Hacked Website Threat Report
An analysis of the latest trends in malware and hacked websites at Sucuri & GoDaddy.
Date aired: July 6th, 2022
In this webinar we cover the latest findings from our 2021 Hacked Website Threat Report. We shed light on some of the most common tactics and techniques we saw within compromised website environments and our remote scanners. Plus, learn about some of the most notable infections, top cleanup signatures, and tips to mitigate risk.
About the Presenter: Ben Martin
Ben Martin is a security analyst and researcher who joined Sucuri in 2013. Ben’s main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn’t slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat.
Hello everyone. Thanks for joining our webinar here at Sucuri for the 2021 Hacked Website Report. My name is Ben Martin — I am from Victoria, BC, Canada, and I am an analyst and researcher with Sucuri. I’ve been with the company since 2013.
I was a contributor to this report. It was a great project to work on and I’m excited to share our findings with you. We put together this report to detail the different trends in malware and the threat landscape on the web over the course of 2021 and describe where we have seen the trajectory and the direction that malware and web threats are headed.
I hope you find this webinar helpful and informative. At the very end of this presentation, we’re going to be going over some helpful tips and tricks for website owners like yourselves to keep your website safe and sound from hackers.
So, without further ado here is our 2021 hacked website report webinar presentation.
Most importantly, the key takeaways:…
We’ve noticed that by and large the most common reason for website compromises has been vulnerable plugins and extensions. When a vulnerability is found in an especially popular website plugin or piece of software, it can wreak havoc and result in a lot of hacked websites. The websites that were at the biggest risk for this type of website compromise are ones that are poorly maintained, out of date and not patched. The ones that had the lowest risk were websites that had automatic plugin updates enabled.
So, if you’re able to, we would strongly recommend enabling auto updates and making sure that your websites are well maintained and patched.
On that note, responsible disclosure is very much a key to a safer web. Responsible disclosure is when there’s a software vulnerability that’s discovered in a piece of software: the developer is contacted in private, and some time is given to them to issue a patch and notify their users to update and inform them that it’s very important to update.
When responsible disclosure is not practiced, it can wreak havoc and cause many thousands of websites to become compromised. There were a couple of very major plugin vulnerabilities over the course of 2021 where catastrophe was very much avoided because there was excellent communication with the public and responsible disclosure was practiced.
This practice is very much a key to a safer web and maintaining the integrity of website security for the broader public.
Unprotected admin panels are a major attack vector, and we see websites compromised due to this problem all the time. By default, WordPress and other CMS platforms do not have multi factor authentication or two-factor authentication. They also do not have a limit on the number of failed login attempts. And for the most part, administrator panels and login screens are publicly accessible, and it makes them very vulnerable to brute force attacks.
This causes untold thousands of websites to become compromised. And it’s a very major problem in the website security landscape. We would love to see two factor authentication enabled by default for WordPress and other CMS platforms.
Magento 2 has enabled this feature for new software installations. So, the industry is sort of trending in that direction, but it would be a major win for a safer web to have 2FA much more prevalent on websites.
Credit card skimming is definitely on the rise, especially for the WordPress platform. We’ve noticed over the course of 2021 that WordPress has kind of eclipsed Magento and OpenCart and other purpose-built e-commerce platforms for the presence of credit card skimmers.
Credit card skimmers made up about 25% of the new signatures that we wrote for detecting new malware. We’re going to go over what that means a little bit later in this presentation, but credit card skimming is definitely more prevalent in 2021 than it was in previous years.
SEO spam, although it is kind of trending downwards overall, it’s still a very common infection and is very much a nuisance for website owners.
Backdoors are the backbone of many compromises — over 60% of compromised websites that we found from our clients contained a backdoor of some sort, and they’re very prevalent. It is one of the most common ways that attackers maintain access to compromised environments, and we’ve also noticed that there are two different families of malware: there’s malware that focuses on quantity, so spammers and redirects to scam sites and drive-by downloads.
These attackers’ objective is to infect as many websites as possible, in fact as many visitors as possible in the shortest time period possible, they don’t really care about being hidden.
