Analyzing a Facebook Clickbait Worm

danger_ahead-1

Here at Sucuri we suspect everything, especially when your friends start to share content written in another language with clickbait headlines. Malicious Facebook posts are one way that hackers can use social engineering to attract and attack victims.

If you are not familiar with the term, clickbait is when web content is created in a way that psychologically exploits the reader’s curiosity using compelling headlines. When someone clicks on the article to read it, the service promoting the article generates online advertisement revenue.

You may know several websites that rely on strategies like this, with BuzzFeed being the typical example. You have already read headlines like: You won’t believe what this guy did after doing that other thing! Or 27 things that people with some personality do! Most of these sites just want your click (and the revenue that they generate), however, some of them turn to the dark side in order to get their message out.
Read More

Websites Hacked Via Website Backups

Whole-Net

The past few months we’ve been spending a good deal of time talking about backups. This is for good reason, they are often your safety net when things go wrong; interestingly enough though, they are often the forgotten pillar of security. It’s why we spent some time thinking through what a good backup strategy might look like. As in most things however, we have to give real-world examples to help illustrate not only the value of backups, but also the potential threats they pose.

In our strategy discussion, you might recall our emphasis on the location of your backups. As described, the act of having a backup is great, but having it on the same server, worse yet, in the same web directory, can be devastating.

An example of this is in the database backups. The database backup does not just contain your posts, pages and comments; it holds something so much more valuable – think usernames and passwords.

Websites Hacked Via Website Backups

How ironic to think that the thing that is designed to be your safety net, can also be used against you. Such is the tale with Website Backups, when employed incorrectly. We want to focus specifically one type of backup, those of your database.

Most website owners believe that your information on the website server itself is safe from prying eyes, and in most instances that’s true, but in many instances it’s not.

You might be thinking, “But my database backups are not linked anywhere on my website.”

Search engines though, are still able to index a web directory via a process known as Directory Indexing. Directory indexing occurs when a normal base file is missing (i.e., index.html / home.html/default.htm/default.aspx, etc..). If one of these files are not present, the web server will issue a directory listing, which in turn causes them to be indexed via search engines. Those directories might have a treasure throve of content that isn’t meant for public consumption; information you might not want indexed.

There are a number of things that Directory Listing can lead to, they include some of the following:

  • Backup Files
  • Temporary Files
  • Hidden Files
  • Naming Conventions
  • Enumerate User Accounts
  • Configuration File Contents
  • Script Contents

A good example can be seen using a carefully crafted Google search.  We were able to find the following database backups being indexed by Google:

Databases in Google Search Results

Databases in Google Search Results

If a user were to download these files, they’d be able to find information like user information, hashed passwords and a number of emails in plain text (great for spamming and new phishing lures):

Sensitive user information is readable from the file

Sensitive user information is readable from the file

Cracking Hashed Database Passwords

The first anticipated argument is the fact that the passwords are hashed. That’s true, they are.

However, the art of password cracking has evolved greatly over the years. What makes it more convenient for the attacker is that they do not have to expend much energy attacking a website directly, they are able to download the files locally and perform a series of Brute Force techniques to reveal the password.  All that is needed is the right brute-force software; yes, there are a wide range of tools freely available that the attacker configure and deploy daily.

The worst part is, you won’t even know you’ve been,, or are under attack; until it’s too late.

The discussion of password cracking is not new, it’s been going around for years. Joseph Bonneau wrote back in 2013:

Password cracking can be evaluated on two nearly independent axes: power (the ability to check a large number of guesses quickly and cheaply using optimized software, GPUs, FPGAs, and so on) and efficiency (the ability to generate large lists of candidate passwords accurately ranked by real-world likelihood using sophisticated models). It’s relatively simple to measure cracking power in units of hashes evaluated per second or hashes per second per unit cost.

To put this into context, Jeremi Gosney, Founder & CEO, Stricture Consulting Group (an organization that cracks passwords for a living), was able to crack 14,734 of 16,449 MD5-hashed passwords in 20 hours, using a common computer with a single AMD Radeon 7970 graphics card.

That’s over 90% of the passwords on the list. The experiment was conducted by Ars Technica in response to a previous test conducted by one of their reporters, Nate Anderson, who was able to decipher close to half of the same 16,000 cryptographically hashed passwords that Jeremi worked on. All done with no experience in the art of password cracking.

