
10/9/2017
04:55 PM

SiteLock: Website Attacks Surged 186% in Q2

Websites mostly belonging to small- to midsized firms got hit with more than 60 attacks per day on average, new analysis finds.

Websites belonging to small- to midsized (SMB) businesses experienced an astonishing 63 attacks per day in the second quarter of this year, a study by SiteLock showed.

That number, which extrapolates to some 23,000 attacks annually, represented an increase of 186% over the 22 attacks per day that websites averaged during the same period last year. Automated bots were responsible for more than 85% of these attacks.

Despite the steep increase in attacks, many websites were inadequately protected and site owners instead relied heavily on search engines and third parties, such as Web hosting providers, to alert them about potential security issues and breaches. Four in 10 site owners continued to erroneously believe their hosting provider was responsible for website security, SiteLock found.

SiteLock's report is based on an analysis of data from more than 6 million websites and from a survey of over 20,000 website owners.

"Many website owners are unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised," says Logan Kipp, WordPress evangelist at SiteLock. That sort of alerting typically only happens after a breach has occurred - when it is too late, he says. "Bottom line; website owners need to take proactive secure measures."

The tendency by website owners to rely on search engines and browser-makers to warn about security issues had another downside as well. Browsers correctly flagged only 23% of infected websites in SiteLock's study as being dangerous for visitors. The remaining 77% of infected websites provided no warning to users at all because search engine and browser makers tend to be overly cautious about marking sites as being potentially unsafe, SiteLock said.

For purposes of the study, SiteLock described a website attack as any activity prohibited by administrator-configured security preferences or prohibited by SiteLock's global security rules. Some common examples of activities that were considered a website attack included SQL injection and cross-site scripting attacks, cross-site request forgery (CSRF), and local and remote file inclusion and other common attacks such as those outlined by the Open Web Application Security Project (OWASP).

As has been the case for several years now, many website compromises in Q2 resulted from common, well-known Web application vulnerabilities. SQL injection (SQLi) and cross-site scripting (XSS) errors once again topped the list of most commonly occurring Web application vulnerabilities.

Over 300,000 of the six million-plus websites that SiteLock considered for the survey had either a high-risk SQL injection bug or a high-risk XSS issue. On average, a website with an SQLi vulnerability had 20 vulnerable URLs across its site, while those with XSS flaws averaged 74 vulnerable URLs site-wide. The survey's results suggest that there may be as many as 90 million websites worldwide that have similar issues.

The numbers are especially significant because they pertain only to high-risk SQLi and XSS flaws of the sort that can be detected quickly, SiteLock said.

CMS Mess

SiteLock's analysis also showed that a website's content management system had an impact on overall security. Websites running Joomla, for instance, tended to be more than twice as vulnerable to attacks compared to websites running WordPress or Drupal. Nearly one in five of the sites running Joomla had a version that stopped receiving security updates as many as five years ago.

"One of the reasons that Joomla websites demonstrated an elevated risk profile in our analysis was the low adoption rate for updates we observed in the sample," Kipp says. "The largest single version subgroup for Joomla was those running v1.5, which has not been supported since September of 2012, and demonstrated an infection rate of 6.31%," he says.

Interestingly, even when a CMS had the latest security updates, it often ended up being vulnerable because of buggy plugins. This was especially true in the case of WordPress, which supports the ability to integrate a wide variety of third-party plugins, SiteLock said in its report. Some 44% of those plugins had not been updated for over a year at the time that SiteLock was doing its report. Not surprisingly, nearly 7 in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

The SiteLock analysis also showed that websites infected with spam generally tend to have a lot more infected files compared to other websites. In Q2 2017, spam-infested websites averaged some 1,967 malware-infested files: 62% of which consisted of spam; 23%, backdoors; and 8%, malicious redirects.

"Spam infections are notorious for dumping a lot of files into websites," Kipp says. Only eight percent of the total infected websites in the SiteLock study contained spam. Even so, spam accounted for 62% of all the infected files that SiteLock discovered.

"This means that spam infections are characteristically much more disruptive in terms of their scope of impact with regard to file structure," he says. "For example, your average infected website may only have a handful of files directly impacted by malware, but spam infections may create hundreds or thousands of files and directories, making them one of the noisier infection types."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
