Last year was a busy one in the world of website security. Our 2019 Threat Research Report shows that over 60% of websites we cleaned had a vulnerability at the point of infection, up 4% over 2018. SEO spam remained a universal threat, while backdoors allowed hackers to reinfect sites recovering from an initial attack.
Much is due to outdated CMS software and applications (like plugins and extensions) — an attack vector which, along with other vulnerabilities, facilitates the hacks and attacks we’re about to cover.
Before we get started, understand this list is by no means a comprehensive guide. Some things it covers are broader topics, while others are more specific examples. But these are 10 things likely heard last year in website security discussions — and understanding them goes a long way in supporting your own plan for a secure online property for the future.
1. SEO Spam
Have you ever seen a website with out-of-place content that advertises something unrelated to the purpose of the site? For example, a personal blog might rank in search results for pharmaceuticals. Or a municipal website could display content for porn or gambling.
This is SEO spam, where hackers use unauthorized access to hijack the visibility of legit websites. By adding content like links and ads, they steal traffic and direct it to another site set up to further their goals.
It’s one of the most common and fastest-growing infections we see today, with 62% of websites we handle infected by SEO spam. An untreated SEO spam infection can not only damage a site’s trust and reputation, but also cut off organic traffic due to blacklisting.
2. Cross-site scripting
Imagine a poacher leaving traps on someone else’s property, exploiting the wildlife that believes it’s safe to visit. That’s one way to understand XSS attacks.
XSS makes our list because it represents 43% of all vulnerabilities our remediation team worked on in 2019. In terms of our Web Application Firewall (WAF), XSS attacks made up 2.43% of all blocked attacks.
3. SQL injections
If your website uses a SQL database (say, in order to have user logins), SQL injections (SQLi) are something you should understand. These attacks start with hackers using an input field — often used for searching or logging in — to enter SQL statements which then execute malware within the database.
For website owners who store personally identifiable information (PII), SQL injections are a huge threat. Imagine hackers getting access to payment-card data or medical records.
Our WAF blocked over 2 million SQLi attacks in 2019, representing 1.55% of all attempts. Cleaning up the aftermath is a lengthy, involved process where our remediation team must manually interact with the infected database in order to ensure everything is safe.
4. Brute force
As the name implies, these attacks rely on a less sophisticated approach. Hackers use automated scripts to run through thousands of combinations of user names and passwords until one works. Brute force attacks rely on weak passwords, so understanding and adhering to password security best practices mitigates the risk.
In addition to strong passwords, a website firewall reduces the risk of brute force attacks. Last year, our WAF stopped 1.3 million brute force attempts — 0.38% of all blocked attempts.
5. DDoS attacks
With distributed denial of service (DDoS) attacks, hackers first recruit a vast army of bots (automated programs that perform malicious functions) by injecting them into compromised devices. Devices can range from laptops and smartphones to appliances connected to WiFi. This botnet can then take down a website or application simply by the sheer number of requests it sends.
Remember the days when every phone was on a landline? Back then, a group of pranksters would target a single line with dozens of calls, leaving the victim unable to do much else than pick up the phone. The same principle applies here.
The motivation for DDoS attacks varies, but always hinges on damaging the victim’s online presence. For example, hacktivists might seek to damage an institution they oppose. An unscrupulous business rival might even pay for a DDoS attack against a competitor.
Backdoors were so common last year, 47% of infected sites we saw had malware that allows hackers to reinfect the victim. Backdoors often work in tandem with webshells, interfaces hackers use as admin panels to modify the files and applications on an infected website.
Imagine cracking the combination to a vault, and then adding a second security code to open it. The owner would notice the robbery, but wouldn’t realize you still had access as stuff continued to go missing.
Phishing makes our list because it continued to grow in 2019, despite the increased awareness of this common scam. Hackers are getting better at targeting victims with emails — seemingly from a trusted source — that evoke the classic combination of fear, uncertainty, and doubt (FUD).
FUD urges the victim to perform an action or supply information, furthering the scam set up by hackers.
The biggest campaigns in 2019 related to Netflix, followed by PayPal. We also updated our WAF with hundreds of new signatures to detect phishing with popular brands like Microsoft, Apple, and Bank of America.
In 2019, nearly every phishing campaign we saw used a mailer script. When numerous spam emails go out from a single place, email providers and spam authorities put it on their blacklist, taking away the ability to send more emails.
That’s why hackers install mailer scripts, which automatically send out tons of spam from a compromised site. That site gets shut down, and then the hacker moves on to a new target. Meanwhile, the recent victim is left unable to send legitimate mail, and often marked as spam or blocked entirely.
9. Credit card stealers
This term refers to several types of malware on our list applied to a single purpose: stealing credit card information stored by ecommerce merchants or transmitted to and from shoppers.
In years prior to 2019, we’ve seen bad actors dedicating smaller amounts of resources to developing one-size-fits-all hacks that had a smaller chance of success, but targeted larger numbers of sites.
Last year, however, hackers leveraged a highly customized approach to target popular websites with more traffic and users. With that in mind, consider some of our data from last year:
- More than 1,700 client-side and 600 server-side credit card stealers were removed from infected websites by our remediation team.
- Our research team added 178 new ecommerce malware signatures to SiteCheck and our monitoring, detection, and cleanup resources.
- The Magecart infection saw a large number of attacks against ecommerce websites using CMS applications including Magento and WordPress.
- More than 5,000 websites contained credit card skimmers, while a total of 1,845 blacklisted skimmer resources were detected.
10. Plugin vulnerabilities
Rounding out our list isn’t a hack or attack created by bad actors, but rather one that’s self inflicted by website owners. Sites with outdated components — including themes, plugins, and extensions — don’t stand a chance against any of the hacker-initiated threats we just covered.
There’s an ongoing race between developers of these components and hackers seeking to exploit them. And it’s a close race, as last year we found 56% of CMS applications were outdated at the point of infection.
When hackers find an exploit, developers quickly release an update to patch it. Website owners who don’t apply updates in a timely manner become easy targets for any bad actor who knows what’s been targeted recently.
Key takeaway from last year’s hacks & attacks
Website security starts with an understanding of the threat landscape. It reveals the importance of adhering to best practices and proactively securing an online property, typically with measures like a comprehensive security solution.