Sucuri’s focus has always been on educating website owners about the latest threats and vulnerabilities — and much of that depends on our industry-leading research team.
As the holiday season approaches, we asked our researchers what recommendations they had for ecommerce website owners to protect their customers, maintain compliance, and mitigate security risks.
What do you do at Sucuri?
I am the Threat Research Team manager. My team and I actively search the internet for malware, exploits, and vulnerabilities. Whenever we identify a threat, we write tools to detect and block them — and share these findings and new research with the world.
What malware keeps you up at night?
The ones we haven’t found yet! Complex malware and exploits are always fun to work with and find solutions for, but a good night’s sleep can help you stay on the right path.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Website protection is a constant. My best recommendation is to be vigilant about your site’s security all the time — not just during higher-risk seasons like the holidays.
Avoid downloading and installing software from unofficial sources, perform periodic reviews of installed components and authorized users, keep everything up to date, use multi-factor authentication (or whitelist the IPs that can access the admin area) — there are so many recommendations to improve your website’s security…
What do you do at Sucuri?
I’m a Senior Malware Researcher. I analyze malware, tear it apart to understand it, work on ways to detect and clear it properly — all while client sites are up and running.
What malware keeps you up at night?
Every malware incident should be taken 100% seriously; there is no such thing as a small infection. A malware infection is just a consequence of a vulnerability in your environment. If an attacker is able to upload a simple “funny” defacement file, he’s capable of uploading and abusing anything there — from using it to store nasty content, to secretly turning your website into a botnet C&C.
If I were to pick one, we’ve seen a huge increase in credit card stealers over the last few years and their growth and consistent prevalence is alarming.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Use a website firewall. The majority of the modern attacks are the automated exploitations of known and zero-day vulnerabilities.
A good firewall (such as ours ) will provide strong protection against known vulnerabilities, even when your site is not fully patched. Since the principles of attacks are often similar, a firewall can also often catch zero-day vulnerabilities, mitigating risk from emerging threats — and we’re definitely protecting sites proactively.
Otherwise, follow standard security best practices. And don’t trust anyone…
What do you do at Sucuri?
I work as a security researcher. Our main job is to make sure users are protected against the latest security threats affecting popular CMS’.
What malware keeps you up at night?
We are always concerned about zero-day vulnerabilities. We test our solutions constantly to keep them relevant and effective. Attackers are always improving their techniques and attack vectors, so you need the same mindset to survive.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Keep all your software up to date. This is the most basic — and yet most overlooked — security practice. Also, don’t think you should only protect your site during the holiday season. Attackers can infect your site in well advance and you wouldn’t even notice.
It’s also important to engage your customer base with good security practices. Even if your website meets all the security requirements and is PCI compliant, keep in mind that the user is always the weakest link. Keeping your users updated with the best security practices is also your responsibility.
Enable security alerts for all of your financial transactions. This way, you can detect anomalies and act accordingly without having to wait for (or rely on) user’s complaints.
What do you do at Sucuri?
I research emerging threats that have the potential to impact our clients and analyze interesting malware samples for new techniques implemented by malware authors.
What malware keeps you up at night?
Malware that is used for intelligence/information gathering (i.e spying), which can then be used to launch more targeted attacks against the victims.
The recent CVE-2019-2234 vulnerability for Google and Samsung camera apps has demonstrated just how invasive this type of spying malware can be in terms of the sheer data it gathers.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Use payment processors, limit third-party software, remove unused software, and most importantly: have a system for monitoring your website’s environment. This will help you identify indicators of compromise and react faster, hopefully limiting any unauthorized access or fraudulent activity.
What do you do at Sucuri?
I’m a threat researcher, so I research threats!
This means finding vulnerabilities on popular applications, working on tools to improve our methodologies, and ensuring our WAF blocks the latest exploits.
What malware keeps you up at night?
Ransomwares are the worst.
They encrypt files, including old photos and videos, and request money to decrypt them.
This is one of many reasons why having backups is important — yet only a fraction of website owners use and maintain these critical assets.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Be ready to scale, you don’t want your website to experience any outages during this period!
Both in amount of visitors — which you need to be ready to serve — and in preventive measures against attacks like DDoS.
What do you do at Sucuri?
I am part of the Technical Security team: I write signatures for new malware so our tools can detect them and clean them. I refine and optimize any problematic signatures if there are false positives, and also work on more complex cases that require further attention. Sometimes, I get to write blog posts based on cases I worked on.
What malware keeps you up at night?
Surprisingly, even one small line of malware containing only a few characters long can be capable of wreaking havoc or endangering the security of a website.
It’s incredibly easy for attackers to leave a line of code in a random file as a backdoor, then come back to reinfect a website at a later time. Our team combats and resolves these scenarios every day — and we’re always working to improve our tools better detect this kind of malware.
Credit card stealing software also keeps me up at night; every time I buy something online with my credit card, I wonder if it will get stolen.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Getting blacklisted around the holidays can be devastating for any ecommerce website, since it seriously impacts brand reputation and revenue.
My recommendation to site owners is to review and ensure you are using the latest version of your software to patch known vulnerabilities. Now would also be a good time to change all of your passwords and start the new year fresh, as part of a website maintenance plan.
As users begin ramping up purchases for the holiday season, there are likely going to be holiday scams and spam going around. Always be vigilant and review activities and website behavior to make sure it’s not hosting any malware or spam.
What do you do at Sucuri?
I am a Tier 2 Security Analyst. My job is to clean up infected websites, find and investigate new malware infections and report them to our Research team, and identify new trends in the malware landscape.
What malware keeps you up at night?
Most of the malware that I see is pretty pedestrian — pharmacy spam, essay/jersey spam, and all other kinds of spam. Other more severe types of infections like credit card swipers cause me much more concern, and honestly make me hesitate to use anything other than a prepaid credit card for online shopping. I’ve also seen malware that drops all database tables for no reason other than spite. But really, the only type that keeps me up at night is ransomware — once that hits your computer or website there’s no recourse.
What recommendations do you have for ecommerce website owners to protect their sites during the holidays?
Most credit card swiper malware that I see is very simple — all they need to do is brute force your administrator panel and insert a single line of JavaScript from a malicious domain. To mitigate risk, protect your admin panel with 2FA and use a custom login URL.
Other common threats that I see are when attackers modify the actual PHP or JS files on the server, and the best way to protect against this is to restrict FTP/SFTP/SSH login to only whitelisted IP addresses. Use SSH key authentication rather than password authentication. Also, pet every cat you see (this grants you good karma).
Val Vesa
Ben Martin
Art Martori
Fioravante Souza
Bruno Zanelato
Pilar Garcia
Marc Kranat
Krasimir Konov