10/9/2017
04:55 PM
SiteLock: Website Attacks Surged 186% in Q2

Websites mostly belonging to small- to midsized firms got hit with more than 60 attacks per day on average, new analysis finds.

Websites belonging to small- to midsized (SMB) businesses experienced an astonishing 63 attacks per day in the second quarter of this year, a study by SiteLock showed.

That number, which extrapolates to some 23,000 attacks annually, represented an increase of 186% over the 22 attacks per day that websites averaged during the same period last year. Automated bots were responsible for more than 85% of these attacks.

Despite the steep increase in attacks, many websites were inadequately protected and site owners instead relied heavily on search engines and third parties, such as Web hosting providers, to alert them about potential security issues and breaches. Four in 10 site owners continued to erroneously believe their hosting provider was responsible for website security, SiteLock found.

SiteLock's report is based on an analysis of data from more than 6 million websites and from a survey of over 20,000 website owners.

"Many website owners are unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised," says Logan Kipp, WordPress evangelist at SiteLock. That sort of alerting typically only happens after a breach has occurred - when it is too late, he says. "Bottom line; website owners need to take proactive secure measures."

The tendency by website owners to rely on search engines and browser-makers to warn about security issues had another downside as well. Browsers correctly flagged only 23% of infected websites in SiteLock's study as being dangerous for visitors. The remaining 77% of infected websites provided no warning to users at all because search engine and browser makers tend to be overly cautious about marking sites as being potentially unsafe, SiteLock said.

For purposes of the study, SiteLock described a website attack as any activity prohibited by administrator-configured security preferences or prohibited by SiteLock's global security rules. Common examples of activities counted as a website attack included SQL injection, cross-site scripting, cross-site request forgery (CSRF), local and remote file inclusion, and other common attacks such as those outlined by the Open Web Application Security Project (OWASP).

As has been the case for several years now, many website compromises in Q2 resulted from common, well-known Web application vulnerabilities. SQL injection (SQLi) and cross-site scripting (XSS) errors once again topped the list of most commonly occurring Web application vulnerabilities.

Over 300,000 of the six million-plus websites that SiteLock considered for the survey had either a high-risk SQL injection bug or a high-risk XSS issue. On average, a website with an SQLi vulnerability had 20 vulnerable URLs across the site, while those with XSS flaws averaged 74 vulnerable URLs site-wide. The survey's results suggest that there may be as many as 90 million websites worldwide that have similar issues.

The numbers are especially significant because they pertain only to high-risk SQLi and XSS flaws of the sort that can be detected quickly, SiteLock said.

CMS Mess

SiteLock's analysis also showed that a website's content management system had an impact on overall security. Websites running Joomla, for instance, tended to be more than twice as vulnerable to attacks compared to websites running WordPress or Drupal. Nearly one in five of the sites running Joomla had a version that stopped receiving security updates as many as five years ago.

"One of the reasons that Joomla websites demonstrated an elevated risk profile in our analysis was the low adoption rate for updates we observed in the sample," Kipp says. "The largest single version subgroup for Joomla was those running v1.5, which has not been supported since September of 2012, and demonstrated an infection rate of 6.31%," he says.

Interestingly, even when a CMS had the latest security updates, it often ended up being vulnerable because of buggy plugins. This was especially true in the case of WordPress, which supports the ability to integrate a wide variety of third-party plugins, SiteLock said in its report. Some 44% of those plugins had not been updated for over a year at the time that SiteLock was doing its report. Not surprisingly, nearly 7 in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

The SiteLock analysis also showed that websites infected with spam generally tend to have a lot more infected files compared to other websites. In Q2 2017, spam-infested websites averaged some 1,967 malware-infested files: 62% of which consisted of spam; 23%, backdoors; and 8%, malicious redirects.

"Spam infections are notorious for dumping a lot of files into websites," Kipp says. Only eight percent of the total infected websites in the SiteLock study contained spam. Even so, spam accounted for 62% of all the infected files that SiteLock discovered.

"This means that spam infections are characteristically much more disruptive in terms of their scope of impact with regard to file structure," he says. "For example, your average infected website may only have a handful of files directly impacted by malware, but spam infections may create hundreds or thousands of files and directories, making them one of the noisier infection types."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
