Our Malware Research and Incident Response teams work diligently around the clock to identify and stay ahead of the website security threat landscape—and we’re dedicated to sharing our knowledge and publishing our findings.
In the spirit of security education, we’ve curated a selection of our most popular posts and discoveries from June to help you protect your website.
Why your website’s SEO makes it a target for attackers
Sucuri eats, sleeps and breathes website security. We deal with thousands of hacked sites every day, and one of the most common attack scenarios we see is the spam infection.
When a website is infected with spam for a long enough period, search authorities like Google or Bing commonly blacklist them from their search results or display warnings that the site may be hacked. This can have a significant impact on a website’s traffic – and ability to generate revenue from organic traffic.
Even small sites make attractive targets for bad actors.
Website owners who think their small site makes them less of a target may be surprised to find out that factors like website size don’t contribute to the likelihood of a website being targeted for malicious spam campaigns. In this post, we explain why.
So, what does a spam infection look like?
Spam content can come in a variety of shapes and sizes, but typically includes spam links to legitimate pages or doorways that redirect web searchers to spam sites.
From a visitor’s perspective, spam keywords often appear in search results and web pages. Discount fashion, pharmaceutical, and gambling are among the most common types of SEO spam. It’s not uncommon for spammers to create tens of thousands of pages on your site in order to rank for their keywords.
Why would attackers target my small site?
When a bad actor injects malicious spam on a website, they usually link back to a website to promote their clients’ content.
After a website is created, it starts to accrue domain authority and pagerank. New websites become relevant to search engines a few months after creation, which is around the time that they become attractive to attackers.
Another common reason for an attacker to target your site is to increase your spam score, which indirectly promotes another website. They may also leverage your website to redirect web searchers with doorway links.
How do I avoid spam infections?
We’ve got a few simple recommendations for you to mitigate the risk of a website spam infection:
- Keep your CMS and software up-to-date.
- Remove unused third-party components (like plugins and themes).
- Choose strong passwords and change them regularly.
- Use a password manager.
Why do hackers hack?
When a website gets hacked, a natural question that often comes up for website owners is, “Why was my site targeted?”
It may feel deeply personal for a website owner — but in the majority of cases, these attacks are actually opportunistic and based purely on automation.
Automation is key in today’s website attacks.
In fact, bad actors aren’t always so fussy about what kind of business you’re running, who your customers are, or how much traffic you’re getting. Instead, their motivations are centered around a few main areas: resources or financial gain.
When an attacker targets a website for its resources, they’re looking to leverage assets like your server, pagerank and domain authority — or simply add your site to a large-scale malware campaign. The actual target might even be another website on your host or shared server.
Some examples of exploits that fall under the resource category include SEO spam, pharma spam, and defacements.
Bad actors frequently seek out vulnerable websites for valuable data such as credit card information, contact information, and login credentials like usernames and passwords.
Examples of how this data is used include selling the information for a profit on the darknet, generating advertising revenue, or maintaining access to websites to collect personal information.
Sometimes, an attacker will hack a website just to prove that they can. Or, they might build their reputation and campaigns by obtaining valuable information from compromised websites.
Website reinfections from FTP passwords
Logs are extremely valuable for website owners. While reviewing a website’s logs may seem like a daunting task for some users, they keep an important record of what actions have been performed on a website, and by whom.
Typical log entries consist of the following values:
current-time transfer-time remote-host file-size filename transfer-type special-action-flag direction access-mode username service-name authentication-method authenticated-user-id completion-status
This information can be used to identify important details – for example, which username transferred which file through FTP, and at what specific time.
Using FTP logs to determine attack vectors
In a recent investigation, we had access to the logs and were able to perform forensics on a website seeing frequent reinfections.
What we discovered was that while the website was initially compromised on February 7th and cleaned up shortly afterwards, the FTP passwords were not reset. The following week, the website was compromised again and new malware was uploaded.
By using the website logs, we were able to identify which usernames were associated with the initial and subsequent compromises and malicious file uploads.
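As an added example (not Sucuri’s tooling), the following Python script parses FTP transfer log entries in the field layout listed above and reports which usernames completed uploads on days after a given cleanup date; the log lines, hosts and usernames are constructed sample data.

```python
# Added example (not Sucuri's code): parse xferlog-style FTP entries in the
# field layout listed above and list completed uploads per username after a
# cleanup date, as the reinfection investigation describes.
from datetime import datetime

# Constructed sample log: cleanup on Feb 7, new uploads the following week.
SAMPLE_LOG = """\
Mon Feb  5 02:11:43 2018 1 203.0.113.9 4120 /public_html/wp-content/uploads/cache.php b _ i r ftpuser1 ftp 0 * c
Wed Feb  7 14:30:02 2018 3 198.51.100.20 73211 /public_html/wp-content/themes/site/style.css b _ i r webmaster ftp 0 * c
Wed Feb  7 14:35:10 2018 1 198.51.100.20 5210 /public_html/index.php b _ i r webmaster ftp 0 * c
Tue Feb 13 03:48:19 2018 1 203.0.113.9 4120 /public_html/wp-includes/class-db.php b _ i r ftpuser1 ftp 0 * c
Tue Feb 13 03:48:21 2018 1 203.0.113.9 980 /public_html/.htaccess b _ i r ftpuser1 ftp 0 * c
Thu Feb 15 09:02:55 2018 0 192.0.2.77 1200 /public_html/readme.html b _ o r webmaster ftp 0 * c
"""

def parse_xferlog_line(line):
    """Split one entry: 5 timestamp tokens, then the 13 fields listed above."""
    parts = line.split()
    if len(parts) < 18:
        return None
    ts = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    f = parts[5:]  # filenames containing spaces would need a smarter split
    return {
        "time": ts,
        "remote_host": f[1],
        "filename": f[3],
        "direction": f[6],    # i = upload to the server, o = download
        "username": f[8],
        "completion": f[12],  # c = complete, i = incomplete
    }

def uploads_after(log_text, cleanup_date):
    """Map username -> [(time, remote_host, filename)] for completed uploads on days after cleanup_date (YYYY-MM-DD)."""
    cutoff = datetime.strptime(cleanup_date, "%Y-%m-%d").date()
    result = {}
    for line in log_text.splitlines():
        e = parse_xferlog_line(line)
        if e is None or e["direction"] != "i" or e["completion"] != "c":
            continue
        if e["time"].date() <= cutoff:
            continue
        result.setdefault(e["username"], []).append(
            (e["time"], e["remote_host"], e["filename"]))
    return result

if __name__ == "__main__":
    for user, items in uploads_after(SAMPLE_LOG, "2018-02-07").items():
        print(f"{user}: {len(items)} upload(s) after cleanup")
        for ts, host, path in items:
            print(f"  {ts:%Y-%m-%d %H:%M:%S} from {host}: {path}")
```

On the sample data the only account uploading after the February 7th cleanup is ftpuser1, which is the credential that should have been reset.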
If your website has been compromised, we strongly encourage site administrators to reduce the risk of a website reinfection by practicing good password hygiene.