
Website Attacks Become Quieter & More Persistent

Threat actors have pivoted from noisy attacks to intrusions where stealth and ROI are primary goals, new report says.

Threat actors are pivoting away from noisy website attacks to campaigns that are quieter and designed to remain undetected for as long as possible.

Moving away from website defacements and SEO spam, attackers are increasingly targeting websites to install backdoors and other stealthy malware, according to a new study by SiteLock.

The security vendor analyzed some 7 million websites worldwide and discovered that adversaries have sharply ramped up attacks on websites over the past year. The company found that typical websites experience about one attack every 15 minutes, or 94 attacks per day on average. Each website was visited by as many as 2,608 automated bots per week on average. Attacks on websites jumped 52% over the previous year, according to SiteLock.

Sixty-five percent of websites that were infected with malware contained a backdoor, 48% contained filehacker malware, and 22% contained a malicious eval function for executing malware. Other common indicators of malicious activity on websites included the presence of shell scripts in 22% of sites and functions for injecting malicious code in 21% of the sites.

In contrast, SiteLock discovered evidence of noisier attacks, such as cryptomining software, on less than 1% of the sites it analyzed, SEO spam on 5% of them, and signs of defacement on 6% of the sites in the study.

"The main takeaway from our '2020 Annual Security Review' is hackers are becoming increasingly sophisticated and are turning to methods that can go undetected and deliver the biggest payout," says Neill Feather, chief innovation officer and co-founder at SiteLock. For organizations, the trend highlights the need for regular website updates, strong passwords, and multifactor authentication as well as the need to uninstall unused plug-ins, he says.

SiteLock found that sites using WordPress were three times more likely to have malware on them than all other sites. Eighteen percent of WordPress sites were found to contain at least one vulnerability; the most common among them are SQL injection flaws, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Plug-in Perils
The number of WordPress plug-ins that a site used had a direct impact on its security posture. Sites that used 6–10 plug-ins had a three times higher risk of getting compromised than sites that did not use a WordPress plug-in. Sites with 20 or more plug-ins were seven times more likely to get compromised.

"The more plug-ins or extensions a website has, the more potential entry points for hackers," Feather says. This is especially true when plug-ins are out of date and have new vulnerabilities discovered in them. "Each old plug-in on a website increases the chances of [it] being hacked," he says. "For every five plug-ins you add to your site, you nearly double the risk of getting compromised."

Extrapolating from the data from its survey, SiteLock estimated that about one out of 100 websites (12.8 million sites) worldwide is infected with at least one malware sample. SiteLock discovered that sites it deemed as being high risk were 24 times more likely to have malware than low-risk sites.

According to Feather, SiteLock classifies websites as being low, medium, or high risk based on three main factors. The first is website complexity, such as the size of the website and whether it uses a database to store customer data. The second factor is website popularity, which includes site traffic and social media presence. The third factor is site composition, such as the software used to create a website. "The best way for website owners to protect their sites is to regularly run a Web vulnerability scanner and ensure that security is kept up to date, ideally through automated patching," Feather says.

A newly released Risk Based Security report on data breaches during the first quarter of 2020 showed that Web-related breaches represented only a relatively small proportion of the overall number of data breaches in that period. Even so, Web breaches accounted for a substantially higher number of records compromised compared with hacking-related breaches and other intrusions.

Approximately 90% of the staggering 8.4 billion records that were exposed in the first quarter resulted from Web breaches. Records exposed included everything from email addresses and passwords to financial data, bank account data, health information, and Social Security numbers.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
