Hacked Website Threat Report 2022

Hello, everyone. Thanks for joining us. This is the 2022 annual website Security Threat Report webinar presented to you by security and GoDaddy. We’re going to be looking at the trends in the website Security landscape that we observed over the course of last year. Of course, if you want to read the full report, you can find that at https://sucuri.net/reports/2022-hacked-website-report/.

I will be your presenter today. My name is Ben Martin and I’ve been with Sucuri since 2013. I’m a security analyst and researcher — and I hail from Victoria, British Columbia, Canada. I’m also a frequent contributor to the blog and was a contributor to the threat report. So we hope you enjoy it. Let’s get started with some of the key takeaways from the 2022 reports.

The three main malware campaigns are rather the most prominent and aggressive campaigns that we’ve noticed over the course of the year were very similar to previous years. That is SocGholish. Then Balada Injector and Japanese SEO spam. We will be going into further detail on all three of those later on in the presentation here. Magecart attacks saw some very interesting developments within that particular type of infection: credit card theft malware.

We noticed that, overwhelmingly, WordPress websites using WooCommerce are among the most common victims of this sort of malware. And again, we’re going to go into those details a little bit here in this presentation. Nearly half of all infected websites contain some form of SEO spam, which of course is a major nuisance for website owners. The most common website signature or rather single type of malware was .htaccess malware which creates malicious allow and deny rules.

This is a major pain to remove, and it’s closely related to the Japanese SEO spam attack. This malware is also frequently paired with malicious processes running within the environment that immediately re-infects the files as soon as you try to clean it, so it’s a major nuisance if your website is impacted by this type of infection.

Also, nearly 70% of infected websites contain some sort of backdoor. Backdoors are almost par for the course with most malware infections because it allows the attackers to reinfect the environment, even after you’ve changed your passwords. So if you’re a regular website owner and you’re trying to clean up your environment, you need to make sure to get rid of all of the backdoors that the attackers planted within the websites.

Furthermore, nearly one third of databases which contained malware did contain a malicious administrator user. This is, in a sense, a different type of backdoor within an environment because it still allows the attackers back end access and allows them to reinfect the environment again, even after you’ve removed the malware in the payload from the website. So let’s go through each of these key points and kind of extrapolate on them a little bit.

We’re going to start first with this software distribution of our clients. Keep in mind, this does not represent the software distribution of the web as a whole and only pertains to our clients and the infected websites that we dealt with over the course of the year. Of course, we can see that WordPress is overwhelmingly the most common CMS platform used by our clients, and 96.2% of infected websites that we dealt with use WordPress. It is by far the most common. Now, keep in mind this is not to suggest that WordPress is any less secure than any other CMS platform. It is simply the most popular in use among website owners, and so it’s a larger target for the attackers. Conversely, platforms like Joomla, Magento and Drupal have continued their very slight decline in terms of prominence across the clients that we’ve worked with over the years. And WordPress continues to inch upwards as the overwhelmingly most popular CMS that they use, very similar to previous years. 

Roughly half of all infected websites contained out-of-date CMS at the point of infection. So we can say that conversely, half of all websites infected websites that we worked with over the course of the year had a fully patched CMS software in use. Obviously, you want to keep things patched and up to date as much as possible, but there are a lot of other things that pose a greater attack surface than just out of date core files. And that includes software plugins and themes and other components as well.

And on that topic, the top three vulnerable software components that we observed over the course of 2022 were Contact Form 7, Freemius Library, and WooCommerce. Now, of course, those three pieces of software are safe to use if they’re fully patched and up to date. So just make sure that you have a good security posture and that you’re keeping your website up to date and patched in order to decrease the potential attack surface for attackers to gain a foothold in your environment.

This is also the second year in a row that Contact Form 7 topped the list in terms of the proportion of out-of-date and vulnerable software that we identified. Next, let’s take a closer look at some of the malware families and campaigns that we noticed over the course of the year. These numbers are pretty similar to previous years, with malware and backdoors being by far the two most common types of infections.

