SiteLock: Website Attacks Surged 186% in Q2

Websites mostly belonging to small- to midsized firms got hit with more than 60 attacks per day on average, new analysis finds.

Websites belonging to small- to midsized businesses (SMBs) experienced an astonishing 63 attacks per day in the second quarter of this year, a study by SiteLock showed.

That number, which extrapolates to some 23,000 attacks annually, represented an increase of 186% over the 22 attacks per day that websites averaged during the same period last year. Automated bots were responsible for more than 85% of these attacks.

Despite the steep increase in attacks, many websites were inadequately protected and site owners instead relied heavily on search engines and third parties, such as Web hosting providers, to alert them about potential security issues and breaches. Four in 10 site owners continued to erroneously believe their hosting provider was responsible for website security, SiteLock found.

SiteLock's report is based on an analysis of data from more than 6 million websites and from a survey of over 20,000 website owners.

"Many website owners are unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised," says Logan Kipp, WordPress evangelist at SiteLock. That sort of alerting typically only happens after a breach has occurred, when it is too late, he says. "Bottom line: website owners need to take proactive secure measures."

The tendency by website owners to rely on search engines and browser-makers to warn about security issues had another downside as well. Browsers correctly flagged only 23% of infected websites in SiteLock's study as being dangerous for visitors. The remaining 77% of infected websites provided no warning to users at all because search engine and browser makers tend to be overly cautious about marking sites as being potentially unsafe, SiteLock said.

For purposes of the study, SiteLock described a website attack as any activity prohibited by administrator-configured security preferences or prohibited by SiteLock's global security rules. Common examples of activities that were considered a website attack included SQL injection, cross-site scripting, cross-site request forgery (CSRF), local and remote file inclusion, and other common attacks such as those outlined by the Open Web Application Security Project (OWASP).

As has been the case for several years now, many website compromises in Q2 resulted from common, well-known Web application vulnerabilities. SQL injection (SQLi) and cross-site scripting (XSS) errors once again topped the list of most commonly occurring Web application vulnerabilities.

Over 300,000 of the six million-plus websites that SiteLock considered for the survey had either a high-risk SQL injection bug or a high-risk XSS issue. On average, a website with an SQLi vulnerability had 20 vulnerable URLs across the site, while those with XSS flaws averaged 74 vulnerable URLs site-wide. The survey's results suggest that there may be as many as 90 million websites worldwide that have similar issues.

The numbers are especially significant because they pertain only to high-risk SQLi and XSS flaws of the sort that can be detected quickly, SiteLock said.

CMS Mess

SiteLock's analysis also showed that a website's content management system had an impact on overall security. Websites running Joomla, for instance, tended to be more than twice as vulnerable to attacks compared to websites running WordPress or Drupal. Nearly one in five of the sites running Joomla had a version that stopped receiving security updates as many as five years ago.

"One of the reasons that Joomla websites demonstrated an elevated risk profile in our analysis was the low adoption rate for updates we observed in the sample," Kipp says. "The largest single version subgroup for Joomla was those running v1.5, which has not been supported since September of 2012, and demonstrated an infection rate of 6.31%," he says.

Interestingly, even when a CMS had the latest security updates, it often ended up being vulnerable because of buggy plugins. This was especially true in the case of WordPress, which supports the ability to integrate a wide variety of third-party plugins, SiteLock said in its report. Some 44% of those plugins had not been updated for over a year at the time that SiteLock was doing its report. Not surprisingly, nearly 7 in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

The SiteLock analysis also showed that websites infected with spam generally tend to have a lot more infected files compared to other websites. In Q2 2017, spam-infested websites averaged some 1,967 malware-infested files, 62% of which consisted of spam; 23%, backdoors; and 8%, malicious redirects.

"Spam infections are notorious for dumping a lot of files into websites," Kipp says. Only eight percent of the infected websites in the SiteLock study contained spam. Even so, spam accounted for 62% of all the infected files that SiteLock discovered.

"This means that spam infections are characteristically much more disruptive in terms of their scope of impact with regard to file structure," he says. "For example, your average infected website may only have a handful of files directly impacted by malware, but spam infections may create hundreds or thousands of files and directories, making them one of the noisier infection types."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
