
Sucuri Blog


Labs Notes Monthly Recap – Nov/2016

December 16, 2016 | Estevao Avillez

Time for another monthly recap! If you haven’t seen the other monthly recaps, make sure to check out October and September. Our malware research and incident response teams publish technical content in the Sucuri Labs Notes. The knowledge and recommendations are useful to keep your website and visitors safe.

This month we saw a large variety of cases being analyzed by our team, including some interesting SEO spam techniques, malware-injected databases, and conditional malware targeting specific mobile platforms.

Credit card skimmers are the primary issue we have been writing about, especially with the holidays getting closer. More online shopping means more opportunities for attackers to get access to credit card information.

Geo location and Credit Card Data Stolen from Magento

Krasimir Konov

Normally we see credit card details being stolen and emailed to attackers, or stored in a text file on the server. We have raised awareness about these types of ecommerce hacks in the past. Here we are seeing geo-location information (IP Address, Country, Region, City) added as a malicious variable, $datasend, along with sensitive credit card info.

Magento hackers are specifically using the mail() function on compromised servers. An integrity monitoring service can easily detect the file modifications and allow for quick recovery of hacked Magento sites.

Read More

Spam SEO Injector Circumventing Defense Techniques

Luke Leal

Here we analyze a hack that adds a rewrite rule to the .htaccess file, which causes an SEO spam payload to be delivered to certain visitors who request HTML files in a specific directory.

By checking the request headers for IP addresses, HTTP referrers, and the HTTP user agent, the spammers can serve the spam only to visitors coming from search engines. If the prerequisites aren’t met, the spammers send the visitors to their affiliate link instead of the SEO spam content.

These attackers included a function which prevents many security plugins and extensions from mitigating the attack. If the security tool uses the file extension .suspected to quarantine suspicious files, the malware will change the file back to a PHP extension.

Read More

Malware DB Injection Called via Theme File

Krasimir Konov

Most often we find SEO spam hidden and generated within the file structure. In this post, we analyze a well-hidden database injection inside the themes_config option of a WordPress database. The malware is loaded from the database using the get_option() function inside a theme file. From there, the script injected into the database checks the referrer and user-agent headers so that only specific visitors receive the spam content.

Using a good website firewall can help prevent this kind of database injection from happening in the first place.
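A quick way to hunt for this class of injection is to scan wp_options values for PHP code rather than trusting the file system alone. The script below is an added example, not code from the Labs note or from Sucuri's tools; the sample rows, the Googlebot string and the payload are constructed for illustration.

```python
import re

# Patterns that should never appear inside a legitimate wp_options value.
# A PHP open tag, an eval()/decoder chain, or a check on request headers is the
# tell-tale sign of a database-stored payload that a theme file later executes
# via get_option().
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\?php", re.I), "php open tag"),
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I), "decoder"),
    (re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_(USER_AGENT|REFERER)['\"]", re.I),
     "request header check"),
]


def scan_option(name, value):
    """Return the labels of every suspicious pattern found in one option value."""
    return [label for rx, label in SUSPICIOUS_PATTERNS if rx.search(value)]


def scan_options(rows):
    """Scan (option_name, option_value) pairs and return {option_name: [labels]}
    for the rows that matched at least one pattern."""
    hits = {}
    for name, value in rows:
        labels = scan_option(name, value)
        if labels:
            hits[name] = labels
    return hits


# Constructed sample rows (not taken from a real site): two benign options and a
# themes_config value carrying a header-gated payload like the one described above.
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("themes_config",
     "<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) "
     "{ eval(base64_decode('PHA+c3BhbTwvcD4=')); }"),
]

if __name__ == "__main__":
    for option_name, labels in scan_options(SAMPLE_ROWS).items():
        print(f"{option_name}: {', '.join(labels)}")
```

Feed it the output of a `SELECT option_name, option_value FROM wp_options` export and review every flagged row by hand; serialized theme settings can legitimately contain HTML, but never a PHP open tag or eval().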

Read More

The Tale of a Malicious Stored Procedure

Douglas Santos

Most database injections are related to spam, but in this case our analysts found a stored procedure in the database. When executed, it writes a PHP uploader into WordPress using the fake filename wp-includes/class-wp-change.php.

If anyone attempts to remove the file, the stored procedure in the DB regenerates the file. This allows the attackers to retain access to the site and continue their malware campaign. We are seeing a lot of self-replicating malware like this, which makes it difficult for admins to clean their infected sites.

Read More

Malware Targets Mobile Platforms

Cesar Anjos

Spammers use conditional malware that detects the type of device that users are browsing on in order to deliver mobile-specific malvertising and web spam. We look at a malware injection inside a WordPress header.php file that redirects users to malicious mobile downloads and pop-up spam.

Our free online scanner SiteCheck runs several scans to emulate different user agents. This allows you to detect problems on your site that may only be visible to visitors coming from certain countries, browsers, referrers, and devices.

Read More

Multiple UNIX Users Symbolic Link Injector

Yuliyan Tsvetkov

This malware infects Linux servers. It first confirms that the server is running Linux with the symlink function enabled in the PHP engine, then injects symbolic links into every home folder. We are seeing this campaign being used for defacements via a .htaccess redirect.

On a shared server, this infection can quickly spread to all sites on the server through these symlinks.

The infection avoids detection and blacklisting by search engines because it redirects requests from those user agents to a 404 page.
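On a shared host the fastest way to spot this injector is to audit every symlink under /home and flag the ones that resolve outside the home directory that contains them. The script below is an added example (not from the Labs note or from Sucuri); it builds a constructed two-user fixture in a temporary directory so it runs without touching a real server, and assumes the conventional one-directory-per-user layout under a single root.

```python
import os
import tempfile


def audit_home_symlinks(home_root):
    """Walk each home directory under home_root and report symlinks whose target
    resolves outside that home directory. Returns [(link_path, resolved_target)]."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home) or os.path.islink(home):
            continue
        real_home = os.path.realpath(home)
        # followlinks=False: never descend through the injected links themselves
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                if os.path.commonpath([real_home, target]) != real_home:
                    findings.append((path, target))
    return findings


def build_sample_tree():
    """Constructed fixture (not a real server): two home directories, one benign
    in-home symlink and one cross-home link of the kind the injector plants."""
    root = tempfile.mkdtemp(prefix="homes_")
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(root, user, "public_html"))
    with open(os.path.join(root, "bob", "public_html", "index.html"), "w") as fh:
        fh.write("<html></html>")
    # Benign: alice points a www alias at her own public_html.
    os.symlink(os.path.join(root, "alice", "public_html"),
               os.path.join(root, "alice", "www"))
    # Malicious: a link inside alice's webroot exposes bob's site.
    os.symlink(os.path.join(root, "bob", "public_html"),
               os.path.join(root, "alice", "public_html", "bob"))
    return root


if __name__ == "__main__":
    for link, target in audit_home_symlinks(build_sample_tree()):
        print(f"cross-home symlink: {link} -> {target}")
```

Dangling links are reported too, because realpath() returns the unresolved target path, which is also outside the home directory.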

Read More

Malicious Routine Stealing WordPress Credentials in the Wild

Douglas Santos

We have covered a few incidents where attackers steal login credentials to a website and either email them to themselves, or store the credentials in a file on the server.

This time, we look at a piece of malware that sends the compromised login and password to an external site controlled by the attacker. Rather than using the mail() function or creating a curl request, the attackers injected a single line of malware into the wp-login.php file. That line uses file_get_contents() to post the username and password, encoded in base64, to the remote website, which makes it easy to overlook.
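Both this one-line wp-login.php injection and the Magento mail() skimmer and regenerating wp-includes/class-wp-change.php file discussed above are changes to files that should never change outside an update, which is exactly what the integrity monitoring recommended earlier catches. The script below is an added example of such a baseline-and-diff check (not Sucuri's monitoring code); the webroot it hashes is a constructed temporary fixture with placeholder file contents.

```python
import hashlib
import os
import tempfile


def hash_tree(root, exts=(".php",)):
    """Return {relative_path: sha256_hex} for every file under root matching exts."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare a stored baseline with a fresh hash map; report added, removed and
    modified paths so that a dropped uploader or an edited core file stands out."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def build_sample_site():
    """Constructed fixture standing in for a webroot (placeholder bodies, not real
    CMS code). Returns (root, baseline) with the clean files already hashed."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "wp-includes"))
    files = {"wp-login.php": "<?php\n// login handling\n",
             "wp-includes/class-wp-user.php": "<?php\n// user class\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root, hash_tree(root)


def simulate_compromise(root):
    """Mimic the two changes described above with inert placeholders: a line
    appended to wp-login.php and a new file dropped into wp-includes."""
    with open(os.path.join(root, "wp-login.php"), "a") as fh:
        fh.write("// injected line placeholder\n")
    with open(os.path.join(root, "wp-includes", "class-wp-change.php"), "w") as fh:
        fh.write("<?php\n// dropped file placeholder\n")


if __name__ == "__main__":
    site, baseline = build_sample_site()
    simulate_compromise(site)
    print(diff_baseline(baseline, hash_tree(site)))
```

Store the baseline somewhere the web server cannot write to; a self-replicating stored procedure can recreate the file, but it cannot make the hash match.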

Read More

Unwanted Sex Toys Advertisement

Eugene Wozniak

This incident affected an HTML-based website. Normally we write about malware affecting a particular CMS, but in this case it is a static site suffering from the infection. It’s important to note that these sites are also targets of attacks.

The website was showing unwanted floating banners advertising sex toys. The malware itself used JS Packer compression to obfuscate the payload, and could be injected into several HTML pages on the website.

Read More

New Version of Magento Credit Card Stealer in the Wild

Cesar Anjos

Credit card stealers continue to evolve and put ecommerce sites at risk. This new variant of malware intercepts credit card data being sent to PayPal by the Magento file app/code/core/Mage/Paypal/Model/Direct.php.

We recognized the Gmail account as belonging to the same attacker who has received stolen credentials in the past.

Another variant uses the file app/code/core/Mage/Checkout/Model/Type/Onepage.php to intercept data using the OnePage checkout module.

Read More


Categories: Security Education, Sucuri UpdatesTags: Industry Reports, Malware Updates

About Estevao Avillez

Estevao Avillez is Sucuri’s Senior Director of Security Research, who joined the company in 2013. Estevao’s main responsibilities include leading the Research Group, which includes the Malware, Vulnerability and WAF/Sucuri Infrastructure. His professional experience covers 15 years with planning, project and operations management. Estevao has also worked in various areas such as logistics and supply chain, media and communication, telecommunications, and trading relationships with customers. He’s worked as a consultant in financial, strategic and operational management. When Estevao isn’t keeping our customers safe, you might find him taking care of his kids and running. Connect with him on Twitter.