Now you’ll notice a little bit of a percentage overlap here, and that’s because when we scan websites, very rarely is there only one type of malware or backdoor within the environment. Usually there is both malware and a backdoor or SEO spam and a backdoor or phishing and a backdoor. And so there’s a little bit of an overlap there.

In comparison to previous years, both malware and backdoors increased slightly in prominence and SEO spam decreased just a little bit, but they’re mostly consistent with previous years and the proportion of nasty software that we’ve observed in infected environments. Now, in terms of other types of malware that we see here, like hack tools, phishing, defacement and mailers, they’re roughly on par with previous years and we haven’t seen any major shifts in the proportion of those types of malware when compared to those.

Let’s take a look at some of the most interesting and common malware campaigns that we observed. The first of which we’ve called the bootloader injector. This is malware that goes all the way back to 2017, and it is a very aggressive malware campaign done by threat actors who are aggressively exploiting old and new vulnerabilities within software components.

So this is often known as the human verification redirect scam. So what the malware does is it redirects visitors to a website to fake scam pages, which ask you to click to verify that you’re human. But what it actually is, is a drive by download, which tricks users into downloading things like spyware and adware and Trojans and other potentially unwanted programs within onto your workstations.

This malware is very aggressive. It’s been around since 2017 and it’s probably infected over a million websites by now based on our numbers. And this malware often makes use of the same types of obfuscation within their code. The next is SocGholish, and SocGholish malware gained a lot of notoriety among other security companies in recent years, although we’ve been tracking this for quite a few years before that.

This is more commonly known as the fake browser updates malware, and it is commonly the first stage in targeted ransomware infections that affect endpoint workstations, even ones in corporate environments. So essentially these are drive-by downloads which trick the user into downloading a fake Google Chrome update, which is actually a remote access Trojan. So as you know, and users make sure that you’re only installing software and updates from the official source.

This is pretty notorious malware that’s been going on for a very long time. And not only is it one of the most common types of infections, but it’s also one of the most severe in terms of its consequences. Over the course of 2022, it took a few different forms, for a while it was floating around as a fake Cloudflare Human Verification Pop up, but it sort of eventually morphed back into the regular old JavaScript injections that we’ve seen for years.

And credit card skimmers. There was actually some very interesting developments in this year or in 2022 and the previous couple of years, which has been a major shift in the landscape for for Magecart credit card theft malware in terms of actual just big picture numbers, credit card skimmers don’t impact as nearly as many websites as other things such as SEO spam.

However, the consequences for this type of malware can be very dire for website owners. E-commerce website administrators can pay thousands of dollars in fines to companies like Visa if they have a credit card skimming attack on their website left unattended for too long. So this type of malware is usually called magecart, and that’s because it originated on the CMS platform, Magento, which is a dedicated e-commerce platform.

However, since the end of 2019, we’ve noticed that a lot of the malware that was originally intended for Magento environments has been repurposed to affect WordPress websites that use WooCommerce to the point now in looking at our data from 2022, WooCommerce is overwhelmingly what Magecart malware impacts and we can see this demonstrated with the file names and paths on this chart on the right.

So we see that the top four file paths for Magecart infections are all WordPress. We can also see that, you know, through this major TCP IP file and some of the other ones listed here that Magento is certainly still represented and still targeted by attackers. But at this point in time, WooCommerce WordPress websites Eclipse Magento. In terms of just the general sheer number of credit card skimmers that we find in these infected environments.

Interestingly, you can also see that overwhelming only credit card skimming malware affects PHP files rather than JavaScript. We still see JavaScript infections, of course, but it’s overwhelmingly fewer at this point, which will make a really big difference for other security researchers that are investigating magecart infections because these PHP files, they’re not externally viewable. You cannot view them in your browser.

So this is going to have a really huge impact on other magecart researchers looking into these types of infections. Next, let’s take a look at the distribution of backdoors that we’ve identified within compromised environments. So again, you know, over two thirds of infected websites contained a backdoor and also that that number will increase if you also consider malicious administrator users to be backdoors, which they essentially are the top three most common types of backdoors that we observed in infected environments were remote code execution backdoors, web shells and uploaders.