And on the other hand, there’s malware that focuses on quality, which is usually credit card skimming malware. So, this malware goes to great lengths to stay hidden for as long as possible, and that allows them to collect as many stolen credit cards as they possibly can.
There are two different kinds of objectives and styles, two different kinds of malware that we see. In terms of the CMS platforms that our clients are using, no surprise there, WordPress is overwhelmingly represented amongst our client base.
Interestingly the top three runner ups, Joomla, Drupal and Magento — when compared with data from previous years — are all trending very slightly downwards.
And WordPress is trending very slightly upwards, so presumably WordPress is absorbing the market share from these other CMS platforms that are sort of waning in popularity, and in terms of e-commerce websites and platforms like Magento.
We see more and more users are using WordPress and WooCommerce for their e-commerce platforms, and I think not only does WordPress make up over 40% of the web as a whole, but it also makes up roughly 40% of known e-commerce platforms as well.
In terms of out-of-date CMS this goes across all platforms, not just WordPress but all CMS platforms, it was roughly 50/50.
So, about half of our users — 48% of them — were using a fully up to date and patched CMS and 52% worked. What does this suggest?
Well, the out-of-date CMS core files may not necessarily be the point of entry or the vulnerability that attackers exploit to compromise those websites.
Of course, we always recommend keeping all of your website software up to date and patched — that includes your core CMS WordPress, Joomla, Magento files — but it may not necessarily be the point of entry.
There are some very vulnerable CMS versions like Joomla 1, which is quite ancient now, but people still use it.
And there have been a few important but mostly maintenance security updates that WordPress has put out over the last year, but by and large, the presence of an out-of-date CMS tends to be more of a symptom of a more out-of-date and poorly maintained environment in general and not necessarily the point of entry for the attackers. Now, in terms of vulnerable software components.
This list here is the percentage of vulnerable software components that we found on compromised websites within our client base.
Contact Form 7 is overwhelmingly, by and large, the number one. The reason for this is a file upload vulnerability that was discovered in December of 2020, so just a month before we started gathering the data for this report.
It’s a little overrepresented there for that reason, but it’s also a very, very common software component on a lot of websites. Over one third of all detected out-of-date software was Contact Form 7.
Very interestingly, TimThumb was number two, a distant second, but second nonetheless.
What’s really interesting about this is that the TimThumb vulnerability is roughly a decade old.
It’s very, very, very old. And even to this day its presence persists. What that sort of suggests to us is that once a major software vulnerability is discovered in a popular piece of software, it’s not going away anytime soon; it is going to be a threat and a problem on websites for potentially years to come.
In terms of the vulnerabilities that were discovered in the year 2021, first off, I’d like to extend a big thank you to all the security researchers across the web that helped discover these and helped make the web a safer place for everyone by getting these patched.
With some notable exceptions, on the left we have the top 10 vulnerabilities in terms of usage, so the plugins that have the most installations.
WooCommerce is number one there. And on the right-hand side we have the top 10 vulnerabilities from 2021 ranked by CVSS severity. So, what is that?
The higher the CVSS score, the easier it is for attackers to exploit that vulnerability and compromise a website. You’ll notice that there are certain software components that are in both of these lists.
For example, Thrive Themes is on the left and the right, and Simple 301 Redirects is on the left and on the right. These were very problematic because they were very easy for the attackers to exploit.
And there were a lot of websites and potential victims for those attackers to compromise. So those ones tended to cause the most issues. There were also a couple of software extensions on the list on the right-hand side, namely Store Locator Plus, with a little asterisk next to them, which indicates that those software components were abandoned by their plugin author and there is no patch. Those caused a disproportionate number of website compromises for the fairly small user base that they had, because there was nothing that those website owners could do except put their website behind a firewall or, in some cases, completely redesign their website from scratch, which is no easy undertaking for your average website owner.
In terms of the malware that we detected on our clients’ environments, this is the kind of distribution that we’re seeing. You might be asking, well, wait a second, Ben, 60 plus 60 plus 50 is more than 100.
