Threat actors are pivoting away from noisy website attacks to campaigns that are quieter and designed to remain undetected for as long as possible.
Instead of website defacements and SEO spam, attackers are increasingly targeting websites to install backdoors and other stealthy malware, according to a new study by SiteLock.
The security vendor analyzed some 7 million websites worldwide and discovered that adversaries have sharply ramped up attacks on websites over the past year. The company found that typical websites experience about one attack every 15 minutes, or 94 attacks per day on average. Each website was visited by as many as 2,608 automated bots per week on average. Attacks on websites jumped 52% over the previous year, according to SiteLock.
Sixty-five percent of websites that were infected with malware contained a backdoor, 48% contained filehacker malware, and 22% contained a malicious eval function for executing malware. Other common indicators of malicious activity on websites included the presence of shell scripts in 22% of sites and functions for injecting malicious code in 21% of the sites.
In contrast, SiteLock discovered evidence of noisier attacks, such as cryptomining software, on less than 1% of the sites it analyzed, SEO spam on 5% of them, and signs of defacement on 6% of the sites in the study.
"The main takeaway from our '2020 Annual Security Review' is hackers are becoming increasingly sophisticated and are turning to methods that can go undetected and deliver the biggest payout," says Neill Feather, chief innovation officer and co-founder at SiteLock. For organizations, the trend highlights the need for regular website updates, strong passwords, and multifactor authentication as well as the need to uninstall unused plug-ins, he says.
SiteLock found that sites using WordPress were three times more likely to have malware on them than all other sites. Eighteen percent of WordPress sites were found to contain at least one vulnerability; the most common among them are SQL injection flaws, cross-site scripting (XSS), and cross-site request forgery (CSRF).
The number of WordPress plug-ins that a site used had a direct impact on its security posture. Sites that used 6–10 plug-ins had a three times higher risk of getting compromised than sites that did not use a WordPress plug-in. Sites with 20 or more plug-ins were seven times more likely to get compromised.
"The more plug-ins or extensions a website has, the more potential entry points for hackers," Feather says. This is especially true when plug-ins are out of date and have new vulnerabilities discovered in them. "Each old plug-in on a website increases the chances of [it] being hacked," he says. "For every five plug-ins you add to your site, you nearly double the risk of getting compromised."
Extrapolating from its survey data, SiteLock estimated that about one out of every 100 websites worldwide (12.8 million sites) is infected with at least one malware sample. SiteLock also found that sites it deemed high risk were 24 times more likely to have malware than low-risk sites.
According to Feather, SiteLock classifies websites as being low, medium, or high risk based on three main factors. The first is website complexity, such as the size of the website and whether it uses a database to store customer data. The second factor is website popularity, which includes site traffic and social media presence. The third factor is site composition, such as the software used to create a website. "The best way for website owners to protect their sites is to regularly run a Web vulnerability scanner and ensure that security is kept up to date, ideally through automated patching," Feather says.
A newly released Risk Based Security report on data breaches during the first quarter of 2020 showed that Web-related breaches represented only a relatively small proportion of the overall number of data breaches in that period. Even so, Web breaches accounted for a substantially higher number of records compromised compared with hacking-related breaches and other intrusions.
Approximately 90% of the staggering 8.4 billion records exposed in the first quarter resulted from Web breaches. The records exposed included everything from email addresses and passwords to financial data, bank account data, health information, and Social Security numbers.