Top website security posts by Sucuri – November 2019
At Sucuri, our Malware Research and Incident Response teams are always on the hunt for new malware. To help make the internet a safer place, we regularly share our knowledge and findings.
Please take a moment to learn from our most popular posts published in November and strengthen your own website security.
Why reinfections happen with a WAF
A web application firewall is a great way to detect and filter malicious requests to your website environment — but websites can still be hacked from the inside.
One infected site on a shared server can spread an infection to other sites within the shared environment. In fact, a single unprotected site can lead to an extremely large infection across multiple websites.
A pitfall here is implementing a WAF for the primary website but failing to apply the same measure to “less important” websites in subdirectories (e.g., ~/public_html/otherdomain.tld).
However, you can put each website under its own cPanel account to prevent cross-site contamination.
Weak Passwords and Dictionary Attacks
Brute force / dictionary attacks occur when attackers target non-HTTP/S services like FTP or SSH to compromise weak passwords.
A brute force attack can take only a few minutes before an attacker gains unauthorized access to accounts.
Malicious users also target services like FTP because they are independent of the HTTP/S service: the attack goes straight to the server’s hostname or IP address rather than to the website address that sits behind the WAF.
How to prevent website reinfections
Audit the services your web server runs to harden its security. Even minor settings help: change the default SSH port from 22 to something else, or disable the FTP service altogether.
You might need root access, but any hosting plan should let you audit existing FTP and SSH users — remove any that are not needed.
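As an added example (not code from the Sucuri post), here is a quick check of the two things the post says to audit: the SSH port and which accounts can actually log in. It parses text, so it runs on the constructed samples below or on the contents of a real /etc/ssh/sshd_config and /etc/passwd.

```python
"""Added example, not code from the Sucuri post: report the SSH listening port(s)
and the accounts whose login shell permits an interactive session."""

NO_LOGIN_SHELLS = ("/nologin", "/false")  # shells that refuse an interactive login


def ssh_ports(sshd_config):
    """Ports sshd listens on per the config text; OpenSSH allows several 'Port'
    lines and defaults to [22] when none is set. Reading stops at the first
    Match block, where Port is not a valid directive."""
    ports = []
    for line in sshd_config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "port" and len(parts) > 1 and parts[1].isdigit():
            ports.append(int(parts[1]))
    return ports or [22]


def login_accounts(passwd):
    """Usernames whose login shell allows an interactive session; these are the
    accounts a weak password would expose over SSH or FTP."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(NO_LOGIN_SHELLS):
            users.append(fields[0])
    return users


def audit(sshd_config, passwd):
    """Summarise the findings a quick hardening review would report."""
    ports = ssh_ports(sshd_config)
    return {"ssh_ports": ports, "ssh_on_default_port": 22 in ports,
            "login_accounts": login_accounts(passwd)}


# Constructed sample files (not from a real server).
SAMPLE_SSHD_CONFIG = "# Port 22\nPort 2222\nPermitRootLogin no\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "olddev:x:1001:1001:Former contractor:/home/olddev:/bin/bash\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD))
```

In the sample, the stale `olddev` account is exactly the kind of leftover login the post says to remove.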
Read more from the original post by Luke Leal.
How to recognize a phishing campaign
Check our blog and you’ll find plenty of posts tagged with “phishing.” We’ve acquired a great deal of experience with this shady practice — our first publicly documented phishing blog post was over 9 years ago.
What is phishing?
Phishing is a fraudulent attempt to trick victims into revealing sensitive personal information or credentials. Phishing lures are often disguised as a trustworthy entity or recognizable brand, and can come as either targeted or untargeted acts.
Signs of a phishing attack
New methods of phishing continually pop up — but once you know what to look for, they get easier to spot.
Genuine-looking but odd requests
Messages that appear to be from a real financial institution, coworker, or website can get you to lower your guard. Don’t.
Phishing attempts often come from spoofed email addresses or phone numbers that appear genuine, such as email@example.com or firstname.lastname@example.org. Always double-check the domain to ensure that it’s genuine.
Fast action required
A sense of urgency might bully you into a quick decision, where you’re more likely to follow shady instructions like opening a scammy link or attachment.
If you’re feeling rushed to perform an action, take a moment to check your sources before following any links or opening attachments.
Unusual or odd-looking requests
Sometimes, phishing attempts come in the form of highly targeted campaigns. For example, an attacker pretending to be your coworker or boss might write in a different style, with typos, an unusual tone, or unfamiliar signature elements.
When something looks a bit odd, double-check with your contact to verify that they sent the message — preferably using a secure communication channel.
No signs of phishing detected
If an attacker hacks or spoofs your boss’s email, they might include correct details to mislead you. Always verify that requests for sensitive information are genuine, preferably through a different communication channel.
Read more from the original post by Antony Garand.
Ecommerce security threats for the holidays
Online transactions are fast eclipsing traditional in-store purchases, and Black Friday and Cyber Monday are morphing into a shopping frenzy. Online holiday sales for 2018 reached a record ~$7.9 billion, nearly 20% more than the previous year.
Emerging ecommerce threats
As we roll into the 2019 holiday season, retailers and consumers should stay informed of emerging threats and trending ecommerce malware.
Buy online, pick up in store (BOPIS) lets customers buy online and pick up purchases at a brick-and-mortar location. These transactions are classified as card-not-present, leaving retailers liable.
CNP vs CP liability
There’s a critical difference between card-present and card-not-present transactions, and that’s key to determining who is liable for fraudulent charges.
A practice called shimming allows data from EMV payment cards to be used in card-not-present transactions: once scammers steal information from cards with EMV chips, they use it in card-not-present fraud.
E-skimming uses malicious code that activates only in certain scenarios, such as on a checkout page. The code captures the data customers enter and relays it to the attacker in real time.
How e-skimming works
E-skimmers often use a domain name that appears legitimate, making them difficult to detect. Attackers also favor cloaking techniques; for example, an e-skimmer might not load at all if it detects that the browser’s developer tools are open.
It’s become such a serious threat that the FBI and US-CERT released a warning for the 2019 holiday season.
Phishing takes many shapes and forms, but the most commonly used are email, SMS, and apps like Facebook or Instagram.
A closer look at phishing emails
Spam and phishing filters are now much better at calling out shady emails, but they don’t always move them to the junk folder.
Attackers often count on victims skimming the email, becoming alarmed by the subject matter, and taking the desired action without paying close attention to the source or thinking through the fraudulent request.
What happens to stolen information?
Stolen information is often resold to other fraudsters through various forums, Discord channels, or darknet marketplaces.
How to spot check phishing emails
To spot-check phishing emails, go to the legitimate website directly instead of clicking any HTML buttons or links in the email — attackers often conceal phishing URLs behind redirects. Campaigns might even abuse legitimate services that allow redirects.
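The two tells described above, a link whose visible text names one domain while the href goes elsewhere, and a redirect that hides the real destination in a query parameter, can be checked mechanically. This is an added example, not code from the Sucuri post; the list of redirect parameter names and the sample email body are assumptions constructed for it.

```python
"""Added example, not code from the Sucuri post: flag email links whose visible text
shows one domain but whose href goes elsewhere or nests a URL in a redirect parameter."""
import re
from urllib.parse import parse_qs, urlparse

REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "target", "u"}  # assumed
DOMAIN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def shown_host(text):
    """Hostname a reader would infer from link text that looks like a URL, else ''."""
    m = DOMAIN_TEXT.fullmatch(text.strip())
    return m.group(1).lower() if m else ""


def nested_target(href):
    """URL hidden in a redirect-style query parameter of href, or ''."""
    for name, values in parse_qs(urlparse(href).query).items():
        if name.lower() in REDIRECT_PARAMS:
            for v in values:
                if v.lower().startswith(("http://", "https://")):
                    return v
    return ""


def suspicious_links(html):
    """(visible text, href, reason) for links a reader should check by hand."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop tags inside the anchor
        hidden, shown = nested_target(href), shown_host(text)
        if hidden:
            findings.append((text, href, "redirects to " + host_of(hidden)))
        elif shown and shown != host_of(href):
            findings.append((text, href, f"text shows {shown} but link goes to {host_of(href)}"))
    return findings


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = (
    '<p>Your account is locked. Visit <a href="https://login.example-bank.com.attacker.example/">'
    'https://login.example-bank.com</a> or <a href="https://t.example.net/click?url=https://attacker.example/v">'
    'Verify now</a>. Help: <a href="https://www.example.com/help">www.example.com/help</a></p>'
)
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine help link alone.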
Other methods of phishing include vishing (phishing via phone). KrebsOnSecurity did a great job breaking down the topic, which you can check out here.