Top website security posts by Sucuri – April 2019

A monthly roundup of website security posts.

Our Malware Research and Incident Response teams work around the clock to identify emerging threats — and we’re proud to share our knowledge and findings with the community.

We’ve gathered a few of our most popular posts from April to educate you about the latest trends and tips in website security.

What is geolocation?

Let’s look at how we can find a person’s physical location by examining their IP address. This jumble of dots and numbers can yield the following information:

  • Country
  • Region, state or province
  • Latitude and longitude
  • Time zone
  • City
  • Postal code
  • Issuing Authority, which may differ from location of the IP

What do people use geolocation for?

It’s commonly used for marketing and advertising, but services like Netflix also use geolocation to enforce their policies. That’s why some people opt to use a VPN service, which replaces a person’s IP with a proxy — nulling attempts at geolocation.

Geolocation and IP addresses

Today, there are billions of IP addresses, and that makes it tough to keep track of their owners. An IP address owned by a U.S. company could transfer to a Chinese entity overnight. There are services that test the accuracy of IP addresses, but they aren’t considered to be a bulletproof solution.

GeoBlocking and GeoFencing

GeoBlocking prevents a specific region from being able to access a website. GeoFencing permits or restricts connections, like Netflix does to prevent some content from being viewed outside the U.S.

IPv6 vs IPv4

IPv6 is replacing IPv4 due to a dearth of available addresses on the old standard. IPv6 uses a 128-bit address, rather than the older 32 bits, to increase the number of available addresses.

Read more from the original post by Dutch Hill

Web Skimmer with a Domain Name Generator

We recently noticed a credit card skimmer that used a fairly typical approach — except for one unique detail. It used a common method by loading code from qr201346[.]pw, and then sending stolen data to hxxps://gooogletagmanager[.]online/get.php.

However, instead of a predefined domain, the skimmer generates domain names based on the current date.

Malicious Domains Generated for 2020

We uncovered the skimmer’s algorithm, and then used it to generate domains we expect this malware will be using for the rest of 2020.

  • March qr201010[.]pw
  • April qr201346[.]pw
  • May qr202284[.]pw
  • June qr202960[.]pw
  • July qr202754[.]pw
  • August qr201854[.]pw
  • September qr201089[.]pw
  • October qr201161[.]pw
  • November qr202004[.]pw
  • December qr202844[.]pw

All of these domains were registered on the same date within one minute by a user with the email All domains point to the same server in Russia.

Domain Generating Algorithms in Website Malware

The strategy of generating random domains to deliver malware isn’t new. Rather, it’s a common practice to stay ahead of search engine blocklists. The new element we’re seeing is the use of dynamic algorithms in web skimmers.


Industry reports note a 26% increase in malware that steals credit card data. It’s become even more profitable with more people doing their shopping from home. Measures like integrity control, monitoring and a website firewall go a long way in thwarting these attacks.
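As a monitoring aid, the following added example (not code from the original post or from Sucuri) scans a page's HTML for references to the loader and exfiltration domains listed above. The `qr` + six digits + `.pw` shape check is an assumption drawn from the listed names, and all function names are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators copied from the post (defanged there, refanged here for matching).
LISTED = """qr201010[.]pw qr201346[.]pw qr202284[.]pw qr202960[.]pw qr202754[.]pw
qr201854[.]pw qr201089[.]pw qr201161[.]pw qr202004[.]pw qr202844[.]pw
gooogletagmanager[.]online""".split()
KNOWN = {d.replace("[.]", ".") for d in LISTED}
# Assumption: every listed loader domain has the shape qr + six digits + .pw,
# so that shape is flagged as "suspect" even when the exact name is unlisted.
SHAPE = re.compile(r"^qr\d{6}\.pw$")
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""", re.I)

class _Collector(HTMLParser):
    """Collect URLs from src/href attributes and from inline script text."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]
    def handle_data(self, data):
        self.urls += URL_RE.findall(data)

def classify(host):
    """Return 'known', 'suspect' or None for a hostname."""
    host = host.lower().rstrip(".")
    if host in KNOWN:
        return "known"
    return "suspect" if SHAPE.match(host) else None

def scan_html(html):
    """Return sorted (host, verdict) pairs for flagged hosts in the page."""
    collector = _Collector()
    collector.feed(html)
    hits = set()
    for url in collector.urls:
        try:
            host = urlsplit(url if "//" in url else "//" + url).hostname or ""
        except ValueError:  # malformed URL, nothing to classify
            continue
        verdict = classify(host)
        if verdict:
            hits.add((host.lower(), verdict))
    return sorted(hits)

# Constructed sample page (not from the post): one listed loader, one look-alike.
SAMPLE = ('<script src="https://qr201346.pw/a.js"></script>'
          '<script>var u="//QR209999.pw/x";</script><img src="/logo.png">')
```

Run `scan_html` over rendered pages or stored templates on a schedule; a "suspect" verdict is a lead for manual review, not proof of infection.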

Read more from the original post by Denis Sinegubko

Analyzing & Decrypting L4NC34’s Simple Ransomware

We often hear about computers impacted by ransomware, but rarely do we see websites affected by it. This is especially significant when the website is the main source of revenue for its owner.

When we think about ransomware, we usually associate it with very complex methods for encrypting the target site and huge demands for money. Well, this one is different.

L4NC34 Ransomware: The $10 Request

We recently uncovered a case where the ransom note wasn’t an HTML or .txt file, but inside a PHP file. Stranger still was the surprisingly cheap ransom — a mere $10. We dug into the code, and found the infection was pretty easy to reverse.

Investigating Bitcoin Wallet Transactions

Why would anyone pay a ransom when the infection was so easy to clean? We had the attacker’s bitcoin wallet address, so we took a look to see how many victims were paying up. Turns out, nobody had. We hope that means everyone was able to clean the infection without paying the ransom.


While this was a relatively benign example, ransomware in the U.S. alone accounted for $7.5 billion in total expenses last year. This financial incentive will likely cause security companies to pivot toward addressing this very lucrative type of attack.

Read more from the original post by Cesar Anjos


Art Martori
Art Martori thinks words are like chess pieces. While checkers might be more appropriate for the analogy, he’s aided by years of professional writing experience via mediums including content strategy, journalism and fiction. When he’s not typing on a keyboard, find Art strumming the 12-bar blues.