Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:50 PM
Connect Directly

Website Attacks Become Quieter & More Persistent

Threat actors have pivoted from noisy attacks to intrusions where stealth and ROI are primary goals, new report says.

Threat actors are pivoting away from noisy website attacks to campaigns that are quieter and designed to remain undetected for as long as possible.

From website defacements and SEO spam, attackers are increasingly targeting websites to install backdoors and other stealthy malware, according to a new study by SiteLock.

The security vendor analyzed some 7 million websites worldwide and discovered that adversaries have sharply ramped up attacks on websites over the past year. The company found that typical websites experience about one attack every 15 minutes, or 94 attacks per day on average.  Each website was visited by as many as 2,608 automated bots per week on average. Attacks on websites jumped 52% over the previous year, according to SiteLock.

Sixty-five percent of websites that were infected with malware contained a backdoor, 48% contained filehacker malware, and 22% contained a malicious eval function for executing malware. Other common indicators of malicious activity on websites included the presence of shell scripts in 22% of sites and functions for injecting malicious code in 21% of the sites.

In contrast, SiteLock discovered evidence of noisier attacks, such as cryptomining software, on less than 1% of the sites it analyzed, SEO spam on 5% of them, and signs of defacement on 6% of the sites in the study.

"The main takeaway from our '2020 Annual Security Review' is hackers are becoming increasingly sophisticated and are turning to methods that can go undetected and deliver the biggest payout," says Neill Feather, chief innovation officer and co-founder at SiteLock. For organizations, the trend highlights the need for regular website updates, strong passwords, and multifactor authentication as well as the need to uninstall unused plug-ins, he says.

SiteLock found that sites using WordPress were three times more likely to have malware on them than all other sites. Eighteen percent of WordPress sites were found to contain at least one vulnerability; the most common among them are SQL injection flaws, cross-site scripting (XSS), and cross-site request forgery (CSRF).

Plug-in Perils
The number of WordPress plug-ins that a site used had a direct impact on its security posture. Sites that used 6–10 plug-ins had a three times higher risk of getting compromised than sites that did not use a WordPress plug-in. Sites with 20 or more plug-ins were seven times more likely to get compromised.

"The more plug-ins or extensions a website has, the more potential entry points for hackers," Feather says. This is especially true when plug-ins are out of date and have new vulnerabilities discovered in them. "Each old plug-in on a website increases the chances of [it] being hacked," he says. "For every five plug-ins you add to your site, you nearly double the risk of getting compromised."

Extrapolating from the data from its survey, SiteLock estimated that about one out of 100 websites (12.8 million sites) worldwide is infected with at least one malware sample. SiteLock discovered that sites it deemed as being high risk were 24 times more likely to have malware than low-risk sites.

According to Feather, SiteLock classifies websites as being low, medium, or high risk based on three main factors. The first is website complexity, such as the size of the website and whether it uses a database to store customer data. The second factor is website popularity, which includes site traffic and social media presence. The third factor is site composition, such as the software used to create a website. "The best way for website owners to protect their sites is to regularly run a Web vulnerability scanner and ensure that security is kept up to date, ideally through automated patching," Feather says.

A newly released Risk Based Security report on data breaches during the first quarter of 2020 showed that Web-related breaches represented only a relatively small proportion of the overall number of data breaches in that period. Even so, Web breaches accounted for a substantially higher number of records compromised compared with hacking-related breaches and other intrusions.

Approximately 90% of the staggering 8.4 billion records that were exposed in the first quarter resulted from Web breaches. Records exposed included everything from email address and passwords to financial data, bank account data, health information, and Social Security numbers.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows remote attackers to read and modify data in the KeePass database via a WebSocket connection.
PUBLISHED: 2020-08-03
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, which allows remote attackers to read and modify data in the KeePass database via an A=0 WebSocket connection.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for Linux versions prior to 9.6 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service enabled allowing unauthorized code execution to local users.
PUBLISHED: 2020-08-03
Active IQ Unified Manager for VMware vSphere and Windows versions prior to 9.5 are susceptible to a vulnerability which allows administrative users to cause Denial of Service (DoS).
PUBLISHED: 2020-08-03
A vulnerability in the Fanuc i Series CNC (0i-MD and 0i Mate-MD) could allow an unauthenticated, remote attacker to cause an affected CNC to become inaccessible to other devices. The vulnerability is due to improper design or implementation of the Ethernet communication modules of the CNC. An attack...