Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.

Why Websites Get Hacked

I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up:

Why would anyone ever hack my website?

Depending on who you are, the answer to this can vary. Nonetheless, it often revolves around a few very finite explanations.

Automation is Key

Understand that the attacks affecting a large number of website owners in the prosumer (a term I’m using to describe those website owners in micro- small – and medium sized business space leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012, it’s important to revisit the subject as it’s still very relevant today.

The benefits of these automated attacks have not changed, they still provide the attackers the following benefits:

  • Mass Exposure
  • Reduces overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success

It is not to say that these attacks are never manual, but for the mass majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence I am referring to the order of events an attacker takes to compromise an environment.

A very simple illustration of the sequence would look something like:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time would be with the deployment of scripts and bots during steps one and two. Although not always a manual process, steps three and four often have a tendency to have more manual elements to them, although many can be automated as well. While thinking of how these attacks occur, it is important to note the two forms of attack categories; attack of opportunity and targeted attack.

Attack of Opportunity

Almost all prosumers fall within the realm of opportunistic attacks. Meaning that it is not any one individual that is intentionally trying to hack your website, but rather a coincidence. Something about your site was caught by the trailing net as they randomly crawl the web. It could have been something simple like having a plugin installed, or maybe displaying the version of a platform.

In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website, the only commonality is that it is connected to the web.

These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (i.e. WordPress, Joomla! etc.)? If yes, is the website running any exploitable software (i.e. software vulnerabilities or bugs in code that can be exploited)? If the answer is yes, then the site will be marked for the next phase of the attack, exploitation.

The sequence of events can happen in a matter of minutes, days or months. It is not a singular event, instead it occurs continuously, always scanning for changes or updates. It is automated, therefore, once your website is on the list it will just continue trying.

Targeted Attack

This is often reserved for the larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack.There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially more difficult but the gains can be astronomical. That being said, a very common form of targeted attack can be seen in something known as a Denial of Service attack in which the attacker works to bring down the availability of your site – common between competing businesses.

With that in mind, targeted attacks are not always reserved for the big boys. They can be deployed against smaller sites and can be driven by competition or pure boredom and the need for a challenge. These attacks can range from very simple to very complex as well.

Hacking Motivations and Drivers

Now that we have a better appreciation for the How, let’s turn our attention to the Why. That is why you are reading this.

Economic Gains

The most obvious of the reasons is economic gain. This often manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.

A Drive-by-download is the act of deploying what is known as a payload (i.e. injecting your website with malware) and hoping to infect as many of your website visitors. Think of your mom or dad visiting your website and the next thing you know, they are calling you because they installed a fake piece of software like you recommended on your website, but this time their bank accounts were drained. Scary, but very real and very devastating.

Blackhat SEO spam campaigns are not as devastating, however, in many instances can be more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This is rampant in the pharmaceutical space, but has also extended to other industries like gambling, fashion and many others. What they do is inject links through your website, sometimes you see them, sometimes you won’t. On the contrary, when it comes to search engines like Google or Bing, they see everything and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.

System Resources

There is one motivator, the use of your resources, that many don’t talk about. When referring to resources, I am talking about things like bandwidth and physical server resources. I break this out as its own motivator, but it’s also a group under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they’re able to not only use it as part of their own networks, but build a leasing environment off your stack.

You have likely heard of large botnets and I have also referenced them above. Botnets are nothing more than interconnected systems across the net; they can be desktops, notebooks and even servers – similar to your webserver. They can be employed to perform tasks simultaneously. These can include Denial of Service Attacks, Brute Force Attacks, or even some of the automated attacks mentioned above.

These attacks that target your system resources are dangerous mainly because of their ability to attack without you, the website owner, even realizing it. You go about your day with no worries with your website appearing to be in good standing and with no complaints. Then one day out of the blue, your host shuts you down, your usage bill is through the roof or you receive a notice from the authorities about your hacking attempts.

