How Domain Expiration Can Potentially Disrupt Other Websites

A website owner recently reached out to us about a pop-up advertisement problem on their website which occurred any time someone clicked anywhere on the web page.
This irritating pop-up didn’t come from malware placed in the website’s files or database, but rather from a single JavaScript source that the owner added to a widget:

At one point, this external JavaScript file had been used for affiliate tracking purposes, but the domain had expired earlier this year and had been registered by a new owner.
Continue reading How Domain Expiration Can Potentially Disrupt Other Websites at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/how-domain-expiration-can-potentially-disrupt-other-websites.html

The Largest DDoS Attacks & What You Can Learn From Them

A DDoS (Distributed Denial of Service) is an attack that focuses on making the website unavailable to its legitimate users. DDoS attacks can produce service interruptions, introduce large response delays, and cause various business losses.
Denial-of-service attacks work in one of two ways: they either flood services or crash them. Attackers execute DDoS through computers and smart devices. Given this, it’s common for attackers to make use of IoT devices that are internet-accessible. IoT devices are any electronic devices that can connect to the internet and transmit data, such as toys, smart TVs, and monitors of any kind.
Continue reading The Largest DDoS Attacks & What You Can Learn From Them at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/largest-ddos-attack.html

Sucuri Can Help Secure Your Client Websites

At Sucuri, we understand that most web professionals and web agencies ultimately need to make their clients part of the decision-making process for choosing to secure their sites.
Overall, website security sounds like a good thing, but how do you position the value of Sucuri’s website security to clients who don’t know (or even care to know) the specifics behind what website security would offer them?
Why is Website Security Important?
Many clients will ask why they should care about website security.
Continue reading Sucuri Can Help Secure Your Client Websites at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/sucuri-can-help-secure-your-client-websites.html

What Hackers Do After Gaining Access to a Website

A hack or cyber attack is the act of maliciously entering, taking control over, or manipulating by force a web application, server, or file that belongs to someone else.
Cyber attacks will:

modify files,
retrieve information,
insert commands or scripts,
change the way your website and Google Search Results look to visitors.

What Do Hackers Do?
Here are brief descriptions of the most common cyber attacks we see performed by hackers.
Continue reading What Hackers Do After Gaining Access to a Website at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/what-hackers-do-after-gaining-access-to-a-website.html

How to Create a Website Maintenance Plan & Contract

In my years of experience working alongside agencies, I’ve realized that managed providers and other web pros who offer website maintenance to their clients have a hard time convincing them of the value of managed services.
It’s a common mindset. Much like the homeowner who is unwilling to invest in a rock solid insurance policy or an uninsured car owner who gets insurance after a reckless driver rams into the back of it.
Continue reading How to Create a Website Maintenance Plan & Contract at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/create-website-maintenance-plan.html

Trolldesh Ransomware Dropper

Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors.
The malware often uses a PHP file that acts as a delivery tool for downloading the host malware dropper:
hxxp://doolaekhun[.]com/cgi-bin/[redacted].php
This type of infected URL is usually spread through malicious emails or through services like social media.
Malicious “JSC Airline” JScript File
Once a victim clicks the URL and loads it, a JScript file downloads to the victim’s computer.
Continue reading Trolldesh Ransomware Dropper at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/trolldesh-ransomware-dropper.html

Magento Skimmers: From Atob to Alibaba

Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this:
It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively.
The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in Group-IB’s report.
Continue reading Magento Skimmers: From Atob to Alibaba at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/magento-skimmers-from-atob-to-alibaba.html

Autoloaded Server-Side Swiper

Front-end JavaScript-based credit card stealing malware has garnered a lot of attention within the security community. This makes sense, since the “swipers” can be easily detected by simply scanning the web pages of e-commerce sites.
However, this isn’t the only way to steal payment details and sensitive user information from compromised sites. Server-side swipers are almost as prevalent as client-side ones, and our remediation team removes both types of credit card stealers from compromised websites on a daily basis.
Continue reading Autoloaded Server-Side Swiper at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/autoloaded-server-side-swiper.html

Malicious Plugin Used to Encrypt WordPress Posts

During a recent cleanup, we found an interesting malicious WordPress plugin, “WP Security”, that was being used to encrypt blog post content. The website owner complained of a newly installed and activated plugin on their website that was rendering their original content unreadable.
The plugin encrypted posts with the ‘AES-256-CBC’ method by using the openssl_encrypt function, which made it impossible to decrypt without proper keys. This is the first time we’ve seen a plugin target specific blog posts on a website, but it’s possible that we’ll see this more often in the coming months.
Continue reading Malicious Plugin Used to Encrypt WordPress Posts at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/malicious-plugin-used-to-encrypt-wordpress-posts.html

Neapolitan Backdoor Injection

Most of us are familiar with Neapolitan ice cream: a flavour whose distinguishing characteristic is not one single flavour but several. Many also know it as the ice cream of which your roommate eats all of the chocolate, leaving you with the paltry remains of the notably less popular vanilla and strawberry flavours. While cleaning a WordPress website of malware I recently came across an injection which I think can best be described as Neapolitan.
When attackers compromise a website, in almost all cases one of the first things they do is plant one or more backdoors on it.
Continue reading Neapolitan Backdoor Injection at Sucuri Blog.

Link: https://blog.sucuri.net/2019/08/neapolitan-backdoor-injection.html