- Wikipedia Page Review Reveals Minr Malware 19 February 2018
Since December, we’ve seen a number of websites with this funny-looking obfuscated script injected at the very top of the HTML code (before the <html> tag).
This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when approximately 3 months ago we noticed the JJEncode obfuscator was once again in use: Minr cryptominer began using it to obfuscate scripts that they loaded from multiple domains like web.clod[.]pw.
- Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins 12 February 2018
On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.
The malicious plugins possess a very similar file structure:
- injectbody.php: 2146 bytes (the plugin code)
- injectscr.php: 1319 bytes (the plugin code)
The functionality of these plugins is also very similar.
- Sucuri Website Backups Product Update 7 February 2018
We’re excited to be sharing some changes we’ve recently pushed for our Website Backups product.
If you’re not familiar with this feature, Sucuri Website Backups allow you to completely back up your files and database in our secure infrastructure. In a worst-case scenario, where files or databases are overwritten or deleted, these backups make it easy to restore your website to its previous condition. By backing up your website, you ensure that you’re covered in the event of a critical failure.
- How to Add Security to Your Client’s Websites 5 February 2018
Website security has crossed the mind of nearly every website owner. However, as a website security company, we know that most webmasters come to us after the fact, when their website has already been compromised. Once hackers have taken over, website owners regret not having protected it when the website was initially launched.
Today, we want to address website service providers specifically. This article aims to explain to developers, SEO firms, hosts, and web agency owners why offering website security to clients can be very important.
- What is a WAF? 29 January 2018
Have you ever wondered what WAF means?
WAF stands for Website Application Firewall. In order to make it simple to understand, imagine your website as a house and the people outside on the streets are the traffic that wants to come to your website. Of course, you want to open your door to friends and family, but you also want to protect your house from the bad guys.
- Cloudflare[.]solutions Keylogger Returns on New Domains 24 January 2018
A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.
Keylogger Spreads to New Domains
A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down.
- SQLi Vulnerability in YITH WooCommerce Wishlist 16 January 2018
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store and is currently installed on 500,000+ websites.
Are You at Risk?
This vulnerability is caused by the lack of sanitization of user-provided data in versions below 2.2.0.
- Malicious Website Cryptominers from GitHub. Part 2. 3 January 2018
Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.
Encrypted CoinHive Miner in Header.php
The following encrypted malware was found in the header.php file of the active WordPress theme:
There are four lines of code in total. Each, when decoded, plays a different role.
When decoded, the last two lines inject typical CoinHive cryptocurrency miners:
The miner is only shown conditionally, so bots are excluded and only human visitors will receive it.
The campaign attempts to redirect visitors to a bogus Windows support page claiming that their computers are infected with ‘riskware’ and will be disabled unless they call what is an obviously bogus support hotline.
Google and several other web security vendors are currently blacklisting the domain; fortunately, most visitors will receive a warning page like this during the redirection process:
Tech Support Phone Scam
It’s worth noting that the phone number displayed on the page is auto-generated based on the URL that is supplied.
- How to Create Secure Passwords For Your Website 20 December 2017
Have you ever signed up for a new account, but once it came time to create a password, your spirits dropped a little? It’s hard enough to remember one password, let alone multiple ones. Panic sets in as the security suggestions prompt you to add more numbers and unique characters. How am I going to remember this? Why does this even matter if I’m the only one who accesses this account?
We’ve previously written about the elements of a secure password, and the topic is still important today.
This month we noticed a very interesting variant of this infection. While still related to the same vulnerability on the same outdated versions of Newspaper and Newsmag themes, the malware has been designed to both inject malvertising and take over a WordPress website completely.