Hacktivism

This motivator is perhaps the one that’s the hardest to contend with when it comes to getting your head around it. Similar to others, the drivers for these attacks are monetary or abusive. However, they are more finding a way to protest around a religious or political agenda or to show off to peers within the hacking community.

A very common form of this can be identified with Defacements. The point of these attacks often comes down to some form of awareness. This form of attack can be combined with others, but in our experience often are somewhat benign and create more embarrassment to the site owner rather than affecting their users.

Pure Boredom

Something that always catches folks off guard is the idea of people attacking website out of boredom and amusement, but it’s very true. It’s unfair to say they are always young, but a good percentage of the teim they are teens bored at home.

There really isn’t much to say about this other than, put your kids into sports!!

Good Security Begins with Good Posture

It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly. I assure you they happen more often than note, and Google agrees being they blacklist close to 10,000 sites a day for malware and flag over 20,000 sites for phishing a month.

Bruce Schneider likes to say:

as a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.

It is a very true and a very sad sentiment that I have to agree with. It becomes very evident when I speak with website owners and they say, “I have had a website for 10 years, never been hacked, I don’t need to worry about it.” Those also always make for the most interesting and painful conversations when the hack does occur. Some go as far to accuse us, “I was fine then hear you speak, or read your post.” A bit over the top, I agree, but it gives you a very small window in the state of mind once the hack does happen.

I like to think of website security in the form of posture. It is through good posture that you position yourself for success. I take this from my Brazilian Jiu jitsu training, where its through posture that you can help prevent positions that would see you in a lot of pain.

Remember, security is not about risk elimination, but rather risk reduction. You have heard this time and time again, risk will never be zero. You can, however, employ tools and steps to reduce it where you can so as not to become part of the statistic.

SoakSoak Malware Compromises 100,000+ WordPress Websites

This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru:

Google Blacklisting - SoakSoak.ru

Google Blacklisting – SoakSoak.ru

Our analysis is showing impacts in the order of 100’s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a few months back.


Read More

Understanding the WordPress Security Plugin Ecosystem

This post is available in Spanish (Este post está disponible en español).


As a child, did you ever play that game where you sit in a circle and one person is responsible for whispering something into one persons ear, and that message gets relayed around the circle? Wasn’t it always funny to see what the final message received would be? Oh and how it would have morphed as it was processed and conveyed by each individual in the group.

This is what I see when I look at the WordPress Security Ecosystem.

The biggest challenge the ecosystem faces is product and service confusion. This is compounded by a variety of factors. I often categorize them, generally into two buckets – deliberate and non-deliberate confusion. For me deliberate product confusion comes often by marketeers and those looking to make a quick buck on what they perceive to be the next virtual gold rush. While non-deliberate confusion is introduced by those that mean well, or were once affected, and have come up with a genuine solution that likely addresses a very narrow issue.

An easy way to better appreciate this is to look at the WordPress Security Plugins specifically, as they’re tangible and that makes it easier to truly appreciate the nuances of the security space.

Contrary to popular belief, not all plugins are the same or created equal and you can’t compare them as that would not be an apples to apples comparison.

Interestingly enough, there are often pretty unique differentiating factors between each of the security plugins in the market, although in many cases there are one to one correlations. Human nature is also one of the contributing factors to confusion. As humans we are often configured to go the easiest route. We’re always looking for the one with the biggest audience, or the one that is pushed on us the most. If everyone else is using it, I should too. Rarely do we truly understand or give much thought to this phenomena.

Read More

My WordPress Website Was Hacked

Before you freak out, allow me to clarify. It was one of several honeypots we have running. The honeypots are spread across the most commonly employed hosting companies. From Virtual Private Servers (VPS) to shared environments, to managed environments. In most instances we pay and configure them like any other consumer would so that we aren’t given any special treatment.

Honey Pot Systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system… A Honey Pot system is set up to be easier prey for intruders than true production systems but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the Honey Pot can be monitored and saved. – SANS

Our goal is simple; we want to better understand the dynamic nature of website security and continue to analyze and interpret attackers’ intentions. Having live sites that we allow to get hacked also keeps us sharp in terms of how we respond to these intrusions and, if we’re being completely honest, helps us to better understand the emotions that a website owner, like yourself, might go through. Between you and I though, it really gets us excited.. almost as excited as a spider when they feel their web vibrating as their prey struggles to free itself.. but I digress..