The reason why there’s an overlap here is because more often than not, when we perform a malware cleanup on a client’s website, we find multiple different types of malware.
There’s almost always a backdoor. In this case we noticed over 60% of websites had a detected backdoor, and if there’s malware on a website, there’s probably a backdoor. If there’s spam on a website – also, probably a backdoor. We also saw hack tools, phishing, defacements, mailers and droppers. But of course, malware is a pretty broad category.
But that was the most common type of infection that we saw on a website. Over 50% of websites had some sort of SEO spam, which is a pretty high number.
When compared to previous years’ data, we’ve noticed that the types of malware that are trending upwards are backdoors, hack tools and phishing.
The types of malware that are trending downwards are SEO spam, ever so slightly, and defacements, which are still out there but not really as common as they used to be a few years ago, in terms of the most common types of website infections.
Now I’ll just briefly explain what a cleanup signature is. Well, a cleanup signature is basically what provides our tools with the information to clean a certain type of malware.
That’s an infection that redirects website visitors to scam sites and drive-by downloads. The multi bars double oh four infection is a backdoor related to a basically fake Canadian pharmacy search engine redirect, which is a very common type of infection that we see.
So, some other common infections that we noticed on client websites: you see this big ugly piece of code here. This is a spam SEO redirect infection in an index.php file.
We saw that siteurl and home injections were very, very common. This is sort of part and parcel with a year-long campaign from attackers that exploit a series of plugin vulnerabilities that have been discovered over the course of several years, and there are a few different flavors of this malware, if you want to call it that.
But we see in the bottom image an example of that where essentially the attackers, depending on the vulnerability, are sometimes able to change the values in the wp_options table and just redirect to a scam site or malware site, and all the traffic from that victim website goes to a destination of their choosing.
There are a few other differences depending on the vulnerability that they’re exploiting. Sometimes you see many thousands of database injections in the wp_posts table, but by and large, the attacker’s goal here is to redirect visitors to scam sites.
We’ve also noticed an increase in malicious processes on victim websites. Once the malware gains a foothold in the environment it will spawn a process on the server, which will constantly reinfect the files as you try to clean them. You remove the injection and then two seconds later it reappears.
It’s very cumbersome and frustrating to remove and it requires SSH access to the server and a little bit of process management knowledge, but it’s quite a nuisance for remediation.
And from our perspective, speaking of nuisances, another very common type of malware that we noticed on clients’ websites was .htaccess nuisance malware.
This is malware that pollutes the environment with thousands of .htaccess files that interfere with the running of PHP scripts and basically just interfere with the regular operation of the website.
So very much a nuisance to get rid of and of course, not at all new, but SEO spam redirects were very, very, very common in victim environments.
In terms of the processes I was referring to, that’s an example of a malicious process right there, and this was commonly related to AnonymousFox malware. This came up over and over and over again over the course of 2021 and previous years. AnonymousFox is sort of an exploit kit that attackers can use to compromise websites; it’s sort of a purpose-built kit of tools that contains everything you could possibly need to compromise a vulnerable website.
It will automatically brute force a website for you and automatically exploit known vulnerable plugins. It has functionality to take over cPanel from a compromised WordPress environment, and it is very much a major, major nuisance in terms of the website security landscape, and I don’t think AnonymousFox is going anywhere anytime soon.
In terms of backdoors, this fancy little graph here is basically a breakdown of the different types of backdoors that we identified on compromised websites. We see that over a third of detected backdoors were web shells.
Remote code execution backdoors were also very popular with attackers. These types of backdoors allow the attackers a lot of functionality in terms of what they’re able to do with compromised environments.
Web shells in particular give them a lot of leeway in compromising, or playing with, or further compromising the environment that they have.
It allows them full management of files and databases and gives them full control over the environment. Remote code execution and uploaders were also very common. Uploaders are often the point of entry for attackers, and they allow them to upload other shells and backdoors into the environment to give them a little bit more flexibility in terms of what they can do to play around with the victim environment and deliver their payloads, essentially. Credit card skimming malware was a major focus of the report and was a major focus of the remediation and research teams last year.
