Our free SiteCheck tool helps website owners remotely scan their website to detect malware infections, blacklisting status, website errors, and other anomalies. Scanning a website’s external HTML source code provides immediate results, without the need to install any software or applications to identify threats.
In September alone, a total of 17,138,086 website scans were performed using SiteCheck. Of those scans, 178,299 infected sites were detected. While not as comprehensive as server-side scanners, users are able to instantly identify malicious code, find outdated software and plugins, and detect website security issues.
Website Malware Infections
Website infections can happen for a number of reasons, but they’re often the result of bad actors trying to monetize a hacked website’s SEO, traffic, or server resources.
Common attack vectors include brute-force attacking insecure credentials, exploiting website vulnerabilities, or phishing — which can ultimately lead to SEO spam, malicious redirects, injected content, backdoors, obfuscated scripts, phishing pages, and other website malware.
To identify trending malware, we analyzed the top ten signatures from SiteCheck in September.
As indicated in the table above, SEO spam is one of the most common types of malware seen from the scan data last month. A total of 70,583 sites were detected with SEO spam infections, accounting for 39.59% of website infections detected by SiteCheck in September.
SEO attacks often result in unwanted spam content and redirects to other websites. Left untreated, this can significantly impact a website’s rankings and organic traffic, leading to blacklisting — and potentially damage to a website’s reputation and loss of revenue.
Unsurprisingly, the majority of spam content was related to pharmaceutical industries, male enhancement pills like Viagra and Cialis, and Japanese spam.
On the other hand, SEO spam for sport jerseys has steadily declined in the past year — this may be due to fewer professional sporting events being hosted globally since the pandemic.
Instead of manually targeting individual scripts for each site, attackers use a list of the most common files and libraries loaded on web pages. For example, jquery.js and jquery-migrate.min.js are loaded by almost all modern WordPress sites.
In recent years, our team has also seen injections disguising as third-party resources to avoid detection — including jQuery and Google Analytics scripts. These techniques are not surprising, given the popularity of these services for most websites.
In September’s data sets, we also identified a total of 2,446 defaced websites. Defacements typically come in the form of modified website content and imagery, and the most common causes occur due to password compromises, website vulnerabilities, improper hosting or site configurations, or existing malware infections.
Attackers can be motivated to deface a website for a number of reasons, including political or religious reasons — or to simply wreak havoc in the name of hooliganism.
Outdated Software & Components
During our analysis, we found 2,726,174 scanned websites contained outdated software including core CMS, server software, and extensible third-party components like plugins and themes.
While not all outdated software can lead to a vulnerability exploit, website owners are strongly encouraged to keep all website software updated with the latest security patches to mitigate risk. Bad actors often leverage automation tools to rapidly launch campaigns to identify and target vulnerable websites.
If keeping software and components updated is challenging or you don’t have automatic updates, a web application firewall can be leveraged to virtually patch known vulnerabilities. September’s data revealed 2,177,049 websites were using an identifiable firewall to protect from malware, brute force attacks, DDoS, and zero-day exploits.
Last month, a total of 19,665 websites contained blacklisted resources. That means that 11% of infected sites were found to include HTML elements referencing blacklisted domains.
Another 3,720 websites contained blacklisted redirects. The majority of malicious redirects are caused by modified web-server configuration files like .htaccess, which reroute website visitors to an attackers website or other unwanted destination.
We queried September’s data to compile a list of the most noteworthy blacklisted domains, and broke down the reasons behind the blacklisting.
The top three domains (lowerbeforwarden[.]ml, solo.declarebusinessgroup[.]ga, and declarebusinessgroup[.]ga) are all related to a massive, ongoing WordPress infection that we’ve been following for several years. This campaign targets and exploits websites with known plugin vulnerabilities, typically redirecting visitors to various kinds of scam landing pages — including tech support scams, fake lottery wins, and malicious browser notifications.
The fourth most common blacklisted domain (hostingcloud[.]racing) is related to an ongoing cryptomining campaign which first appeared back in 2018, when in-browser cryptomining became a popular way to monetize website traffic.
