe processing of data and whatnot.
But I would say again, at risk of sounding like a broken record, the exact same principles that you would want to follow on any other website, which is keeping your website, all your plugins and themes up to date, and protect your admin panel, and of course a firewall, if you’re able to install it on your website to protect it from known attacks.
spk_1
Great, thanks for that answer. Next question is from an anonymous attendee. They’re asking: you said 60% of hacked websites contain some kind of backdoor. As a website owner, what is the best way to scan and detect these?
spk_0
Excellent question. I would say number one, if you’re using a CMS platform like WordPress, for example, a core file integrity scan is very crucial for that, and most security plugins, ours included, will include a core file scan.
So what is that? Well, any of your core WordPress files, if any of them were modified, if there are files in there that don’t belong, you should receive a notification about it, and it’s very, very common for attackers to place backdoors within core files.
Not all the time, but it happens a lot. So at the baseline, I would recommend having a security plugin installed on your website which contains core file integrity monitoring.
There’s also, as part of the services that we offer with Sucuri, file integrity monitoring. So we have a server-side scanner service which once per day will scan through your files and list which ones were modified and which ones were added.
And if you look through that list and think to yourself, wait a second, I don’t remember modifying that file, then that might be a red flag. If you don’t have our paid services and you’re just kind of trying to figure out with your own site if there’s any backdoors, one thing that you can do, and this is part of our guide on how to clean a hacked WordPress website, is to check for recently modified files.
So if you can establish an SSH connection to your server, there’s a command that you can run using mtime which will tell you, say, tell me all the files that were modified in the last 15 days or 30 days or 60 days.
And you’ll see batches of them which will be like, oh, I updated my SEO plugin or I updated my theme, and you’ll see batches of these files. And once you remove those you might look for the outliers and think, like, wait, why was this one file modified?
So if you suspect that your environment is compromised and you have a rough time frame as to when that might have happened, you can look for additional files that were modified around that same time, which is a very effective way to find malicious injections within your environment.
spk_1
Perfect, thank you. All right. We have another question from an anonymous attendee. They’re asking if having three plugins, iThemes, IP Geo Block, and Sucuri, protects the site well, or does it completely sacrifice the WordPress site performance?
spk_0
That’s an interesting question, because one thing that I have noticed is that some security precautions that are taken with website environments can affect performance, and it can be kind of a nuisance. As far as iThemes, I’m not personally familiar with that second plugin that you mentioned, and ours, I’m not aware of any performance decreases that they would cause. As far as I know, I think that it shouldn’t impact it very much at all, in fact. But in terms of security precautions and measures that you can take that do impact performance, one major one is symlink protection in WHM environments, and this is very common for AnonymousFox malware in particular to abuse.
So what attackers can and often do is, once they get a foothold in the environment, they use symlinks to move laterally throughout different websites in the environment.
Even if the file permissions and ownership are set correctly, they can move adjacent in the environment. And one single compromised admin account can bring down an entire environment; it can be devastating. And so one thing that you can do in a WHM environment is to enable symlink protection in the global Apache configuration, which will help prevent this attack from being exploited.
However, it also creates a noticeable performance decrease on the server, and there are other configurations and whatnot which cause that issue.
And we see this: there’s often kind of a conflict between convenience and security, and they often do not get along very well.
So as I was saying, for example, with securing your checkout page to prevent attackers from testing credit cards, having a captcha and having to sign into an account every time you want to make a purchase is kind of a pain, it’s kind of a nuisance.
And so we see that zero-sum game often between convenience and security, and the same goes for two-factor authentication on admin panels, right?
I think as far back as 2015 there was a discussion in WordPress forums talking about, like, we should get 2FA enabled by default, this would prevent so many compromises.
However, one of the core principles for WordPress is that they wanted it to be accessible and easy to use, and this is one of the reasons why WordPress has been so incredibly successful and is so incredibly common on the web: because it is very accessible and easy to use.
And so there’s this hesitancy from developers to implement this security precaution by default because it would affect the user experience.
So I think this is nothing that’s going to go away anytime soon. I think probably until the end of time there will be a conflict between security and convenience and ease of use, for sure.
But as far as those three plugins specifically that you mentioned, as far as I know, I don’t think it would cause any major performance impact at all.
spk_1
Great, that’s great news. Okay, we have one more question here. So if you still have a question and you haven’t put it into the Q&A section, please do so, because once this question is answered we will be wrapping up.
So Alicia is asking, thank you so much for the question: have you noticed an increase in hacked websites so far this year, given the war in Ukraine?
spk_0
Interesting. That’s not something I can really speak to myself, I’m not too sure. I know that other security companies have noticed some unusual and interesting changes in terms of traffic from Ukraine and Russia.
But personally, that’s an interesting question. I wish I could have a better answer for you, but I can’t really speak to that personally. But I think that other researchers have noticed some unusual spikes from Ukraine.
So that’s something to keep an eye on for sure.
spk_1
All right, good insight. Thank you for answering that one. Alright. We have another question that came in from J.P. Is blocking bots the first line of attack? If so, is there a way to block all bots and just let the good guy bots in?
spk_0
Good question. You wouldn’t want to block all bots, because then your website would be invisible to search engines. Right?
So there is certainly a bit of an art to determining what is a good and what is a bad bot. And our firewall does have that capability, and there is an option within our firewall called an aggressive bot filter which will do its best to remove the traffic from most of those bots.
At the end of the day, really, the only bots that you would want to access your website are search engines. So if you would go ahead and block any bots except for Googlebot and Bing and Yandex and Yahoo, then you’re probably good.
You don’t really want that traffic on your website anyway. I guess the problem is, well, how do you do that? And I would recommend using a firewall or security plugin where the heavy lifting will have been done for you, where the security researchers and firewall analysts will have already created a rule set for you to block those bad bots but also allow search engines.
So you don’t absolutely cripple your SEO ranking.
spk_1
Perfect. Thanks for the answer. All right. We have a couple more questions that trickled in. David is asking, thank you for the question David, have you noticed a difference on hacked sites using PHP 7.4 versus PHP 8+?
spk_0
Interesting question. Not really. I mean, the attackers themselves don’t really care so much what version of PHP you’re using. Older versions of PHP, like PHP 5, God forbid if you’re still using that, are going to contain a lot more security issues than more up to date versions of PHP, and so you would certainly see an increase of compromised websites that are using older versions of PHP that do contain security vulnerabilities in them. As for the actual malware itself that is present on the website, I wouldn’t say it’s at all different based on the PHP version. The attackers have the same objective no matter what: they either want to redirect visitors to drive-by downloads and scam sites or they want to steal credit card numbers.
It’s all the same. It’s the same goal. No matter what software they’re using, they will just use whatever exploits and vulnerabilities that are available to them to compromise the environment, and they’ll probably put the same payload on a website running PHP 8 versus PHP 7.
They don’t care. They have the same goal no matter what.
spk_1
Alright, cool. Thank you. Alright, another question coming in from Kent, thanks for the question Kent. They’re asking, where can we learn more about symlink protection?
spk_0
Oh, symlink protection. There is something on the official cPanel documentation website. If you just look up Apache global configuration, symlink protection in Google, it’ll probably be the first result.
If you have WHM and you administer a great number of websites using that interface, you just search up Apache in the WHM search bar and the global configuration will be right there. Scroll to the bottom, it’s like very close to the bottom, and you just have to turn it from off to on, and that’s all you gotta do.
spk_1
Perfect. Thank you. All right, Brian is asking, thanks for the question Brian, what’s the fastest way to recover from a hacked website? That’s a good one.
spk_0
Right, the fastest way is just to restore a backup, and this is why having an automated daily backup service is really important.
Because if there’s a rainy day then you have that to kind of fall back on, and we do offer a daily backup service as part of our services.
But there’s also plenty of free plugins and stuff that you can install on your site to do that as well, at no cost. There’s a lot of different options available. But if you have a known good copy of your website, where it’s clean, it’s good, there’s no malware, it functions, it works, store that somewhere not on your web server. Have it on even a thumb drive or an external hard drive, have it somewhere so that if the environment does become infected then you have this offline known good copy of your website that you can fall back on. Backups are super important, and not just for security issues.
If you install a plugin that’s not compatible with some custom theme that you’re using and your site breaks, oh no, what do you do? In instances like that it’s really important to have a backup. So anytime your site breaks you’ll want to have a backup available in case something goes wrong.
spk_1
Right? Yeah. Just like I saw someone earlier in the chat say, backups, backups, backups. Thanks for the answer. So one more question from J.P. He’s asking, thank you for the question, do you have a video tutorial on how to block aggressive bots?
spk_0
Off the top of my head, I’m not sure. However, if you are a user of our firewall service, if you go into, I believe it’s in the advanced security options, there’s something called an aggressive bot filter. You just have to press the tick box there and it gets enabled.
But I mean, this is an incredibly common issue that basically all website owners face. So I have a hunch there’s almost certainly something on Stack Overflow or other similar websites that would show you how to do that.
And in fact that might be something that we can look into doing ourselves as well. That’s a good suggestion. Thanks.
spk_1
Yeah, that’s great. Something that we can definitely look into. Okay, we got one more question that trickled in from an anonymous attendee. Does security protection also apply in the front end?
spk_0
If I understand your question correctly, it does protect the front end. In fact, it only protects the front end. Any website is going to be running on a hosting server, and that hosting server typically would have FTP access or SSH access or SFTP access to allow you to connect to the back end and actually access the files and the back end of the website infrastructure, essentially.
And our firewall doesn’t block that. We will only protect the front end. So ports 80 and 443, that’s what our firewall will protect.
So in terms of back end protection, that is something that you would definitely want to consider, because that’s an attack vector as well. And the best things that you can do to protect the back end are to use SSH key authentication rather than a password, and use a non-standard port, so something other than port 22 to access the back end by SSH or SFTP. And some hosts, not all, allow you the possibility to restrict access by IP address. I mean, there’s no reason why you should have SSH or SFTP open to the world; that’s just kind of an accident waiting to happen.
So if you can restrict who can access those services to only known good IP addresses, that would be a highly recommended configuration for security purposes.
spk_1
All right, great. Thank you, Ben, for answering that one. Actually we have a couple questions. Alright, anonymous attendee is asking, related to the question, protect the form as well, especially on bots. Sometimes you go bots are referring real people, but tagged as bots based on their UA.
spk_0
If I understand the question correctly, I think by the form you might mean contact form, and we would always recommend having a captcha on a contact form.
So that can be Google’s reCAPTCHA service, or I think hCaptcha has been increasingly popular as well. So there’s other ones that you can use. But getting spammy submissions through contact forms is incredibly common and is basically guaranteed to happen if you don’t have protection on that.
So you want to make sure that any forms on your website that accept user input, whether that’s a contact form or a checkout page, should be protected by some form of captcha to prevent abuse.
spk_1
Definitely reminds me of the forms where you have to check all of the pictures where you see the bridges before you.
spk_0
Yes.
spk_1
Yeah, those ones. Thanks for the answer, Ben. We have another question in the chat from Kelly. Thanks for asking. Is Cloudflare worth trying to use for protection?
spk_0
That’s an interesting question, because they are one of our competitors. Cloudflare does have a free option that you can put your website behind for free.
It’s mostly, Cloudflare is more focused towards kind of performance and caching rather than security.
At its core, when we built our firewall, we have always had security in mind. That’s the whole point of our firewall, it’s just for that. That is the number one concern and the focus of our product. Cloudflare, I think, is more geared towards just performance. And I think with the free tier for the Cloudflare services, it’s gonna hide your hosting IP, which is good, and it’s going to provide some caching, which is also good. But I probably wouldn’t rely on it 100% for security, and we also can’t ignore the fact, like kind of what I mentioned before, where people will often put their website behind, they’ll install a security plugin and be like, okay, I’m good, or they’ll install our firewall and think, okay, well now I’m safe, I can’t be hacked, I’m hacker proof, but then they still don’t protect their admin panel and that’s still vulnerable to brute force attacks.
Right? And so whether you’re using Cloudflare or our firewall or neither, you’ll still want to make sure that the basics are taken care of, like making sure your environment is up to date and patched, and you have your plugins updated and patched, and your admin panel has 2FA on it. There’s no real substitute for that.
I think that we’ve always been believers at Sucuri in defense in depth, and so we should not be relying on any one single plugin or service to protect us. We need to make sure that all attack vectors are taken care of and all possible exploits are blocked in whatever way possible.
So there is no such thing as 100% security, it’s not possible, but what you can do is risk reduction, and you can reduce the odds that your website is going to be attacked. For example, you can place protection in your wp-content/uploads directory to prevent PHP files from being executed.
So even if an attacker can upload a backdoor, they can’t use it. So defense in depth is super important. Do everything you possibly can to stymie the attacker’s ability to exploit your website. Can Cloudflare help you do that?
Sure. And Cloudflare can work in conjunction with our firewall as well, you can use both of them if you want, and I know that with Cloudflare you can actually block exploit attempts at your admin panel, you can restrict that with IP addresses, if I recall correctly. But yeah, I mean, whatever you can do to secure your environment, do it.
spk_1
Great, thank you for that answer. We have time for maybe one or two questions left. We’re gonna try and wrap up here at 12:05. So J.P. is asking another question. Thanks for the next question, J.P. Can you use two plugins like Sucuri and Wordfence?
spk_0
Yeah, I don’t see why not. A lot of our user base uses Wordfence. It’s a good plugin. It has a lot of good features in it and it’s great.
It’s free too, which is awesome. Our plugin is also free. As far as I know, I don’t think there’s any conflicts between them. However, as a general rule, you don’t want to just install every single security plugin under the sun, because that’s a recipe to lock yourself out of your own website.
I don’t think this is necessarily the case with Wordfence and the Sucuri scanner plugin together, but installing lots and lots of security plugins is kind of the same thing as installing multiple antivirus programs on a Windows box.
They’re trying to do the same thing and they end up fighting each other and conflicting and bogging down the system, and I’ve worked with more than a couple of clients that got totally locked out of their WP admin panel because they just installed like seven different security plugins and said, like, okay, I’m hacker proof now. It’s like, well, you also can’t access your own website anymore. So that is something to be wary of, for sure.
But Wordfence and the Sucuri scanner together, I think they’re okay to use together. Yeah.
spk_1
All right. Thanks for the answer. I think we have one more question. So if you could answer this one quickly then we’ll just wrap up. Anonymous attendee is asking, do you have detection if the IP address is good or bad or VPN based?
spk_0
I do believe our firewall has the option to block anonymous proxies. And determining if an IP address is good or bad, that’s a bit of an enigma. Who’s to say? There are definitely known bad IP addresses and known good ones, but there’s also a lot of IP addresses. So probably a more effective and simple solution would be to use some sort of geo blocking on your website.
So that is blocking access from certain countries and only allowing IP addresses from certain countries. Certainly not foolproof by any stretch.
But if you are, let’s say for example, an e-commerce website and you’re based in Toronto and you basically only do business with Canadians, Americans, maybe some European countries, but you wouldn’t even ship your product to Turkey or Russia or China, then there’s not really much reason to allow traffic from those countries at all.
So you’ll want to make sure that if you do want to use geo blocking, allow the countries that need access to your website and then block the ones that don’t.
spk_1
Perfect. Oh look, you have a little guest there.
spk_0
Made a cameo appearance.
spk_1
Nice. Okay, so I don’t see any more questions left. Looks like we’re getting a lot of good feedback. “Thank you, very informational presentation” from Kelly. Peter, thanks so much for your comment.
“Great presentation. Thank you very much.” So yeah, thank you so much for your time today, Ben, and thank you to everyone who attended the webinar and asked questions. Also, thank you to Rihanna, Brian Pillar, and the teams that livestreamed this event on the GoDaddy and Sucuri Twitter pages.
I think we had quite a few people join us from Twitter, so that’s exciting. As a reminder, today’s recording will be posted to Sucuri’s post-webinar page as well as GoDaddy’s events page.
If you have any feedback for this webinar or suggestions for future webinar topics, we’d love to hear from you. So let us know on Twitter. The Sucuri and GoDaddy handles are posted in the chat.
If you scroll up, they will be there. Thanks again for joining us and we’ll see you next time.
spk_0
Thanks everyone, cheers.
Hello everyone. Thanks for joining our webinar here at Sucuri for the 2021 Hacked Website Report. My name is Ben Martin — I am from Victoria, BC, Canada, and I am an analyst and researcher with Sucuri. I’ve been with the company since 2013.
I was a contributor to this report. It was a great project to work on and I’m excited to share our findings with you. We put together this report to detail the different trends in malware and the threat landscape on the web over the course of 2021 and describe where we have seen the trajectory and the direction that malware and web threats are headed.
I hope you find this webinar helpful and informative. At the very end of this presentation, we’re going to be going over some helpful tips and tricks for website owners like yourselves to keep your website safe and sound from hackers.
So, without further ado here is our 2021 hacked website report webinar presentation.
Most importantly, the key takeaways:
We’ve noticed that by and large the most common reason for website compromises has been vulnerable plugins and extensions. When a vulnerability is found in an especially popular website plugin or piece of software, it can wreak havoc and result in a lot of hacked websites. The websites that were at the biggest risk for this type of website compromise are ones that are poorly maintained, out of date, and not patched. The ones that had the lowest risk were websites that had automatic plugin updates enabled.
So, if you’re able to, we would strongly recommend enabling auto updates and making sure that your websites are well maintained and patched.
On that note, responsible disclosure is very much a key to a safer web. Responsible disclosure is when there’s a software vulnerability that’s discovered in a piece of software: the developer is contacted in private, and some time is given to them to issue a patch and notify their users to update and inform them that it’s very important to update.
When responsible disclosure is not practiced, it can wreak havoc and cause many thousands of websites to become compromised. There were a couple of very major plugin vulnerabilities over the course of 2021 where catastrophe was very much avoided because there was excellent communication with the public and responsible disclosure was practiced.
This practice is very much a key to a safer web and maintaining the integrity of website security for the broader public.
Unprotected admin panels are a major attack vector, and we see websites compromised due to this problem all the time. By default, WordPress and other CMS platforms do not have multi factor authentication or two-factor authentication. They also do not have a limit on the number of failed login attempts. And for the most part, administrator panels and login screens are publicly accessible, and it makes them very vulnerable to brute force attacks.
This causes untold thousands of websites to become compromised. And it’s a very major problem in the website security landscape. We would love to see two factor authentication enabled by default for WordPress and other CMS platforms.
Magento 2 has enabled this feature for new software installations. So, the industry is sort of trending in that direction, but it would be a major win for a safer web to have 2FA much more prevalent on websites.
Credit card skimming is definitely on the rise, especially for the WordPress platform. We’ve noticed over the course of 2021 that WordPress has kind of eclipsed Magento and OpenCart and other purpose-built e-commerce platforms for the presence of credit card skimmers.
Credit card skimmers made up about 25% of the new signatures that we wrote for detecting new malware. We’re going to go over what that means a little bit later in this presentation, but credit card skimming is definitely more prevalent in 2021 than it was in previous years.
SEO spam, although it is kind of trending downwards overall, it’s still a very common infection and is very much a nuisance for website owners.
Backdoors are the backbone of many compromises — over 60% of compromised websites that we found from our clients contained a backdoor of some sort, and they’re very prevalent. It is one of the most common ways that attackers maintain access to compromised environments. We’ve also noticed that there are two different families of malware: there’s malware that focuses on quantity, so spammers and redirects to scam sites and drive-by downloads.
These attackers’ objective is to infect as many websites as possible, and infect as many visitors as possible, in the shortest time period possible; they don’t really care about being hidden.
And on the other hand, there’s malware that focuses on quality, which is usually credit card skimming malware. So, this malware goes to great lengths to stay hidden for as long as possible, and that allows them to collect as many stolen credit cards as they possibly can.
There are two different kinds of objectives and styles, two different kinds of malware that we see. In terms of the CMS platforms that our clients are using, no surprise there: WordPress is overwhelmingly represented amongst our client base.
Interestingly the top three runner ups, Joomla, Drupal and Magento — when compared with data from previous years — are all trending very slightly downwards.
And WordPress is trending very slightly upwards, so presumably WordPress is absorbing the market share from these other CMS platforms that are sort of waning in popularity, and in terms of e-commerce websites and platforms like Magento.
We see more and more users are using WordPress and WooCommerce for their e-commerce platforms, and I think not only does WordPress make up over 40% of the web as a whole, but it also makes up roughly 40% of known e-commerce platforms as well.
In terms of out-of-date CMS this goes across all platforms, not just WordPress but all CMS platforms, it was roughly 50/50.
So, about half of our users — 48% of them — were using a fully up to date and patched CMS, and 52% were not. What does this suggest?
Well, the out-of-date CMS core files may not necessarily be the point of entry or the vulnerability that attackers exploit to compromise those websites.
Of course, we always recommend keeping all of your website software up to date and patched — that includes your core CMS WordPress, Joomla, Magento files — but it may not necessarily be the point of entry.
There are some very vulnerable CMS versions like Joomla 1, which is quite ancient now, but people still use it.
And there have been a few important but mostly maintenance security updates that WordPress has put out over the last year, but by and large, the presence of an out-of-date CMS tends to be more of a symptom of a more out of date and poorly maintained environment in general, and not necessarily the point of entry for the attackers.
In terms of vulnerable software components, this list here is the percentage of vulnerable software components that we found on compromised websites within our client base.
Contact Form 7 is overwhelmingly, by and large, the number one, by far. The reason for this is a file upload vulnerability that was discovered in December of 2020, so just a month before we started gathering the data for this report.
It’s a little overrepresented there for that reason, but it’s also a very, very common software component on a lot of websites. We saw that over one third of all detected out of date software was Contact Form 7.
Very interestingly, TimThumb was number two: a distant second, but second nonetheless.
What’s really interesting about this is that the TimThumb vulnerability is roughly a decade old.
It’s very, very, very old. And even to this day its presence persists. What that sort of suggests to us is that once a major software vulnerability is discovered in a popular piece of software, that’s not going away anytime soon; that is going to stick around and be a threat and a problem on websites for potentially years to come.
In terms of the vulnerabilities that were discovered in the year 2021: first off, I’d like to extend a big thank you to all the security researchers across the web that helped discover these, helped get them patched, and helped make the web a safer place for everyone.
With some notable exceptions on the left, we have the top 10 vulnerabilities in terms of, of usage. So, the plug-ins that have the most installations.
WooCommerce is number one there. And on the right-hand side we have the top 10 vulnerabilities from 2021 ranked by CVSS severity. So, what is that?
That is: the higher the CVSS score, the easier it is for attackers to exploit that vulnerability and compromise a website. You’ll notice that there are certain software components that are in both of these lists.
For example, Thrive Themes is on the left and the right, and Simple 301 Redirects is on the left and on the right. These were very problematic because they were very easy for the attackers to exploit.
And there were a lot of websites and potential victims for those attackers to compromise. So those ones tended to cause the most issues. There were also a couple of software extensions on this list on the right hand side, namely Store Locator Plus, with a little asterisk next to them, which indicates that those software components were abandoned by their plugin author and there is no patch. Those caused a disproportionate number of website compromises for the fairly small user base that they had, because there was nothing that those website owners could do except to put their website behind a firewall or, in some cases, completely redesign their website from scratch, which is no easy undertaking for your average website owner.
In terms of the malware that we detected on our clients’ environments, this is the kind of distribution that we’re seeing. You might be asking, well wait a second, Ben: 60 plus 60 plus 50 is more than 100.
The reason why there’s an overlap here is because more often than not, when we perform a malware cleanup on a client’s website, we find multiple different types of malware.
There’s almost always a backdoor. In this case we noticed over 60% of websites had a detected backdoor, and if there’s malware on a website, there’s probably a backdoor. If there’s spam on a website – also, probably a backdoor. We also saw hack tools, phishing, defacements, mailers and droppers. But of course, malware is a pretty broad category.
But that was the most common sort of type of infection that we saw on a website. Over 50% of websites had some sort of SEO spam, which is a pretty high number.
When compared to previous years’ data, we’ve noticed that the types of malware that are trending upwards are backdoors, hack tools and phishing.
The types of malware that are trending downwards are SEO spam, ever so slightly, and defacements, which are still out there but are not really as common as they used to be a few years ago in terms of the most common types of website infections.
Now I’ll just briefly explain what a cleanup signature is. Well, a cleanup signature is basically what provides our tools with the information to clear a certain type of malware.
That’s an infection that redirects website visitors to scam sites and drive by downloads. The multi bars double oh four infection is a backdoor related to a basically fake Canadian pharmacy search engine redirect, which is a very common type of infection that we see.
So, some other common infections that we noticed on client websites were you see this big ugly piece of code here. This is a spam SEO redirect infection in an index.php file.
We saw siteurl and home injections were very, very common. This is sort of part and parcel with a year-long campaign from attackers that exploit a series of plugin vulnerabilities that have been discovered over the course of several years, and there are a few different flavors of this malware, if you want to call it that.
But we see in the bottom image an example of that where essentially the attackers, depending on the vulnerability, are sometimes able to change values in the wp_options table and just redirect to a scam site or malware site, and all the traffic from that victim website goes to a destination of their choosing.
There are a few other differences depending on the vulnerability that they’re exploiting. Sometimes you see many thousands of database injections in the wp_post table but by and large, the attacker’s goal here is to redirect visitors to scam sites.
We’ve also noticed an increase in malicious processes on victim websites. Once the malware gains a foothold in the environment it will spawn a process on the server, which will constantly reinfect the files as you try to clean them. You remove the injection and then two seconds later it reappears.
It’s very cumbersome and frustrating to remove and it requires SSH access to the server and a little bit of process management knowledge, but it’s quite a nuisance for remediation.
And from our perspective, speaking of nuisances, another very common type of malware that we noticed on clients’ websites was .htaccess nuisance malware.
This is malware that pollutes the environment with thousands of .htaccess files that interfere with the running of PHP scripts and basically just interferes with the regular operation of the website.
So very much a nuisance to get rid of and of course, not at all new, but SEO spam redirects were very, very, very common in victim environments.
We see, in terms of the processes I was referring to, an example of a malicious process right there. This was commonly related to AnonymousFox malware, so this came up over and over and over again over the course of 2021 and previous years. AnonymousFox is sort of an exploit kit that attackers can use to compromise websites; it’s sort of a purpose-built kit of tools that contains everything you could possibly need to compromise a vulnerable website.
It will automatically brute force a website for you and automatically exploit known vulnerable plugins. It has functionality to take over the cPanel from a compromised WordPress environment, and it is very much a major, major nuisance in terms of the website security landscape. I don’t think AnonymousFox is going anywhere anytime soon.
In terms of backdoors, this fancy little graph here is basically a breakdown of the different types of backdoors that we identified on compromised websites. We see that over a third of detected backdoors were web shells, and remote code execution backdoors were also very popular with attackers.
These types of backdoors allow the attackers a lot of functionality in terms of what they’re able to do with compromised environments.
Web shells in particular give them a lot of leeway in compromising, or playing with, or further compromising the environment that they have.
It allows them full management of files and databases and gives them full control over the environment. Remote code execution and uploaders were also very common. Uploaders are often the sort of point of entry for attackers, and that allows them to upload other shells and backdoors into the environment to give them a little bit more flexibility in terms of what they can do to play around with the victim environment and deliver their payloads, essentially. Credit card skimming malware was a major focus of the report and was a major focus of the remediation and research teams from last year.
Credit card skimming is definitely on the rise, and definitely on the rise in WordPress, especially WooCommerce environments. We blocked over 500 domains for credit card skimming during the course of 2021.
This is the greatest number of domains that we blocked for skimming in one year alone. In the previous years we’ve noticed it goes up and up and up and up and 2021 was the top number of domains we blocked for skimming.
Interestingly, if we look at the CMS platforms that websites with known credit card skimmers detected by our SiteCheck tool were using, over one third of those were running WordPress, and that number is set only to increase over the course of this year. 2021 was the year that WordPress overtook Magento in terms of Magecart credit card theft infections, and we expect that trend to continue.
Interestingly, when we look at the number of new malware signatures that were written by our research team for PHP malware, over one quarter of all signatures written for PHP malware were credit card stealers – what does this tell us? Number one, the attackers are putting a lot more time and effort into writing new malware for victim environments, and their goal and their objective there is to stay hidden and stay undetected for as long as possible.
And if we look at the new credit card skimming signatures that we wrote, over 40% of them were for the PHP back end. So that means it’s invisible to a regular visitor to the website.
Most Magecart researchers and people that are investigating credit card theft and compromised e-commerce websites online are typically only looking at JavaScript, because that’s what is visible in the browser and that’s what they can see.
We have access to the back end for our clients, for the most part, when they submit a malware removal request, so we can see kind of behind the curtain, as it were, and a full over 40% of all new signatures for credit card skimming malware were PHP.
If you’re a Magecart researcher and you’re looking at websites from the outside, there’s a big portion on the other side of the curtain that you’re missing.
In terms of SEO spam, to the surprise of no one, pharmaceuticals are topping our list, although we have seen in recent years a sort of shift towards different kinds of spam, especially essay writing and knockoff brand name products, which are sort of closely related with that.
Japanese spam detection that we see in number two but still pharma tops number one and probably always will top number one for the most common spam infections.
There’s a lot of reasons for that and I think just the lack of access to affordable pharmaceuticals in the western world is driving the desire for people to look for cheaper solutions online.
So that’s probably not set to change anytime soon. On the topic of SEO Spam, the notorious spam post infection was incredibly common.
Lots and lots and lots of websites were affected with this type of malware. It’s more of a nuisance than anything, but it’s a very simple hack once an unprotected wp-admin administrator panel is compromised by the attackers.
All they do is log in and just add a blog post that links to the spammy websites that they’re trying to promote. It’s a very easy attack to fix and remediate. All you have to do is delete the post and change your passwords.
But it is even easier to prevent in the first place, which would be adding some additional protections to your administrator panel like 2FA or limiting failed login attempts.
If we look at phishing another quite common attack makes attackers money – that’s for sure. So, you can be sure that they will continue to do this in the future.
When we look at the types of signatures that we created over the course of 2021, over 50% of them were payload. So that is the main landing page that the attackers will send victims to when they send out bogus emails.
It will take you to a page that says, please log into your Office 365 login or Adobe or your bank. And that’s sort of the main focus for the attackers.
But there are some other component parts to most phishing kits, namely components such as scripts that prevent search engines from indexing those pages to try to stay hidden.
We also have mailers that will email either compromised credentials to the attackers once victims fall for the, for the phishing page or will sometimes actually be responsible for sending out the bogus emails to try to trick people into clicking on those links – and a very small sliver of phishing signatures that were generated in 2021 were just redirects.
All it does is send you to a page and then it sends you to somewhere else, to a different website that contains phishing. A lot of phishing malware use the same component kits.
We see a lot of commonalities between different phishing signatures and different phishing kits across many different websites. Defacements are definitely not as common as they were in the past, but there was one very interesting, noteworthy infection from 2021 which was a fake ransomware infection.
You see a screen capture of this here. There was no actual ransomware on these clients’ websites. It was actually just a defacement trying to trick the website owners into thinking that they were ransomware and to try to trick them into paying a ransom, when in fact all of their website content was still there; they just had to run a couple of SQL commands to get it back up online out of the trash, I think it was, or they had hidden it.
But this was a very interesting attempt by the attackers to try to monetize defacements. I would reckon that one of the reasons why defacements aren’t as common as they were in previous years is because they don’t make money for the attackers, they’re just, it’s just something attackers would do for fun or to get a rise or to, say, increase their profile in the attacker community to see how many sites that they could, they could deface.
This was an attempt to make money off defacements, which was quite interesting. In terms of our SiteCheck tool, you can go to sitecheck.sucuri.net if you’d like to do a free remote scan of your website.
The back end of SiteCheck, when we look at the data over the course of 2021, shows us some interesting trends. There were over 132 million SiteCheck scans in total done.
Over 10% of them had identified out of date software. Over 4% of them were identified as infected, and over a third of all known infected websites were in fact affected with some sort of SEO spam. This list on the right-hand side is very much related to the site.
These are the top six domains that we saw the most often affected by and used in these website infections.
And we see over 10,000 known hits for that.
One thing that you’ll notice that’s quite interesting about this list is that all of these are .ga and .tw domains. What are those?
Gabon and Taiwan seem like kind of a weird choice for attackers. Well, we can identify why that was the case in this next slide here.
There were a number of bulletproof hosting providers and domain registrars which actively promoted these two top level domains over the course of 2021. A bulletproof hosting provider is a hosting provider that malicious actors are often drawn to because it tries to protect them from things like DMCA takedowns. They try to stay online for the attackers as long as they possibly can and sort of obfuscate the relationship between the attacker and the domain and the hosting service that they use.
And there were a number of providers that were actively promoting .tw and .ga domains over the course of the year. And of course, that is why we saw it very widely overrepresented in the types of malicious redirects and the domains that we saw used in those redirects over the course of the year.
So, since this domain registration page in particular has been taken offline, I don’t believe we’ve seen a single .tw or .ga domain used in a redirect since.
Quite interesting. And to conclude, if you’re a website owner and you would like to keep your website safe from attackers, there’s a few key principles that you have to follow.
Number one of course you’ll want to protect your admin panel with two factor authentication or other restrictions. Our firewall can help you do that very easily, but there are also free WordPress plugins available online that you can do that for free as well.
We would also highly recommend enabling automatic updates for your website to make sure that as soon as a security patch is issued you get updated right away and that gives the attackers almost no time at all to compromise your website.
You’ll also of course want to use strong passwords. There’s no substitute for that really, make sure that they’re long and complex. And we also recommend using a password manager if possible.
You’ll also want to make sure that you have a daily backup service for your website, files and database. This is very important, especially if you have automatic updates enabled every so often.
Something can be incompatible and maybe break. You’ll want to make sure that you have a fail safe fallback for a rainy day, if you will. And of course, if you want some extra assistance with keeping your website safe from attackers, you can put your website behind a firewall, such as the Sucuri firewall that we offer to our clients.
So, that’s it for the report. Thank you very much for joining me. We hope you found that helpful and we will see you next time.
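Two of the symptoms described in the presentation, siteurl/home injections in the wp_options table and .htaccess nuisance malware sprawl, are simple to check for mechanically. The following is an added example written for this page, not Sucuri’s tooling or code from the webinar. It assumes wp_options rows have already been pulled (for instance from a database dump) into (name, value) tuples, that file paths are listed relative to the document root, and that the allow-list of directories where a .htaccess file normally lives is an assumption to be tuned per site; all sample data is constructed.

```python
"""
Added example (not Sucuri's code): two integrity checks for symptoms the
webinar describes on compromised WordPress sites.

1. siteurl/home injections in the wp_options table, which redirect every
   visitor to an attacker-chosen domain.
2. ".htaccess nuisance malware": large numbers of .htaccess files dropped
   throughout the document root that interfere with PHP execution.

Inputs are plain Python values so the checks run offline; in practice the
rows would come from a database query and the paths from walking the
site's document root.
"""
from posixpath import dirname
from urllib.parse import urlparse

# Options that, if changed, redirect every visitor of a WordPress site.
REDIRECT_OPTIONS = ("siteurl", "home")

# Assumed allow-list: directories where a .htaccess file is expected on a
# typical WordPress install (root rewrite rules, wp-admin, uploads).
DEFAULT_HTACCESS_DIRS = ("", "wp-admin", "wp-content/uploads")


def audit_wp_options(rows, expected_host):
    """Return findings for siteurl/home values that do not point at the
    host the site owner expects. rows: iterable of (name, value) tuples."""
    findings = []
    expected = expected_host.lower()
    for name, value in rows:
        if name not in REDIRECT_OPTIONS:
            continue
        parsed = urlparse(value.strip())
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or host != expected:
            findings.append(f"{name} points to {value!r}, expected host {expected!r}")
    return findings


def audit_htaccess(paths, allowed_dirs=DEFAULT_HTACCESS_DIRS, max_total=10):
    """Flag .htaccess sprawl.

    paths: file paths relative to the document root (POSIX style).
    Returns (unexpected_files, total_count, is_sprawl) where is_sprawl is
    True when more .htaccess files exist than max_total (an assumed
    threshold; a clean install has only a handful).
    """
    unexpected = []
    total = 0
    for p in paths:
        p = p.strip("/")
        if p.rsplit("/", 1)[-1] != ".htaccess":
            continue
        total += 1
        if dirname(p) not in allowed_dirs:
            unexpected.append(p)
    return unexpected, total, total > max_total


# Constructed sample wp_options rows; the second set shows the injection.
CLEAN_OPTIONS = [("siteurl", "https://example.com"),
                 ("home", "https://example.com"),
                 ("blogname", "Shop")]
INJECTED_OPTIONS = [("siteurl", "https://example.com"),
                    ("home", "http://redirect.example.invalid/?go"),
                    ("blogname", "Shop")]

# Constructed sample file listings; the polluted tree has a .htaccess
# dropped into every plugin and theme directory.
CLEAN_TREE = [".htaccess", "index.php", "wp-admin/.htaccess",
              "wp-content/uploads/.htaccess",
              "wp-content/plugins/foo/foo.php"]
POLLUTED_TREE = (CLEAN_TREE
                 + [f"wp-content/plugins/plugin{i}/.htaccess" for i in range(30)]
                 + [f"wp-content/themes/theme{i}/.htaccess" for i in range(30)])


if __name__ == "__main__":
    for label, rows in (("clean", CLEAN_OPTIONS), ("injected", INJECTED_OPTIONS)):
        print(label, "options:", audit_wp_options(rows, "example.com") or "ok")
    for label, tree in (("clean", CLEAN_TREE), ("polluted", POLLUTED_TREE)):
        unexpected, total, sprawl = audit_htaccess(tree)
        print(f"{label} tree: {total} .htaccess files, sprawl={sprawl}, "
              f"{len(unexpected)} in unexpected directories")
```

Both checks are meant to be re-run after cleanup: the presentation notes that a malicious process can reinfect files seconds after they are removed, so a finding that reappears on a second pass is a strong hint to look for a running process rather than just the file or row.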
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.