Credit card skimming is definitely on the rise, and definitely on the rise in WordPress, especially WooCommerce environments. We blocked over 500 domains for credit card skimming during the course of 2021.
This is the greatest number of domains that we blocked for skimming in one year alone. In the previous years we’ve noticed it goes up and up and up and up and 2021 was the top number of domains we blocked for skimming.
Interestingly, if we look at the CMS platforms that websites were using that had known credit card skimmers detected by our SiteCheck tool, over one third of those were running WordPress, and that number is set only to increase over the course of this year. 2021 was the year that WordPress overtook Magento in terms of major credit card theft infections, and we expect that trend to continue.
Interestingly, when we look at the number of new malware signatures that were written by our research team for PHP malware, over one quarter of all signatures written for PHP malware were credit card stealers – what does this tell us? Number one, the attackers are putting a lot more time and effort into writing new malware for victim environments, and their objective there is to stay hidden and stay undetected for as long as possible.
And if we look at the new credit card skimming signatures that we wrote, over 40% of them were for the PHP back end. So that means it’s invisible to a regular visitor to the website.
We have access to the back end for our clients for the most part when they submit a malware removal request, so we can see kind of behind the curtain, as it were, and a full 40%-plus of all new signatures for credit card skimming malware were PHP.
If you’re a Magecart researcher and you’re looking at websites from the outside, there’s a big portion on the other side of the curtain that you’re missing.
In terms of SEO spam, to the surprise of no one, pharmaceuticals are topping our list, although we have seen in recent years a sort of shift towards different kinds of spam, especially essay writing and knockoff brand name products, which are sort of closely related with the Japanese spam detection that we see at number two.
But pharma still tops number one and probably always will top number one for the most common spam infections.
There’s a lot of reasons for that and I think just the lack of access to affordable pharmaceuticals in the western world is driving the desire for people to look for cheaper solutions online.
So that’s probably not set to change anytime soon. On the topic of SEO Spam, the notorious spam post infection was incredibly common.
Lots and lots and lots of websites were affected with this type of malware. It’s more of a nuisance than anything, but it’s a very simple hack once an unprotected WP admin administrator panel is compromised by the attackers.
All they do is log in and add a blog post with links to spam; those spam posts link back to the spammy websites that they’re trying to promote. It’s a very easy attack to fix and remediate. All you have to do is delete the post and change your passwords.
But it is even easier to prevent in the first place, which would be adding some additional protections to your administrator panel like 2FA, or limiting failed login attempts.
If we look at phishing, another quite common attack, it makes attackers money – that’s for sure. So, you can be sure that they will continue to do this in the future.
When we look at the types of signatures that we created over the course of 2021, over 50% of them were payload. So that is the main landing page that the attackers will send victims to when they send out bogus emails.
It will take you to a page that says, please log into your Office 365 login or Adobe or your bank. And that’s sort of the main focus for the attackers.
But there are some other component parts to most phishing kits, namely components such as scripts that prevent search engines from indexing those pages to try to stay hidden.
We also have mailers that will email either compromised credentials to the attackers once victims fall for the phishing page, or will sometimes actually be responsible for sending out the bogus emails to try to trick people into clicking on those links – and a very small sliver of phishing signatures that were generated in 2021 were just redirects.
All it does is send you to a page and then it sends you to somewhere else, to a different website that contains phishing. A lot of phishing malware use the same component kits.
We see a lot of commonalities between different phishing signatures and different phishing kits across many different websites. Defacements are definitely not as common as they were in the past, but there was one very interesting, noteworthy infection from 2021 which was a fake ransomware infection.
You see a screen capture of this here. There was no actual ransomware on these clients’ websites. It was actually just a defacement trying to trick the website owners into thinking that they were hit by ransomware and to try to trick them into paying a ransom, when in fact all of their website content was still there; they just had to run a couple of SQL commands to get it back up online out of the trash, I think it was, or wherever they had hidden it.
