Simplifying the language of website security

Screen Shot 2014-07-09 at 3.40.59 PM
A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.

After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.

That’s for big websites, right?

Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”

Tony and I were floored when he told us that. But should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.

We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we also have an obligation to translate the language of website security so that website owner’s everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.


Read More

Phishing Tale: An Analysis of an Email Phishing Scam

Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time to time.

Here’s where the story begins:

Today, among all the spam that I get in my inbox, one phishing email somehow made its way through all of my block rules.

Spam email in our security team's inbox

Even our security team gets SPAM from time to time.

I decided to look into it a little further. Of course, I wanted to know whether or not we were already blocking the phishing page, but I also wanted to investigate further and see if I could figure out where it came from. Was it from a compromised site or a trojanized computer?

The investigation started with the mail headers (identifying addresses have been changed, mostly to protect my email ☺):

Blog1

The headers tell us that miami.hostmeta.com.br is being used to send the spam. It’s also an alert that some of the sites in this shared server are likely vulnerable to the form: X-Mailer: PHPMailer [version 1.73]. I decided to look into the server and found that it contained quite a few problems. This server hosts about twenty sites, some of which are outdated–WordPress 2.9.2 is the oldest–while others are disclosing outdated web server versions (Outdated Web Server Apache Found: Apache/2.2.22) and still others are blacklisted (http://www.siteadvisor.com/sites/presten.com.br). This makes it pretty difficult to tell where the spam came from, right?

Luckily, there’s another header to help us, Message-ID:. nucleodenegociosweb.com.br is hosted on miami.hostmeta.com.br and it has an open contact form. I used it to send a test message and although the headers are similar, the PHPMailer differs:

Blog2

What Do We Know Now?

We know who is sending the phishing messages, but what host are they coming from? There are some clues in the message body:

blog3

From that image, we can see that http://www.dbdacademy.com/dbdtube/includes/domit/new/ is hosting the image and the link to the phishing scam, but it doesn’t end there. As you can see from the content below, we’ll be served a redirect to http://masd-10.com/contenido/modules/mod_feed/tmpl/old/?cli=Cliente&/JMKdWbAqLH/CTzPjXNZ7h.php, which loads an iframe hosted on http://www.gmff.com.hk/data1/tooltips/new/.

Here is the content:
Phishing email

Problem Solved. Or is It?

In this case, there are three compromised sites being used to deliver the phishing campaign and it’s becoming very common to see this strategy adopted. The problem, from the bad guy’s point of view, is that if they store all of their campaign components on one site, then they lose all of their work when we come in and clean the website. If they split the components up and place them on multiple sites, with different site owners, then it’s unlikely that all of the sites will be cleaned at one time, which means their scam can continue.

As always with malware, it’s not enough for your site to be clean. You also need to rely on everyone else to keep their own site clean. When others don’t, your computer or website can be put at risk.

If you’re interested in technical notes regarding the type of research we do be sure to follow us on Twitter and be sure to check in with our Lab Notes. If you something interesting you’d like us analyze please don’t hesitate to ping us, we’re always looking for a new challenge.

Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware

As your site’s webmaster, have you ever seen an e-mail from Google like this:

Hello,

We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will also be disapproved.

Here’s what you can do to fix your site and hopefully get your ad running again:

1. Make the necessary changes to your site that currently violates our policies:
Display URL: site.com
Policy issue: Malware
Details & instructions:

2. Resubmit your site to us, following the instructions in the link above….

If so, you know the potential downside risk this poses for your website. In their own words, Google says,

In some cases, you may be unaware that you have malware on your site. But to protect the safety and security of our users, we stop all ads pointing to sites where we find malware.

In essence, Google and Bing care about their searchers more than your business so, to protect their customers, they’ll shut your website out of Adwords and Bing Ads and will return your site less in organic searches.

Often overlooked in the search business is the role of the actual search engine in the ad placement process. These are businesses that specialize in creating algorithms to show relevant search results, assigning quality scores to your landing pages and placing your actual ads. A lot goes into the process, but in all cases, the key for the search engine is to show relevant search results (including ads) that keep people using their search engine. It is in this spirit that search engines like Google and Bing reserve the right to refuse your ads. This is especially true if they have any reason to believe that your site may be infected with malware–including viruses, worms, spyware, and Trojan Horses–or is being used in phishing schemes.

From the search engine’s perspective, this makes perfect sense. Searches are their lifeblood and there are other search engines a person could use to find websites. By showing your ads or returning your site organically in a search, they are tacitly telling the searcher, “We found these sites to be relevant to you.” If they start sending you to sites that are potentially harmful, then a searcher could, potentially, switch search engines.

However, knowing why search engines work as they do doesn’t make it easier to be a webmaster when a site is hacked. Luckily, our clean up and malware removal tools as well as our de-blacklisting service are just a click away.

Or, better yet, keep yourself from ever getting an email like the one above from Bing or Google. Instead, protect your site, and business, from potential problems stemming from malware, blacklisting or phishing and look into protecting your site with a website application firewall like our CloudProxy WAF .

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearing

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

Sucuri  Sizzle CSS Selector Engine Modified III

Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).

Google’s Safe Browsing program started in 2006 and since has become one of the most useful blacklists to detect and report on compromised sites. They flag around 10,000 different sites per day, which are being used for over 1 billion browser (Chrome, Firefox And Safari) users.

What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.


Read More

NBC Website HACKED – Be Careful Surfing

Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Lenos garage and others.

Screen Shot 2013-02-21 at 11.15.51 AM

If you are visiting it from Chrome or Firefox would get the following warning:

Screen Shot 2013-02-21 at 11.18.14 AM

Read More

Vote SPAM For President: New Election Tactics or Same Old Tricks?

The United States presidential campaign is going full force, and it’s been a doozy. We don’t typically get involved with political situations, short of cleaning some of the crazy defacements we see, this is an exception.

Vote Spam
This election campaign has brought its typical bashing via commercials, the usual rhetoric we see in interviews, and even those cool vote for (plug in your favorite candidate) stickers. My personal favorite was the vice presidential debate which left me feeling like I was on the grade school playground making faces and sticking my tongue out at the resident bully.

Times have adapted a bit, and the tactics have changed along with the advancements in communications, and social interaction. Twitter discussions boasting crazy statistics, Facebook posts about how awesome each candidate is, all of these have even spawned interesting debate and discussion in my own social groups.

Apparently, the crazy and debatably bad tactics stem beyond the historical mediums into our lovely world of geek. I guess it was only a matter of time.

We have drummed up a couple of theories on how this happened, ultimately it’s up to you to decide. More on that at the end.


Read More

Dealing with WordPress Malware

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

Google Safe Browsing Program 5 Years Old – Been Blacklisted Lately?

Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.

Here are some interesting data points:

  • 600 million users are protected
  • 9,500 new malicious websites are found every day
  • 12 – 14 million Google Search queries show malicious warnings
  • Provide warnings to about 300,000 downloads per day
  • Send thousands of notifications daily to webmasters
  • Sent thousands of notifications daily to Internet Service Providers (ISPs)


Read More

Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:

Read More