Remote code execution backdoors are very popular among attackers because it gives them a lot of control and leeway over their ability to infect environments and it gives them a lot of control over what they can do when they gain a foothold in an environment similar to web shells as well. It gives them a lot of control. A web shell will give the attackers pretty much full control over the file system, the databases and even processes running within the environment, which can cause very aggressive infections that can be very difficult to deal with.

And of course, good old fashioned uploaders allow attackers to upload other types of malware like phishing pages and other sorts of things. It’s also very common for attackers to put backdoors into random or obscure file paths. So if you’re just a regular website administrator that’s trying to deal with an infection, it can be very tricky because attackers can sometimes upload hundreds of backdoors into an environment and if you miss one of them, then they’ll be back and they’ll reinfect the environment.

So it can be very, very cumbersome and very challenging for average website owners to deal with a website infection in a thorough manner. That’s also kind of a testament to the importance of having good file integrity monitoring and having a good security posture in general. When you’re operating a website. Let’s next take a look at SEO spam. So this was the third most common infection overall and over half a million websites were identified with having an SEO spam infection by our site check tool over the course of the year.

In fact, just about half of all infected websites contain some sort of spam. Spam infections, of course, aren’t as devastating as a credit card skimming attack, for example, but they’re still a massive nuisance for website owners, especially if you’re concerned about your SEO as a website admin. If Google finds spam on your website, it can be devastating for your search results and for your SEO rankings.

And so it’s very important to have a good security posture and prevent the attackers from affecting your website with one of these infections. Doorways in particular were very common. Doorways will pollute your Google search engine rankings with thousands or tens of thousands of spammy links, and it can be a major nuisance to get rid of those affected by SEO spam infections.

It can take weeks or longer to fully clean your search results of all these spammy results. So it’s a nuisance to say the least, and the types of spam infections that we saw, or rather the, I guess, keywords that they’re that they’re trying to rank for are pretty much the same as they’ve always been Fake or knock off pharmaceutical products, essay writing, service services, knock off luxury goods, even cracked software and others.

We see the same stuff over and over. It’s basically unchanged from previous years. And what is a website’s report without a special mention of phishing the bane of a web surfer. It wasn’t in terms of absolute numbers, it wasn’t hugely common, but it was still about one out of every ten infected websites that had some sort of phishing on them.

Phishing, of course, is fake login pages created by attackers with the intention of stealing credentials. And the most common types of phishing pages that we saw were for Netflix, Discover, Delta Airlines, Adobe, Microsoft, and of course, PayPal. Attackers will use pre-made ready made phishing kits that they distribute over, you know, wide numbers of websites. And if they can hack your cPanel, sometimes they’ll actually make subdomains like Chase bank dot your website dot com to try to give a little bit more legitimacy to their malware.

Of course, if you’re just a regular web surfer or user, you’ll always just want to make sure that you’re not falling for any social engineering attacks and be very cautious where you enter in your login credentials and just make sure that it’s only on the official websites. So that about does it for the Threat Report webinar. Thanks for joining us.

I want to extend a special thank you to all of the other contributors to the 2022 threat report here at Sakurai. It was a great time working on this report. I always look forward to it every year, working on these now. I think if you can take away one thing from this webinar or this report, I would recommend that it be sort of reflecting on your own security posture, either as a website administrator or just a regular Internet user.

You know, we always have to be nobody wants to deal with security issues or malware, but it’s just kind of a fact that it’s out there and you need to be aware of it and have a good security posture and practice defense in depth to try to take every opportunity and everything that you could possibly do to prevent attackers from infecting your website or your computer.

And I think it’s also very important to remember that as website owners, you’re not just worrying about you and not just worrying about your website, but, you know, a malware infection on your website will impact your customers and it will impact your clients and the visitors to your website. So as website administrators, we have a responsibility to take security seriously.

And I guess as a parting thought, I would suggest that you enable auto updates or automatic updates on your websites, put your site behind a firewall and add to IFAD your log in page. Thanks for joining us.