Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.
Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the required insight to understand what is going on, and how to troubleshoot things when your website is blacklisted.
Get Your Bearing
While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their favicon to be specific, and one was redirecting to the http://bls.pw/ shortener.
- goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
- goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
- goo.gl/24vi1 - http://bls.pw/
A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:
Google just released their Malware Distribution Transparency Report, sharing the amount of sites compromised or distributing malware detected by their systems (Safe Browsing program).
Google’s Safe Browsing program started in 2006 and has since become one of the most useful blacklists for detecting and reporting on compromised sites. They flag around 10,000 different sites per day, and those warnings reach over 1 billion browser users (Chrome, Firefox and Safari).
What is really scary from their report is the amount of legitimate compromised sites hosting malware compared to sites developed by the bad guys for malicious purposes. For example, in the first week of Jun/2013, 37,000 legitimate sites were compromised to host malware. At the same time, they only identified around 4,000 sites that were developed for the unique purpose of infecting people.
Breaking: the NBC site is currently compromised and blacklisted by Google. Anyone who visits the site (including any sub page) will have malicious iframes loaded, which redirect the user to exploit kits (Redkit):
*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Leno's Garage and others.
If you visit it from Chrome or Firefox, you will get the following warning:
Today Google released a nice post: Safe Browsing – Protecting Web Users for 5 Years and Counting. In it they provide a good summary of what they have been up to the past 5 years with their Safe Browsing program.
Here are some interesting data points:
- 600 million users are protected
- 9,500 new malicious websites are found every day
- 12 – 14 million Google Search queries show malicious warnings
- Provide warnings to about 300,000 downloads per day
- Send thousands of notifications daily to webmasters
- Send thousands of notifications daily to Internet Service Providers (ISPs)
We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.
Even the pros are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.
ServerPro boasts over 200,000 clients accumulated over its 10 years in business. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.
If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:
If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.
The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2”, and that domain (rod.gs) is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.
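Both the goo.gl case above and the rod.gs player illustrate the same blind spot: a site gets blacklisted because of a resource it pulls from someone else's host, and the owner never looks at that list of hosts. The following is an added example, not code from the original posts or from Sucuri. It walks an HTML page with the standard library's `html.parser`, collects every absolute URL loaded from a host other than the site's own (script, iframe, embed, object, img, link, source tags, plus short links embedded in inline JavaScript), and reports any host that is not on an allowlist. URL shorteners are always reported, because they hide the real destination. The HTML sample, the site host `example.com` and the allowlist are constructed for the example; the rod.gs and goo.gl URLs in it are the ones quoted in the posts above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that make the browser fetch a resource from another host.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "img": ("src",),
    "link": ("href",),
    "source": ("src",),
}

# Known URL shorteners: the host tells you nothing about the real destination.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}
SHORT_LINK_RE = re.compile(r"https?://(?:goo\.gl|bit\.ly|t\.co|tinyurl\.com)/[\w-]+")


class ExternalResourceScanner(HTMLParser):
    """Collects every absolute URL the page would load from a foreign host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []          # list of (tag, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for wanted in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self._record(tag, value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Short links buried in inline JavaScript (the goo.gl case above).
        if self._in_script:
            for url in SHORT_LINK_RE.findall(data):
                self._record("inline-script", url)

    def _record(self, tag, url):
        host = urlparse(url).hostname      # None for relative URLs -> skipped
        if host and host.lower() != self.site_host:
            self.external.append((tag, url))


def external_hosts(html, site_host):
    """Return {host: [urls]} for every third-party host the page references."""
    scanner = ExternalResourceScanner(site_host)
    scanner.feed(html)
    by_host = {}
    for _tag, url in scanner.external:
        by_host.setdefault(urlparse(url).hostname.lower(), []).append(url)
    return by_host


def suspicious_hosts(html, site_host, allowlist):
    """Hosts that are neither the site itself nor explicitly approved.
    Shorteners are always listed so the operator checks where they really go."""
    return sorted(
        host for host in external_hosts(html, site_host)
        if host not in allowlist or host in SHORTENER_HOSTS
    )


# Constructed sample page (hypothetical site example.com) mixing a legitimate
# CDN script, the goo.gl short links and the rod.gs Flash player from the posts.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="/wp-content/themes/mytheme/css/iefix.sct"></script>
</head><body>
<script>
var a = "http://goo.gl/9yBTe", b = "http://goo.gl/24vi1";
</script>
<embed src="http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2" type="application/x-shockwave-flash">
</body></html>
"""

if __name__ == "__main__":
    approved = {"ajax.googleapis.com"}   # constructed allowlist
    for host, urls in external_hosts(SAMPLE_HTML, "example.com").items():
        print(host, urls)
    print("review these hosts:", suspicious_hosts(SAMPLE_HTML, "example.com", approved))
```

Run it against a saved copy of your own page (fetched with the same user agent a visitor would use, since conditional malware often serves different content to the site owner). Every host it prints is something you are asking your visitors' browsers to trust, and each one can be checked against Google's Safe Browsing lookup before it lands your site on the blacklist.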
If you have any questions about malware, blacklisting, or security in general, send them over to us: firstname.lastname@example.org and we will answer here. For all the “Ask Sucuri” answers, click here
This is an update to our previous post about Google blacklisting. We have some updated numbers to share.
Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?
Answer: This is a very common question. In fact, every time we clear a hacked site, their owner asks us the same question: How long until that scary red warning sign is gone?
To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.
- Average time from submission to removal: 440 minutes (about 7 hours)
- Maximum time: 792 minutes (about 13 hours)
- Minimum time: 290 minutes (a bit less than 5 hours)
On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.
How do you increase your odds of getting cleared faster?
- Make sure to clean everything up!
- Do not remove the infected files, fix them. If you remove them, they will return a 404, and a 404 will delay the verification (even if you need to leave the file at 0 bytes, don’t remove it until after the site is de-listed).
- Follow best practices to increase security on your site so that you minimize the risk of reinfection.
That’s it. Let us know if you have any questions or comments.
Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!
We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:
Suspicious conditional redirect.
Redirects users to: http://sokoloperkovuskeci.com/in.php?g=1105
This is caused by this entry that is added to the .htaccess file of the compromised sites:
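The tell-tale shape of this kind of infection is a RewriteRule whose target is an external URL and whose preceding RewriteCond lines key on who the visitor is (referrer, user agent, cookie, or IP), so that search-engine traffic is redirected while the site owner sees a normal page. The following is an added example, not code from the original post or from Sucuri, and the .htaccess sample inside it is constructed to show the pattern; it is not the entry found on the GoDaddy sites, and `redirect-target.invalid` is a placeholder host. The function reads an .htaccess file, pairs each RewriteRule with the RewriteCond lines that apply to it, and reports rules that send visitors off-site under a visitor-dependent condition. It also reports ErrorDocument directives pointing at an external URL, a second common hiding place for redirects.

```python
import re
from urllib.parse import urlparse

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
ERRDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)

# Server variables that describe the visitor rather than the requested file.
# A redirect that depends on one of these is "conditional" in the sense above.
VISITOR_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "REMOTE_ADDR"}


def _is_external(target, site_host):
    """True when the target is an absolute URL on a host other than the site's."""
    host = urlparse(target).hostname
    return host is not None and host.lower() != site_host.lower()


def find_conditional_redirects(htaccess_text, site_host):
    """Return a list of findings, each a dict with line, kind, target, conditions."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they govern
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(2)
            conds, pending = pending, []   # conditions apply only to the next rule
            triggers = [c for c in conds if c[1] in VISITOR_VARS]
            if _is_external(target, site_host) and triggers:
                findings.append({
                    "line": lineno,
                    "kind": "conditional-redirect",
                    "target": target,
                    "conditions": [f"{var} {pattern}" for _, var, pattern in triggers],
                })
            continue
        m = ERRDOC_RE.match(line)
        if m and _is_external(m.group(2), site_host):
            findings.append({
                "line": lineno,
                "kind": "external-errordocument",
                "target": m.group(2),
                "conditions": [f"status {m.group(1)}"],
            })
    return findings


# Constructed sample: a normal WordPress block followed by an injected
# referrer/user-agent conditional redirect and an off-site ErrorDocument.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|msnbot) [NC]
RewriteRule .* http://redirect-target.invalid/in.php [R=302,L]
ErrorDocument 404 http://redirect-target.invalid/404.php
"""

if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, "example.com"):
        print(f"line {f['line']}: {f['kind']} -> {f['target']} when {f['conditions']}")
```

The WordPress rules are not reported: their conditions test the requested file, not the visitor, and their target is a local path. In practice, run this over every .htaccess in the document root (shared hosts often carry several, and an injected one in a subdirectory is easy to miss), and compare the file's modification time with your last legitimate change.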