Top website security posts by Sucuri – November 2019

Products mentioned
A monthly round-up of website security topics.

At Sucuri, our Malware Research and Incident Response teams are always on the hunt for new malware. To help make the internet a safer place, we regularly share our knowledge and findings.

Please take a moment to learn from our most popular posts published in November and strengthen your own website security.

 


Why reinfections happen with a WAF

A web application firewall is a great way to detect and filter malicious requests to your website environment — but websites can still be hacked from the inside.

Cross-site contamination

One infected site on a shared server can spread an infection to other sites within the shared environment. In fact, a single unprotected site can lead to an extremely large infection across multiple websites.

It takes only one unprotected website to cause a massive hack.

 

A pitfall here is implementing a WAF for the primary website, but failing to apply the same measure for “less important” websites in subdirectories (e.g ~/public_html/otherdomain.tld).

One infected website can bypass the WAF, as HTTP/S isn’t required for access to the primary website’s files and database once malware has infected the user’s directory/subdirectories. A WAF isn’t designed to mitigate malware that already exists in the file system.

However, you can put each website under its own cPanel account to prevent cross-site contamination.

Weak Passwords and Dictionary Attacks

Brute force / dictionary attacks occur when attackers target non-HTTP/S services like FTP or SSH to compromise weak passwords.

A brute force attack can take only a few minutes before an attacker gains unauthorized access to accounts.

Malicious users also target services like FTP, as they’re independent of the HTTP/S service, instead targeting the server’s hostname or IP address rather than a website address behind the WAF.

Sample dictionary/brute force attack
A Sample of a dictionary attack targeting the root user on the SSH service taken from /var/log/secure log file.

How to prevent website reinfections

Audit services used by your web server to harden security. Tweak minor settings like the default SSH port and change it to something other than 22. You could even disable the FTP service altogether.

You might need root access, but any hosting plan should let you audit existing FTP and SSH users — remove any that are not needed.

Read more from the original post by Luke Leal.

 


How to recognize a phishing campaign

Check our blog and you’ll find plenty of posts tagged with “phishing.”  We’ve acquired a great deal of experience with this shady practice — our first publicly documented phishing blog post was over 9 years ago.

What is phishing?

Phishing is a fraudulent attempt to trick victims into revealing sensitive personal information or credentials. Phishing lures are often disguised as a trustworthy entity or recognizable brand, and can come as either targeted or untargeted acts.

Signs of a phishing attack

New methods of phishing continually pop up — but once you know what to look for, they get easier to spot.

Genuine-looking but odd requests

Messages that appear to be from a real financial institution, coworker, or website can get you to lower your guard. Don’t.

Phishing attempts are often from spoofed email or phone numbers that appear to be genuine, such as security_bankname@gmail.com or important@bankk.com. Always double-check the domain to ensure that it’s genuine.

Fast action required

A sense of urgency might bully you into a quick decision, where you’re more likely to follow shady instructions like opening a scammy link or attachment.

If you’re feeling rushed to perform an action, take a moment to check your sources before following any links or opening attachments.

Unusual or odd-looking requests

Sometimes, phishing attempts come in the form of highly-targeted campaigns. For example, if an attacker pretends to be your coworker or boss, they might use a different writing style that includes typos, different tones or writing styles, or unusual signature elements.

When something looks a bit odd, double-check with your contact to verify that they sent the message — preferably using a secure communication channel.

No signs of phishing detected

If an attacker hacks or spoofs your boss’ email, they might send correct data to mislead you. It’s always best to verify the requests for sensitive information are genuine, preferably by using a different communication channel.

Phishing attempts can come in all shapes and sizes — and many targeted attacks are extremely advanced.

 

Read more from the original post by Antony Garand.

 


Ecommerce security threats for the holidays

Online transactions are fast eclipsing traditional in-store purchases, and Black Friday and Cyber Monday are morphing into a shopping frenzy. The number of online holiday sales for the 2018 was a record ~$7.9 billion, a nearly 20% increase over the last year.

Emerging ecommerce threats

As we roll into the 2019 holiday season, retailers and consumers should stay informed of emerging threats and trending ecommerce malware.

BOPIS fraud

Buy online, pick up in store (BOPIS) lets customers buy online and pick up purchases at brick-and-mortar location. These transactions are classified as card-not-present, leaving retailers liable.

CNP vs CP liability

There’s a critical difference between card-present and card-not-present transactions, and that’s key to determining who is liable for fraudulent charges.

Because retailers who offer BOPIS are liable for fraudulent transactions, strong authentication processes are essential.

 

A practice called shimming allows EMV payment cards to be used in card-not-present transactions. When scammers steal information from cards with EMV chips, they can use stolen data in scams involving card-not-present transactions.

E-skimming

E-skimming uses malicious code during for certain scenarios, such as only on a checkout page. The code captures and relays stolen data to the hacker as customers enter it in real time.

How e-skimming works

E-skimmers often use a domain name that appears to be legitimate, making them difficult to detect. Cloaking techniques are also favored by hackers; an example of this could be not loading an e-skimmer if developer tools are detected open in the browser

We’ve been following e-skimmers targeting Magento websites for years, but in 2019 the most common malware for ecommerce theft were variants of this Javascript e-skimmer.

Malicious Javascript credit Card Stealer
This e-skimmer can obfuscate itself by loading from fake, legitimate-looking domain names.

It’s become such a serious threat that the FBI and US-CERT released a warning for the 2019 holiday season.

Phishing

Phishing takes many shapes and forms, but the most commonly used are email, SMS, and apps like Facebook or Instagram.

A closer inspection at phishing emails

Spam and phishing filters are now much better at calling out shady emails, but they don’t always move them to the junk folder.

Attackers often count on victims skimming email content, becoming alarmed by the subject matter, and taking the desired action without paying close attention to the source of thinking through the fraudulent request.

What happens to stolen information?

Stolen information is often resold to other fraudsters through various forums, Discord channels, or darknet marketplaces.

Stolen Credit Card Information
Stolen credit card information for sale.

How to spot check phishing emails

To spot check phishing emails, go to the legitimate website instead clicking any HTML buttons or links in the email — attackers often conceal phishing URLs behind redirects. Campaigns might even abuse legitimate services that allow redirects.

Other methods of phishing include vishing (phishing via phone). KrebsOnSecurity did a great job breaking down the topic, which you can check out here.

Read more from the original post by Luke Leal.