Granted, this example is specific against an MD5 hash.

Most cryptographers out there will laugh that it’s employed, and as such the passwords deserve to be revealed. No arguments there! It’s also why some of the more modern CMS applications, including WordPress and Joomla!, leverage some salt+md5 hashing configuration. Unfortunately, that’s of little comfort as the technology has evolved and tools like HashCat have hit the market making the cracking of those passwords that much easier to crack.

Hardening Server Directories

The emphasis on the art of cracking is important to help drive the point home on the importance of your backups. They contain information that is critical to your website, and most likely your online brand and business.

It’s why we place so much emphasis on a good policy for passwords, and always recommend randomly generating them, retaining a good length (greater than 20) and the use of a password manager. All this is moot however if the attackers can get access to the hashes themselves (via your database backup).

If you must store the backups on the same server/account as your website we recommend placing them outside the public web directory. Please, also make sure they are not accessible from the outside.

You can also add additional rules to the .htaccess file inside the backup directory to further harden it:

# Block Directory Listing 
Options -Indexes

This will only work if your web server is configured to allowed server overrides. If on a shared host, be sure to ask your host for guidance.This configuration is only for those on Apache web servers.

If you’re using NGINX, another very popular web server, the directory listing option is disabled by default.

Windows IIS however, is similar to Apache, in that it’s set to enabled by default, so to disable directory listing you’ll want open the command line on your web server and use the following:

appcmd set config /section:directoryBrowse /enabled:false

Don’t Underestimate the Value of Your Backups

Backups are a critical piece of your overall security posture, be sure to have them. Having a backup however is just the first step, you must have a good approach to creating them and more importantly storing them.

There is no greater example than the impacts if your database backups were to get into the wrong hands. Database backups contain secret / sensitive information about your users; things like their email addresses, and passwords to name a few (varies on what you collect), and wide range of other data. In the wrong hands, this information can be used to wipe out your website, worse yet, attack your users. We’ve illustrated the processes employed by today’s attackers to crack passwords in an effort to demonstrate its impacts. When a hacker gains access to your information, there is no telling what will happen next.

Make sure that you keep your website backups in a secure location. If you don’t have such a configuration and you’re a client, we highly recommend looking into the Sucuri backup service.

 

10 Tips to Improve Your Website Security

Ten-Tips-for-Improving-Website-Security

In recent years there has been a proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal and so many other allow business owners to quickly and efficiently build their online presences. Their highly extensible architectures, rich plugin, module, extension ecosystem have made it easier than ever to get a website up and running without years of learning required.

This is undoubtedly a great thing; however, an unfortunate side effect is that now there are many webmasters who do not understand how to make sure their website is secure, or even understand the importance of securing their website. In this post I want to share with you the top 10 steps all webmasters, website owners, can, and should, take to keep their website secure.
Read More

Your Website Hacked but No Signs of Infection

How-Websites-Get-Hacked
Imagine for a moment, you have a suspicion that you have somehow had your website hacked. You see that something is off, but you feel as if you are missing something. This is the emotionally draining world that many live in, with a paranoia and concern that grips you once you see and recognize that something is not right. As humans we need closure, we need the ability to say… “Gotcha!” Often though, especially when it comes to hacks, we are left only with our imagination and that can be concerning for many.

In one of the many groups I participate in, I was reading an experience that spoke to this exact feeling. A user had noticed that a new administrator user had been added to their website, but barring a simple image file, they were unable to identify anything else out of place. To further complicate issues, the various security tools they were using kept reporting nothing was amiss. As a website owner, that’s perhaps the most frustrating feeling, when you can feel it in your bones something is wrong. Why aren’t the tools picking it up?
Read More

Introducing Free Global Website Performance Tool

Website Performance Test
We are happy to launch a new free tool (aka Global Website Performance Tester) that allows anyone to quickly check how fast a website is loading from across the globe.

We extract three key metrics that are critical to the performance of any website: connection time, time to first byte (TTFB) and total load time:

  • Connection time: It measures how long it takes for the TCP session to be established to your website. If you are a networking geek, it measures how long it takes for the 3-way handshake to be completed.
  • Time To First Byte (TTFB): This is one of the most important numbers to pay attention to, as it tells you how long it takes for the first byte to be received by the browser. This metric is important because as soon as the browser receives the first few bytes, it can start to load the page and display content to the end user.
  • Total Load Time: This shows how long it takes for the full page to be loaded.

