Our Remediation group is made up of two distinct teams, the Incident Response Team (IRT) and the Malware Research Team (MRT). These teams work closely with our customers to identify and remove website infections, including malware, SEO spam and the many other malicious actions attackers take once they have successfully penetrated a website's defenses. It is through these teams that we stay in tune with emerging website threats while offering our customers the most efficient remediation services.
This group currently remediates a little over 500 infected websites a day, 7 days a week. With this kind of volume, we thought it was time we analyzed the data. So we did! Focusing on January through March, Quarter 1 of 2016, we profiled the types of open-source CMS applications in our network and how many were out of date at the time of infection, and placed special emphasis on the types of infection payloads attackers are using. With this information, we have prepared our first Website Hacked Report 2016 (Quarter 1).
Our analysis covered more than 11,000 infected websites for which we had sufficient data. We feel this is a representative sample, and over time it will prove more impactful when we look at the year as a whole.
The four open-source Content Management Systems (CMS) we focus on in the report are WordPress (78%), Joomla! (14%), Magento (5%) and Drupal (2%). The report also shows some historical trends, such as 196% growth in Magento infections between 2015 and Q1 2016.
We dive into the out-of-date software data, specifically the state of a website at the time it goes through our cleanup process. One notable finding is that WordPress installations were out of date 56% of the time, but that is modest compared with Joomla! (85%), Magento (97%) and Drupal (81%).
We also look briefly at the extensible components (plugins) within the WordPress platform, since WordPress makes up the largest share of our sample (75%), and place special emphasis on the top three plugins contributing the most issues, which together account for 25% of the contributing vectors we are currently seeing.
We also focused on understanding what attackers do once they have successfully compromised a website: the types of malware they deploy and the nefarious actions they perform once they have penetrated a website's defenses.
We break the infections down by the specific malware families we identify. It has been interesting to see the rise of Search Engine Poisoning (SEP) attacks, in which attackers inject SEO spam into a website to target its Search Engine Result Pages (SERP). SEO spam was found on 32% of the sites, while backdoors were found on 68% of them.
New Website Security Report
I’m especially proud of our ability to share this information with the greater website security industry, and I hope you find it insightful. I already have thoughts on ways to improve it in the future, but I look forward to your thoughts as well. I would really appreciate it if you took some time to read it and shared it if you find it valuable.
For our next report, we have already updated our systems to start tracking more pertinent data that we feel will be more actionable for all website owners. My hope is that we can double, if not triple, our sample base with more consistent and relatable datasets.