Sucuri - My Website was Hacked - Defacement

Sucuri – My Website was Hacked – Defacement



Read More

Backups – The Forgotten Website Security Pillar

I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads – namely website security education and awareness. In these travels, regardless of whether I’m speaking with a WordPress, Joomla, Drupal or another community, there are always common questions like, “How important is it to proactively protect my environment,” or, “How can I fix my environment after it’s been hacked?” Of course, those are really important questions, and as the CEO of a company that meets those needs, I’m more than happy to answer those big questions. But as I’ve traveled the country and answered those questions, I’ve noticed a fundamental lack of understanding of a more basic security need: backups, specifically how backups fit into the security spectrum.

Sucuri - Security Pillars

It’s very easy to get bogged down in the minutiae that makes up your website’s security, but as with everything, having a great foundation will provide the security required when everything else fails.


Read More

Responsible Disclosure – Sucuri Open Letter to MailPoet and Future Disclosures

Many don’t know who I am. My name is Tony Perez, I’m the CEO of Sucuri. I have the pleasure of calling this company my family and everyday I work for every person at this company. My partner is Daniel Cid. He is one of the foremost thought leaders in the website security domain, his influence extending far beyond the communities that make up some of the most popular CMS applications today.

Together we are building one of the fastest growing Website Security companies in the domain, we have one simple mission, to create a safer web. We are a technology company built by technologists with a special, quirky, idea that we can make a difference.

Many don’t realize that the bedrock of our business is Research, all facets of research. It’s how we stay ahead of the bad guys, or attackers. It’s a responsibility we have, not just to the general public, but one that we owe to our clients – in basic terms, it’s what they pay us for. It’s how we ensure our tools and technologies stay ahead of the rest and what makes us the ideal solution for every website owner, our commitment to the Website Security domain.

This has come to head recently from the huge debacle over the past few weeks in which we reported a very serious vulnerability in the WordPress MailPoet Plugin (WHYSIJA-NEWSLETTERS). In the coming days the attackers proceeded to identify, then begin to exploit the disclosed vulnerability.

Frankly put, the entire situation was very unfortunate.

Some Background on the Recent MailPoet Issue

Here is a more accurate timeline on the order of events:

  1. 2014, Jun 16: Notified MailPoet of the vulnerability, provided patching recommendations.
  2. 2014, Jun 16: MailPoet team replied and said they were working on a fix.
  3. 2014, Jun 18: Notified Sucuri that they had fixed the bug and would released a patch soon.
  4. 2014, Jul 01: The MailPoet team updated WP.org with the new release.
  5. 2014, Jul 07: MetaSploit Module released for the Vulnerability

The total order of events from took 15 days.

Upon release of the blog post the MailPoet team did contact us to express their discontent with our actions, and this was our response in the interest of transparency:

As far as disclosing the vulnerability, this is quite a common practice and the correct way to bring awareness to a security issue. A good example of a perfect security disclosure was done by the Automattic team with JetPack:

http://jetpack.me/2014/04/10/jetpack-security-update/

As soon as they released a patch, they notified all users and contacted multiple blogs to ask them to urge everyone to upgrade.

I imagine you are worried about brand impact, but every piece of software will have bugs and security issues at some point. It rarely has any brand impact and if you respond properly, it can have the opposite effect and be very good for you plugin and team reputation. The “We had an issue, we fixed and it won’t happen again” type of message that your users would prefer to hear from you than from some external blog.

As for us, we don’t do that for publicity. It is just part of our research and work that we do every day. Even before Sucuri started, we were auditing code and disclosing security issues. Our goal is to be ahead of the bad guys to protect our clients and help the web at a whole.

I leave it for you all, unedited.