Belonging to the CoinImp cryptominer, bad actors have been rotating hostingcloud’s domain name in obfuscated scripts to mine for cryptocurrency without consent. In-browser mining’s popularity has been on the decline in the past couple of years, and this data indicates that these scripts most likely have been lingering for a year or more — web masters probably aren’t detecting and properly handling this infection.
When an issue is detected in SiteCheck that isn’t directly related to blacklisting or malware, other helpful recommendations are provided to help educate our users on potential website issues.
Here is a breakdown of the top five most common security problems found on websites in the past month.
During the month of September, 12.67% of scanned websites were missing a Content Security Policy (CSP) directive. CSP’s are an extremely useful tool that can help you mitigate some of the risks of XSS attacks and other content injection vulnerabilities.
Another 13.33% of websites had issues identified in pre-existing CSP’s. Problems ranged from unknown directives, to unsuitable ‘unsafe-inline‘ and ‘unsafe-eval’ keywords, and even syntax errors within policy headers.
12.64% of websites had no detected website application firewall (WAF). Installing a cloud-based WAF can help mitigate DDoS, virtually patch vulnerabilities, and prevent website hacks.
Missing X-Frame-Options security headers were detected for 12.26% of scanned websites in September. This header helps improve security against clickjacking, preventing attackers from iframing the contents of your website onto another.
Additionally, nosniff security headers were a common issue. A total of 11.67% of websites found to have missing X-Content-Type: nosniff security headers. This header can improve the security of your website (and traffic) by protecting against some types of drive-by-downloads.
September saw the following three categories trending for detected infections.
Signature Family: spam-seo?japanese.0
The malware signature spam-seo?japanese.0 was flagged for 21,253 contaminated sites last month, and was the most common infection detected in September.
Belonging to a subcategory of Japanese spam, this signature is for a specific black-hat SEO campaign responsible for creating website doorways which redirect Japanese visitors to malicious websites selling counterfeit goods.
Indicators of compromise include:
- Japanese search results for non-Japanese websites, including modified meta descriptions and titles
- Impacts on hosting account disk quotas as malicious files are added to the website, sometimes in the thousands
- 404 errors in Webmaster Tools and Search Console
The second most common signature found during SiteCheck scans last month was malware?blacklisted_resource.1 and was identified on 19,665 contaminated websites.
This presence of this signature is an indicator of compromise, as the site has been found to load a resource (either script or iframe) from a blacklisted domain. Our team has identified that a large percentage of these blacklisted resource detections belong to a massive ongoing WordPress campaign targeting multiple known software vulnerabilities.
Signature Family: redirect?conditional.0
Flagged for 11,686 contaminated sites last month, the generic redirect?conditional.0 signature identifies malicious redirects from search engines, checking to ensure that results are the same for all users.
The primary indicator of compromise for this signature is malicious redirects for organic website visitors. To evade detection by regular site visitors and owners, malware often employ special techniques to exclusively redirect new visitors from search engines. SiteCheck identifies and flags suspicious redirects which only occur under special conditions.
This month’s data sets revealed the following insights:
- 2,726,174 scanned websites contained outdated software which could potentially lead to an exploit.
- 70,583 sites were infected with SEO spam, accounting for 39.59% of website infections.
- 19,665 scanned websites contained malicious scripts or iframes from blacklisted domains.
- 12.67% of scanned websites were missing a Content Security Policy, which can help mitigate XSS and other content injection vulnerabilities.
- 11% of infected sites were found to include scripts and iframes from blacklisted domains.
- 12.64% of websites had no detected website application firewall (WAF).
SEO spam infections continue to be one of the leading types of threats found on compromised websites, and outdated software continues to be a major security issue for website owners. As seen in previous reports, bad actors are evolving their malware campaigns to target and exploit vulnerabilities in popular third-party components.
While no solution is 100% capable of protecting your website’s environment, there are a number of different solutions you can leverage for an effective defense-in-depth strategy. Consider using file integrity monitoring or website monitoring services to detect anomalies, blacklisting, and indicators of compromise. You can also utilize a web application firewall to block attacks, mitigate DDoS, and virtually patch known vulnerabilities.
Do you have comments or suggestions for this report? We’d love to hear from you! Share your feedback on Twitter.