
Web Security

  • Wikipedia Page Review Reveals Minr Malware (19 February 2018)

    Since December, we’ve seen a number of websites with this funny-looking obfuscated script injected at the very top of the HTML code (before the <html> tag).

    This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when, approximately 3 months ago, we noticed the JJEncode obfuscator was once again in use: the Minr cryptominer began using it to obfuscate scripts that it loaded from multiple domains like web.clod[.]pw.

    Continue reading Wikipedia Page Review Reveals Minr Malware at Sucuri Blog.

  • Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins (12 February 2018)

    On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.

    Plugin Location

    The malicious plugins possess a very similar file structure:

    Injectbody

    wp-content/plugins/injectbody/

    • injectbody.php: 2146 bytes (the plugin code)
    • inject.txt: 2006 bytes (injected JavaScript)

    Injectscr

    wp-content/plugins/injectscr/

    • injectscr.php: 1319 bytes (the plugin code)
    • inject.txt: 3906 bytes (injected JavaScript)

    The functionality of these plugins is also very similar.

    Continue reading Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins at Sucuri Blog.

  • Sucuri Website Backups Product Update (7 February 2018)

    We’re excited to be sharing some changes we’ve recently pushed for our Website Backups product.

    If you’re not familiar with this feature, Sucuri Website Backups allows you to completely back up your files and database in our secure infrastructure. In a worst-case scenario, where files or databases are overwritten or deleted, these backups make it easy to restore your website to its previous condition. By backing up your website, you ensure that you’re covered in the event of a critical failure.

    Continue reading Sucuri Website Backups Product Update at Sucuri Blog.

  • How to Add Security to Your Client’s Websites (5 February 2018)

    Website security has crossed the mind of nearly every website owner. However, as a website security company, we know that most webmasters come to us after the fact, when their website has already been compromised. Once hackers have taken over, website owners regret not having protected it when the website was initially launched.

    Today, we want to specifically address website service providers. This article aims to explain to developers, SEO firms, hosts, and web agency owners why offering website security to clients can be very important.

    Continue reading How to Add Security to Your Client’s Websites at Sucuri Blog.

  • What is a WAF? (29 January 2018)

    Have you ever wondered what WAF means?

    WAF stands for Website Application Firewall. To make it simple to understand, imagine your website as a house, and the people outside on the street as the traffic that wants to come to your website. Of course, you want to open your door to friends and family, but you also want to protect your house from the bad guys.

    Continue reading What is a WAF? at Sucuri Blog.

  • Cloudflare[.]solutions Keylogger Returns on New Domains (24 January 2018)

    A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.

    Keylogger Spreads to New Domains

    A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down.

    Continue reading Cloudflare[.]solutions Keylogger Returns on New Domains at Sucuri Blog.

  • SQLi Vulnerability in YITH WooCommerce Wishlist (16 January 2018)

    As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store and is currently installed on 500,000+ websites.

    Are You at Risk?

    This vulnerability is caused by the lack of sanitization of user-provided data in versions below 2.2.0.

    Continue reading SQLi Vulnerability in YITH WooCommerce Wishlist at Sucuri Blog.

  • Malicious Website Cryptominers from GitHub. Part 2. (3 January 2018)

    Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.

    Encrypted CoinHive Miner in Header.php

    The following encrypted malware was found in the header.php file of the active WordPress theme:

    There are four lines of code in total. Each, when decoded, plays a different role.

    CoinHive Injections

    When decoded, the last two lines inject typical CoinHive cryptocurrency miners:

    The miner is only shown conditionally, so bots are excluded and only human visitors will receive it.

    Continue reading Malicious Website Cryptominers from GitHub. Part 2. at Sucuri Blog.

  • Reverse Javascript Injection Redirects to Support Scam on WordPress (21 December 2017)

    Over the last few weeks, we’ve noticed a JavaScript injection in a number of WordPress databases, and we recently wrote about them in a Sucuri Labs Note.

    The campaign attempts to redirect visitors to a bogus Windows support page claiming that their computers are infected with ‘riskware’ and will be disabled unless they call what is an obviously bogus support hotline.

    Google and several other web security vendors are currently blacklisting the domain; fortunately, most visitors will receive a warning page like this during the redirection process:

     

    Tech Support Phone Scam

    It’s worth noting that the phone number displayed on the page is auto-generated based on the URL that is supplied.

    Continue reading Reverse Javascript Injection Redirects to Support Scam on WordPress at Sucuri Blog.

  • How to Create Secure Passwords For Your Website (20 December 2017)

    Have you ever signed up for a new account, but once it came time to create a password, your spirits dropped a little? It’s hard enough to remember one password, let alone multiple ones. Panic sets in as the security suggestions prompt you to add more numbers and unique characters. How am I going to remember this? Why does this even matter if I’m the only one who accesses this account?

    We’ve previously written about the elements of a secure password, and the topic is still important today.

    Continue reading How to Create Secure Passwords For Your Website at Sucuri Blog.

  • Javascript Injection Creates Rogue WordPress Admin User (14 December 2017)

    Earlier this year, we faced a growing volume of infections related to a vulnerability in outdated versions of the Newspaper and Newsmag themes. The infection type was always the same: malicious JavaScript designed to display unauthorized pop-ups or completely redirect visitors to spammy websites, which the hackers then monetized through advertisement views.

    This month we noticed a very interesting variant of this infection. While still related to the same vulnerability on the same outdated versions of Newspaper and Newsmag themes, the malware has been designed to both inject malvertising and take over a WordPress website completely.

    Continue reading Javascript Injection Creates Rogue WordPress Admin User at Sucuri Blog.