Open Letter to MailPoet

As to be expected, the MailPoet team is pretty pissed off as it would be expected. So pissed in fact that they felt compelled to question our intent and whether we shared the same goals, so let’s talk about that for a minute.

Are we sure we are all aiming for an open, safe web in the WordPress community?

In an effort to provide some peace of mind and transparency in our thought process, please read this open letter to MailPoet:

Hi Mailpoet Team

First and foremost, I am sorry for the troubles you have been experiencing as of late.

Second, I did want to take a minute to clarify a few points to avoid speculation:

1 – Let’s start with reasonable time:

MailPoet Post: It’s common practice among software security circles to disclose bugs privately with software companies, then get a reward, credit and the possibility to write about it, given a reasonable amount of time to fix it.

You see, it’s all about a reasonable amount of time.

Responsible disclosure is about time to patch. That is what we provided. We disclosed only after your organization patched and made it publicly available.

Responsible disclosure has nothing to do with providing reasonable time after the patch to wait before disclosing publicly. Especially when you look at how the issue was highlighted, or lack there of in the change log.

Sucuri - MailPoet Security Disclosure

Nothing highlighted the seriousness of the issue, so we did. That’s what we feel is our responsibility. It’s buried and lacks any emphasis, it’s why so many in the security business subscribed to Full Disclosure (i.e., https://www.schneier.com/blog/archives/2007/01/debating_full_d.html)

This was a very serious vulnerability, one that deserved attention and we did so after it was patched, as is expected and is the norm.

2 – In regards to this:

MailPoet Post: effectively giving no time to users to upgrade their MailPoet version

It’s arguable that the only reason many updated their plugins when the patch was released was because of our public release and our ability to reach 100’s of thousands of WordPress Website owners. We were also able to make contact with hosts, managed host, and development shops.

3 – In regards to this:

MailPoet Post: before posting a detailed technical disclosure

We did not post a detailed technical post. We did not share a Proof of Concept which is actually very standard, we did reference elements that we felt had a greater impact than the ecosystem in which your plugin currently operates. Here is a snippet of the technical description you are alluding too:

Sucuri Post: Because of the nature of the vulnerability, specifically it’s severity, we will not be disclosing additional technical details. The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.

As you know, we also did not disclose any Proof of Concepts. We directed all those requests to your team to handle at your discretion.

4 – I presume this is meant to be a direct attack at us:

MailPoet Post: Are we sure we are all aiming for an open, safe web in the WordPress community?

If I misinterpreted the intent here, please do let me know. You are right though, our ambitions are much larger than the WordPress community, we’re pursuing a safer web we as a whole regardless of platform.

Again, I personally apologize and empathize with the struggles you have endured over the past week or so. Your struggles were not our intent, and not our driving force. Before this incident we had no relationship and had no interest in the space you are in.

That being said, if it ever becomes an issue in the future, for you or any other developer, we will follow the same protocol that we used with MailPoet.

All the Best,

Tony and Daniel

One small note, you mentioned:


There’s a difference between warning users and disclosing a 0 day vulnerability to the entire world on the same day of the bugfix release.

Small point of clarification, Zero Day vulnerabilities are those that are released and have no patch. Your vulnerability was patched, hence not being a Zero Day anymore.

Creating a Safer Web

Yes, in case you’re wondering, this is but the tip of the iceberg for us.

We will be proactively researching security issues across the wide spectrum that is Website Security. From CMS applications like WordPress, Joomla, osCommerce, vBulletin, etc… to web servers like Apache, NGINX, Windows IIS, and more. As stated before, it’s what makes us who we are and the responsibility we have to our clients as well as the wider audience of the web as a whole.

The time to be more proactive in our research and overall contribution to the web is now, not tomorrow or the day after. We stand fast in our convictions and will continue to push forward. Remember our responsibility is not the developers and designers, but the millions of website owners, their websites and their businesses.

All the best,

Tony / Daniel

Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning as I was logging into various social networks I was presented with a popup with “XSS on Tweet Deck.” This obviously set every hair on my neck on fire, it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow that had the following javascript code. It would be all good, but TweetDeck wasn’t sanitizing the input which caused the code to execute on the browser.