But this was a very interesting attempt by the attackers to try to monetize defacements. I would reckon that one of the reasons why defacements aren’t as common as they were in previous years is because they don’t make money for the attackers; it’s just something attackers would do for fun or to get a rise or to, say, increase their profile in the attacker community to see how many sites they could deface.
This was an attempt to make money off defacements, which was quite interesting. In terms of our SiteCheck tool, you can go to sitecheck.sucuri.net if you’d like to do a free remote scan of your website.
The back end of SiteCheck, when we look at the data over the course of 2021, shows us some interesting trends. There were over 132 million SiteCheck scans done in total.
Over 10% of them had identified out-of-date software. Over 4% of them were identified as infected, and over a third of all known infected websites were in fact affected with some sort of SEO spam. And this list on the right-hand side, this is very much related to the site.
These are the top six domains that we saw the most often affected by and used in these website infections.
And we see over 10,000 known hits for that.
One thing that you’ll notice that’s quite interesting about this list is that all of these are .ga and .tw domains. What are those?
Gabon and Taiwan seem like kind of a weird choice for attackers. Well, we can identify why that was the case in this next slide here.
There were a number of bulletproof hosting providers and domain registrars which actively promoted these two top-level domains over the course of 2021. A bulletproof hosting provider is a hosting provider that malicious actors are often drawn to because it tries to protect them from things like DMCA takedowns. They try to stay online for the attackers as long as they possibly can and sort of obfuscate the relationship between the attacker, the domain and the hosting service that they use.
And there were a number of providers that were actively promoting .tw and .ga domains over the course of the year. And of course, that is why we saw them very widely overrepresented in the types of malicious redirects and the domains that we saw used in those redirects over the course of the year.
So, since this domain registration page in particular has been taken offline, I don’t believe we’ve seen a single .tw or .ga domain used in a redirect since.
Quite interesting. And to conclude, if you’re a website owner and you would like to keep your website safe from attackers, there are a few key principles that you have to follow.
Number one, of course, you’ll want to protect your admin panel with two-factor authentication or other restrictions. Our firewall can help you do that very easily, but there are also free WordPress plugins available online that can do that for free as well.
We would also highly recommend enabling automatic updates for your website to make sure that as soon as a security patch is issued you get updated right away and that gives the attackers almost no time at all to compromise your website.
You’ll also of course want to use strong passwords. There’s no substitute for that really, make sure that they’re long and complex. And we also recommend using a password manager if possible.
You’ll also want to make sure that you have a daily backup service for your website files and database. This is very important, especially if you have automatic updates enabled: every so often,
something can be incompatible and maybe break. You’ll want to make sure that you have a fail-safe fallback for a rainy day, if you will. And of course, if you want some extra assistance with keeping your website safe from attackers, put your website behind a firewall, such as the Sucuri firewall that we offer to our clients.
So, that’s it for the report. Thank you very much for joining me. We hope you found that helpful and we will see you next time.
Similar Past Webinars
Webinar – Virtual Patching Webinar
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to mitigate risk from infection and virtually patch known vulnerabilities in your website’s environment.
Webinar – Hacked Website Threat Report 2021
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
Webinar – Logs: Understanding Them to Better Manage Your WordPress Site
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
Webinar – Personal Online Privacy
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Webinar – Why Do Hackers Hack?
Join us as we delve into the minds of hackers to explain targeted attacks, random attacks, and SEO attacks. Find out why bad actors target websites.
Webinar – WAF (Firewall) and CDN Feature Benefit Guide
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Webinar – Preventing Cross-Site Contamination for Beginners
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
Webinar – Getting Started with Sucuri!
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Webinar – How to Account for Security with Customer Projects
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..
Webinar – Is SSL Enough to Secure Your Website?
It's a move we've seen coming since early 2017. Chrome HTTP sites are now officially being marked as 'not secure'. With Chrome dominating 62.85% of the browser market space as of last month, even small changes can have a big impact on website owners if ignored…..