To give us the visibility we need for these tests, we setup 13 globally distributed testing stations:

  • 4 in USA (New York, Atlanta, Dallas and Los Angeles)
  • 1 in Canada (Montreal)
  • 4 in Europe (Germany, UK, France and Netherlands)
  • 2 in Asia (Japan and Singapore)
  • 1 in South America (Brazil)
  • 1 in Australia

And we run all our tests from all of them. To get started, you can test your websites performance here: https://performance.sucuri.net
Read More

Website Security: How Do Websites Get Hacked?

How-Websites-Get-Hacked

In 2014 the total number of websites on the internet reached 1 billion, today it’s hovering somewhere in the neighborhood of 944 million due to websites going inactive and it is expected to normalize again at 1 billion sometime in 2015. Let’s take a minute to absorb that number for a moment. Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, of the millions of websites that push through our scanning technology, we often see 2 – 5% of the them have some Indicator of Compromise (IoC) that signifies a hack. Granted, this might be a bit high, as the websites being scanned are often suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected.

With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge however, is that the answer has been the same for quite some time.
Read More

How Social Media Blacklisting Happens

Social Media Blacklists

In today’s world, we are all browsing websites online and sharing content on a multitude of social media platforms every day. Worldwide social media users exceeded 2 billion back in August 2014, with an adoption rate unlike anything we have seen in history. Social media continues to grow around the world, with active user accounts now equating to roughly 29% of the world’s population. Monthly active user (MAU) figures for the most active social network in each country add up to almost 2.08 billion – a 12% increase since January 2014.

What is Social Media Blacklisting?

Legitimate links on social media platforms are sometimes hijacked by criminals to direct visitors to a website where malware will be automatically downloaded. The more that people share and use social media, the more often these situations will occur. This is why social media platforms have specific security measures to protect their users from being victims of malicious shared content.

In the same way that websites can be blacklisted by Google for having malware hosted on their pages, social media blacklisting occurs when security triggers detect malicious activity, thus placing the infected links on their internal blacklist. Sometimes they can match the URL with the help of an external blacklist authority, such as McAfee, Google, Web of Trust, or Websense.
Read More

How To Create a Website Backup Strategy

wire-rope-59675_640

We’ve all heard it million times before – backups are important. Still, the reality is that even today, a website backup strategy remains one of the most overlooked and under-utilized precautions we can take to protect our vital data.

Why Are Backups So Important

Put simply, a good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files, or if your web server has a catastrophic hard drive failure, all the damage can be easily undone by restoring from your backups. The idea is simple. In order to make sure our data is safe, you make a copy of it. If something happens to the original copy you can always use your backup copy.

Simple right? Unfortunately it isn’t that simple at all and there are a number of factors that determine whether your backups will be useful, practical and secure.

Read More

Why Website Reinfections Happen

why-does-your-website-keep-getting-reinfected

I joined Sucuri a little over a month ago. My job is actually the Social Media Specialist, but we have this process where regardless of your job you have to learn what website infections look like and more importantly, how to clean them. It’s this idea that no matter who you are, you must know the foundation that makes this company work. After a month of this training, I made some very interesting observations through my interactions with some of our clients and felt some might find it interesting, especially why website reinfections occur. This might be new to some, and not so new to others, but for me it was fascinating and worth a share.

I will note that I was like many of you a month ago, I operated my own website, and still do, and came to know of Sucuri because my own website had been hacked. Such is the circle of life that I now work at this fascinating place. Here are some of my observations from my last month here and I hope they help someone.

Read More

The Impacts of a Hacked Website

Today, with the proliferation of open-source technologies like WordPress, Joomla and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a lot is being lost in terms of what it means to own a website.

We are failing each other, we are not setting ourselves up for success. We are learning the hard way what large organizations already learned – being online is a responsibility and will eventually cost you something.

I recently shared a post talking to the motivations behind hacks. This post was important as it helped provide context and I encourage you to spend some time digesting the information. What it fails to do is what I want to focus on in this post.

What are the impacts of these hacks to your website? To your business?
Read More