Screen Shot 2014-06-11 at 9.41.54 AM

This is why, someone injected this into their tweet. When you logged into TweetDeck it triggered the vulnerability:

Screen Shot 2014-06-11 at 9.45.29 AM

As you can see, the XSS attack was set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

Screen Shot 2014-06-11 at 9.56.21 AM

To be safe though, we recommend logging out of Tweetdeck, Revoking Access in your Twitter profile and resetting all connections if you want to continue to use the application.

Screen Shot 2014-06-11 at 9.56.04 AM

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timeliness. Thankfully, the attack is mostly benign and appears to be intended to making a statement than causing harm, but it’s clear example of how the largest of applications can be exploited.

Thumb Wars: Sucuri Acquires Google Webmaster Tools

Today Sucuri unofficially acquires Google Webmaster Tools.

Google Webmaster Tools

In an effort to combine forces of good, Sucuri officials challenged Google to a thumb wrestling war. Here is a breakdown of the event.

Over The Top

In a best-of-5 style tournament, the competition got heated. The underdog had fought well, and stayed in it to win it, they weren’t letting the big dog walk away with this. In what turned into an exciting but nerve recking competition, the tournament was at a 2-2 going into the final match. With great confidence, Matt Cutts from the Google team belted out that, “Google does no harm, but that doesn’t extend to your thumbs.” He was so confident that he bet the ranch, saying “winner takes all, including Google Webmaster Tools”.

The room went silent. You could see sweat on the faces of each of the competitors, no more than on the faces of our trusty Labs team. They knew what this meant. It was go hard now or go home empty handed.

The last match was about to start, and you could see white knuckles showing from the great pressure in grip arrangements. It was time, thumbs were arched, and hats were turned backwards. This could be the very moment where everything changed.

The start was called, and Google aggressively launched their attack, a quick launch sneak pin attack, but the Sucuri competitor saw it a mile away. Google missed their kill shot and Sucuri took advantage with an over-arching attack from the top ropes. Sucuri slammed down with the power of Zeus…Google was in trouble.

Coming to an End

One quick glance to the right and you could see Matt’s face twisted in horror. One quick glance to the left and you could see the Sucuri CTO, Daniel Cid, his face emotionless as he enjoyed his popcorn.

You could see the strain and distress across faces of team Google as they realized what was happening, as they realized how it was about to go down. The tip of their thumb was moving from shades of red to signs of failed purple. The counter by Sucuri was risky, but as strong as Eddie Bravo’s triangle to beat Royler Gracie in 1993. This was epic. You could just imagine what was going through team Google’s mind, “Sergey will never understand”

The crowd. Silent. Almost as if the hand of death had grabbed their shoulder. Stuck in sudden disbelief as to what was transpiring, and in complete anticipation as to what was next.

The referee started to count. It was as if slow motion was being called in slow motion. The ref kept counting, and counting. Then you had it. As quick as it had started, it was over.

Sucuri had won. On the line was Google Webmaster Tools which will now slowly be migrated to Sucuri Labs over the coming weeks.

In this moment of great triumph, the David-sized security firm looks forward to expanding website security efforts to all webmasters across the world, with the inclusion of this Goliath-sized prize.

No Fooling Around

If you’re interested in helping fight the good fight, make sure to check out our open job requisitions.

If you have questions about this fever dream of a completely fake post, please leave them in the comments below.

Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More

New iFrame Injections Leverage PNG Image Metadata

We’re always trying to stay ahead of the latest trends, and today we caught a very interesting one that we have either been missing, or it’s new. We’ll just say it’s new.. ;)

We’re all familiar with the idea of iFrame Injections, right?

Understanding an iFrame Injection

The iFrame HTML tag is very standard today, it’s an easy way to embed content from another site into your own. It’s supported by almost all browsers and employed by millions of websites today, use Adsense? Then you have an iFrame embedded within your site too.

Pretty nifty, I know. Like with most things though, the good is always accompanied with the bad.

Read More