Yoast and Sucuri Partner to Create a Safer Web

Yoast and Sucuri

We’re very excited to finally talk about a partnership that has been in the works for a few months. Given the serious state of security in the WordPress ecosystem, it only makes sense. It also comes at a time when we, as an organization, are reinvesting in the website security space through extensive research, which gives us a better grasp of what the real threat landscape looks like for website owners.

The benefits of the partnership can be seen and felt by both organizations. Over the past 3 weeks we, Sucuri, have been undergoing big changes in our branding and messaging, and many have already started to comment. For Yoast, security audits have begun and updates have been proactively pushed to their users. It is our belief that through this partnership we will be able to make a bigger impact on the online threats website owners face on a daily basis. For those wondering, none of the Yoast plugins or plugin updates we’ve audited contained any serious vulnerabilities.

This post covers the specifics of the partnership and how we will be working together.

Regular Security Audits Drive Customer Trust in Yoast Plugins


Simplifying the Language of Website Security

A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation with his family.

After a long day of conversations with the rest of the tech world, we needed to get a bite to eat and we decided to wait at the bar while the restaurant got our table ready. While there, we started talking to a man sitting next to us. As it turns out, he owns an auto body business in the Philadelphia area. Eventually, our new friend asked us what we were doing in Miami so we told him that we helped to run a firm focused on website security and, from our perspective, that’s when the conversation got really interesting.

“That’s For Big Websites, Right?”

Our new friend knew about the data breaches at the big retailers like Target and then went on to tell us, “But I’m not worried, because I have a really simple website and just ask people to fill out a form so we can contact them later.”

Tony and I were floored when he told us that… but should we have been? When you live every day in the security space, it can be easy to forget that the rest of the world doesn’t live there with you.

We’ll always use this blog to break security news and to educate the community about the latest malware removal techniques we’re pioneering, but the more we learned about our new friend’s business, the more apparent it became that we have an obligation to translate the language of website security so that website owners everywhere understand its importance. In that spirit, here’s our first primer in a once-in-a-while series for the everyday blogger, website enthusiast and small business owner on why security is important for their site.


Is My Website Hacked? If You Have to Ask, Then, “Yes.”

The problem with phishing, and the reason so many people have trouble with it, is that the code is fairly benign and can be very difficult to spot, because it usually looks almost exactly like legitimate code. Oftentimes, a website owner won’t know their site is hosting a phishing page until visitors inform them, which is why finding phishing pages can feel like searching for a needle in a haystack.

That’s what makes the following story so instructive.

Many thanks to our own Ben Martin for walking us through the scam (and for cleaning the client’s website).

The Problem

Recently, we cleared malware from a client’s website and our malware removal expert, Ben, found some interesting phishing pages.

Where Was the Injection Located?

It’s in the hacker’s best interest to hide their phishing pages, and they’re often able to do so because the code is so benign. They don’t need to run malicious scripts or inject iframes. In this case, the page doesn’t contain any suspicious functions or calls to Russian domains. It just consists of text input fields, like the normal code you’d see on any website. The key, then, is to know what you’re looking for, and to do that you have to think like a hacker.

What Are Phishing Scams Attempting?

This is where it becomes important to remember what a phishing scam is normally attempting to do. In many cases, the attackers are looking for bank records like credit card or debit card numbers, so we kept it simple and searched for “bank”, and look what we found:


See it? The file title_netbank.jpg looked suspicious and, interestingly enough, all it took was that one reference to the JPG in index.htm to lead us to the phishing pages. We didn’t stop there, though. We dug a little deeper and found an .htaccess file in the same directory.


What you’re seeing here are the IP addresses that are allowed to view the phishing page. In this case, only visitors with Danish IP addresses are redirected to the page. In this way, the hackers are able to narrow the scope of their attack to those who are most likely to enter their bank details, while not showing a suspicious page to anyone else who might alert the bank or our client to the scam.

Here’s what this specific page looked like. It was being used to redirect customers to something that looked like a Nordea Bank AB login page (Nordea Bank is a financial group operating in Northern Europe). Even if you’ve never heard of Nordea, potential victims based in Northern Europe would have heard of the bank and would have been put at risk.
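The hunt described above (search the document root for bank-related references, then check for .htaccess files that restrict access by IP address) as an added Python triage script; this is not code from the original post, and the mock site it builds, the keyword list and the 192.0.2.0/24 range are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Constructed keyword list: terms a bank-themed phishing kit tends to use in
# file names, titles or image references (the case above used "netbank").
KEYWORDS = ("bank", "netbank", "nordea")

# .htaccess directives that limit who can reach a page by source IP address;
# phishing kits use them to show the page only to the targeted region.
GEOFENCE_RE = re.compile(
    r"^\s*(Allow|Deny)\s+from\s+\d+\.\d+\.\d+\.\d+|RewriteCond\s+%\{REMOTE_ADDR\}",
    re.IGNORECASE | re.MULTILINE)

def scan_webroot(root):
    """Walk a document root and return sorted (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="replace")   # binaries decode lossily, fine for grep
        except OSError:
            continue
        if path.name == ".htaccess":
            if GEOFENCE_RE.search(text):
                findings.append((rel, "htaccess restricts access by IP address"))
            continue
        hits = [k for k in KEYWORDS if k in path.name.lower() or k in text.lower()]
        if hits:
            findings.append((rel, "references " + ", ".join(hits)))
    return sorted(findings)

def build_sample_webroot():
    """Create a constructed mock site resembling the case above, in a temp dir."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>Auto body shop</h1><form>...</form>")
    kit = root / "wp-content" / "uploads" / "2014" / "nb"
    kit.mkdir(parents=True)
    (kit / "index.htm").write_text(
        '<img src="title_netbank.jpg"><input name="user"><input name="pass">')
    (kit / "title_netbank.jpg").write_bytes(b"\xff\xd8\xff")   # fake JPEG header
    (kit / ".htaccess").write_text(
        "Order deny,allow\nDeny from all\nAllow from 192.0.2.0/24\n")   # constructed range
    return root

if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```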


What Did We Learn?

The hack we cleaned here isn’t extravagant. It wasn’t obfuscated behind layers and layers of code. In fact, it was relatively simple, which is instructive: malicious code can affect your website even when it’s relatively easy to spot. The lesson, as always, is that if you have a feeling your site has been compromised, then it probably has been.

Take Back Your Internet – Demand a Safer Web

Take back the internet
Over the last couple of weeks, we’ve written about malicious redirects pushing users to porn sites, about ever more complicated phishing scams carried out through multiple compromised websites on a single server, and about AdSense blackmail. We write about how attackers hit these sites because that’s what we do: we figure out what they’re doing and clean it up, or prevent it from happening.

However, today we want to explain how you’re affected by everyday website hacks (not just the big ones). Sure, there is always a website owner who is being harmed by targeted code injection or malware, but it’s not going to affect you, right? Except that it does. Most of the hacks we clean up are harming hundreds or thousands of website visitors just like you.


Sucuri CloudProxy – Website Firewall Enhancements

When LA’s DA says that “73% of our local businesses appear to have been hacked,” it begins to illustrate the importance website protection will play in the future of business, which is why we’ve placed so much emphasis on website protection on this blog over the last few months.

Protection is no longer a “nice to have”; it has crossed into the realm of necessity. Website owners know about website hacks, DDoS attacks and malware injections, but they often don’t know how to stop them from happening, and until a hack hurts their own business it’s very easy to believe that these hacks only happen to other people and other businesses. That’s why we’ve written so much about our Website Firewall, CloudProxy, lately. Truly, we want to help keep your website safe.

In that spirit, we challenged ourselves to make our firewall more intuitive to use so that any website owner will be able to take control of their own security protocols. We’re proud to announce that our team has made some great strides, in terms of user experience, lately and, in this post, we’ll highlight a few of the enhancements we’ve put in place.

CloudProxy – Website Firewall Redefined

The Website Firewall was designed to give website owners peace of mind, with a simple objective in mind: to keep your website safe by stopping attacks before they happen.

The logic behind the firewall is simple. It filters through all incoming website traffic and intelligently identifies good and bad traffic. All good traffic is allowed to hit your website and all bad traffic is blocked, which protects your website. In the end, the process looks a lot like this.

How the Sucuri Firewall Protects Websites

Latest Enhancements

The last major update to CloudProxy occurred in February, and back then, our update focused on a few key structural points:

  1. CDN Support (i.e., MaxCDN, CloudFlare, etc.)
  2. Reporting (i.e., Visualization)
  3. Point of Presence Expansion (i.e., more servers worldwide)
  4. Back-end Rewrite (i.e., Code Refactoring)

In this update, we’ve focused more on the user experience, while still making some functional updates. Over the rest of the post, we’ll go over:

  1. Real-Time Monitoring
  2. An Improved Onboarding Process
  3. Country Blocks
  4. Enhanced Denial of Service (DoS) Protection


Does Sucuri Work With My Host? Yes, Yes We Do.

We’ve been scanning and removing malware from websites for years, and in that time we have seen the website security domain grow by leaps and bounds. Over the same period, the internet has reached all corners of the globe, and the number of websites worldwide has skyrocketed (estimated at 955 million and growing). Where do all of those sites live? We decided it would be interesting (and instructive) to look inward at the distribution of hosts within our own client base.

Hosting Companies Sucuri Works With

The good news is that it doesn’t matter which host you choose to work with. It’s likely that we already work with whichever host you pick, though from time to time we do work with hosts we didn’t even know about. It’s important to note that some hosts, like managed hosts, don’t actually have their own infrastructure; they resell or sit on top of existing hosts. As such, this investigation doesn’t include those without their own infrastructure.

This investigation illustrates, in pie-chart form, that sites on every hosting service get attacked. Regardless of your hosting company, you should always be thinking about how to protect the investment you’ve made in your website. Here is the host distribution within our environment*:


*The distribution of our clients among the hosts does not mean that any one host gets infected more or less than any other, and is reflective of many different factors.


Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware

As your website’s webmaster, have you ever seen an e-mail from Google like this?


We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will also be disapproved.

Here’s what you can do to fix your site and hopefully get your ad running again:

1. Make the necessary changes to your site that currently violates our policies:
Display URL: site.com
Policy issue: Malware
Details & instructions:

2. Resubmit your site to us, following the instructions in the link above….

If so, you know the potential downside risk this poses for your website. In their own words, Google says:

In some cases, you may be unaware that you have malware on your site. But to protect the safety and security of our users, we stop all ads pointing to sites where we find malware.

In essence, Google and Bing care about their searchers more than about your business, so, to protect their customers, they’ll shut your website out of AdWords and Bing Ads and will show your site less frequently in organic search results.

Often overlooked in the search business is the role of the search engine itself in the ad placement process. These are businesses that specialize in creating algorithms to show relevant search results, assign quality scores to your landing pages and place your actual ads. A lot goes into the process, but in all cases the key for the search engine is to show relevant search results (including ads) that keep people using their search engine. It is in this spirit that search engines like Google and Bing reserve the right to refuse your ads. This is especially true if they have any reason to believe that your site may be infected with malware (including viruses, worms, spyware and Trojan horses) or is being used in phishing schemes.

From the search engine’s perspective, this makes perfect sense. Searches are their lifeblood and there are other search engines a person could use to find websites. By showing your ads or returning your site organically in a search, they are tacitly telling the searcher, “We found these sites to be relevant to you.” If they start sending you to sites that are potentially harmful, then a searcher could, potentially, switch search engines.

However, knowing why search engines work as they do doesn’t make it easier to be a webmaster when a site is hacked. Luckily, our cleanup and malware removal tools, as well as our blacklist removal service, are just a click away.

Or, better yet, keep yourself from ever getting an email like the one above from Bing or Google. Instead, protect your site, and your business, from problems stemming from malware, blacklisting or phishing by putting your site behind a web application firewall like our CloudProxy WAF.

Many Pieces of a Puzzle: Target, Neiman Marcus and Website Hacking

Website Malware

Corporations get hacked all the time. This is not news to anyone in the security business, but it has certainly received a lot of attention from those in the media over the last few weeks because of a couple of large-scale credit card events at both Target and Neiman Marcus.


Security Issue on vBulletin uploader.swf

The vBulletin team recently disclosed an XSS (cross-site scripting) vulnerability in the uploader.swf file that is included by default in vBulletin 4 and 5. This file comes from the YUI library, which is no longer maintained, so the vBulletin team is recommending that everyone remove that file from their installs ASAP.

This is their full note:


Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1

If you are using OpenX or the new Revive Adserver (a fork of OpenX), you need to update it ASAP. Florian Sander discovered a serious SQL injection vulnerability that affects all versions of OpenX and all versions of Revive Adserver. From the Revive advisory:

An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander.

The vulnerability is known to be already exploited to gain unauthorized access to the application using brute force mechanisms; however, other kinds of attacks might be possible and/or already in use. The risk is rated as critical, as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.

The XML-RPC delivery invocation script was failing to escape its input parameters in the same way the other delivery methods do, allowing attackers to inject arbitrary SQL code via the “what” parameter of the delivery XML-RPC methods. Also, the escaping technique used to handle that parameter in the delivery scripts was based on the addslashes PHP function and has now been upgraded to use the dedicated escaping functions for the database in use.

We highly recommend that anyone using OpenX upgrade to the latest Revive version or, as a temporary fix, remove the file “www/delivery/axmlrpc.php” from your installation.

Clients using our CloudProxy Website Firewall are already protected against this vulnerability. If you want to protect your OpenX / Revive install, you can sign up for CloudProxy here.