Introduction As for the definition in CMS (Content Management System), a plugin is a collection of code files that adds one or more features to your website. After you install the core code for your CMS, you can install your choice of plugins. Depending on the nature and the design of your site, you can choose from thousands of plugins available on the internet. Our incident response team encountered one peculiar issue where the website got blacklisted for distributing adware to its visitors.
Read more →
Ads has been spreading all over the internet starting from any social networking sites to almost everything. Some ads are plain and straightforward, and some are horrific and disturbing. Like this one that we got just last week. When we checked a link, it showed these images below: And it will take you to the Play Store to download an app. If you are still unaware, along with the helpful and useful apps the Google Play Store is infested with a lot of malicious apps.
Background One of the most recognizable errors encountered on the Internet is the “404 Not Found” page. The website hosting server usually generates such error when a visitor attempts to access a page that does not exist (broken or dead link). Webmasters can configure the servers to display a customized and more user-friendly 404 error page offering the sitemap, branding or other helpful information. This post shows how the hackers that broke into the web server through the compromised website exploited this mechanism to serve SPAM.
Background It is not a surprise that a Weak Password leads to a compromised website. What is not upfront obvious is the scale of the damage that could happen when such necessary security measure as a Strong Password is neglected. It is a must for every company and business to enforce strict policy for the creation and proper maintenance of the authentication details on every level and across all of the assets.
Background There is a wide blasting of SPAM emails that pretended to be a legitimate letter from Apple about your user account being used on a new device. Due to people's instinct to click on any link embedded in the email without analyzing the content, SPAM campaigns are usually very effective when disguised under a well known brand. SPAM investigation Let's take a deep look and spot the flaws of the email:
Background As it turned out during the malware clean-up of customer websites, hackers were using exactly this type of exploit to attack the site. Furthermore, the site got reinfected with malware as soon as someone accessed it. We got alarmed as the reinfection was so sudden, so we dig deeply and found out something else. Website Malware Incident Investigation Upon checking the access logs of the site, we found a very nifty but familiar entry on the records as shown below:
Background There is a Black SEO/Spam poisoning campaign running that targets mainly the WordPress websites. While handling several incidents related to it, we have discovered a new self-recovering WordPress oriented malware among other malicious components. Let’s take a look at all of them. Backdoors To Control The Attacked Website We still don’t know if there is any relation between infections but all of the examined websites contained numerous generic PHP shells and backdoors which names have the following format:
During our incident response to the client's website, we found a vulnerability in the VTEM Skitter module of Prestashop CMS. Here is the code snippet of the uploadimage.php: $uploaddir = ‘./img/’; $uploadfile = normalize(pregreplace(‘/ /’, ‘’, basename($_FILES[‘userfile’][‘name’]))); if (move_uploaded_file($_FILES[‘userfile’][‘tmp_name’], $uploaddir.$uploadfile)) echo ‘success:‘.$uploadfile; else echo ‘error’; To test if your site is vulnerable, try going to your favourite browser and enter the following in the address bar: http:///modules/vtemskitter/uploadimage.
Information has been scattered all over the internet. Links after links are being distributed over the web through Facebook, Youtube, blogs, emails, text messages and any other form of online communication. Having said that, this also includes good and bad links which can cause problems to the visitors of these links. Unpatched sites are being exploited with a lot of infected redirections and do contain payloads to attack. A couple of weeks ago, we received a report about an unauthorized connection that the site makes whenever a visitor checks it.
There is no such thing as a perfect web application. Some software vulnerabilities have been there since the very first application was created. The majority of today's exploitation can lead to the automatic execution of arbitrary codes without the users' permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware for one of our ThreatSign customer websites. Rig Exploit Kit has been thunderous, and it is widely used by the hackers to distribute malware over the internet.
Ransomware has become very frequent this year, and our malware researchers encounter more and more cases of cryptographic file-locking attacks. Easiness of deploying, the wide range of targets and clear business model are probably the main reasons for such popularity of this kind of malware among cyber criminals. Any company or organization is a potential target as it has been proven earlier this year when U.S. hospital computers and cancer treatment equipment were shut down due to ransomware.
Infected Websites: How bad can it be? Here are the top reasons for having a website: Information Dissemination Personal Biography Marketing your business Online shopping Let's have a look at sample scenario: Your new and shiny website is ready and goes online to serve your goals. You are enjoying every activity involved in building up your online presence like sharing information, marketing your business, serving your online shoppers and much more.
Deobfuscation made easy with MalwareDecoder.com Battling malware has been a very competitive and very fulfilling task nowadays. It brings joy and confidence to each Malware Analyst that can discover or unravel the code being used for an attack or infection. We at Quttera, were able to help other Malware Analysts with their tasks by providing tools for them to be used in their analysis. We have tested it with one of the suspicious files that we got on one of our clean ups.
Malicious ads and website reputation Malvertising is one of the most profitable businesses in the cyber hacking industry. Exploiting website inventory is highly beneficial for cyber criminals as it is then sold to redirect traffic to gambling, adult, pharma and similar kinds of websites. Needless to say, that its damage to both publishing websites and advertising network reputation is huge. Ideally, Web Admins are the ones responsible for checking the Ads that their site is showing.
Website Defacement is just a click of a button In the past few months, Quttera malware researchers encounter a significant rise in website defacements by hackers. Government websites, among the others, were under such cyber-attack and thus getting a lot of attention and concern from the public. Interesting fact that, in some cases, hacker groups used defacement as their "cyber branding". The number of such sites being defaced is then used as a global ranking of a responsible hacker group.
Security tools serving good and bad This is a python script used by Cyber Security Analysts to check for vulnerabilities in website . Like any other network security tool, it is being utilized by many, meaning it was also being utilized by the bad guys a.k.a "hackers". While we were browsing the dark web, we stumbled upon a hacking forum where you need to take an exam before you could join their group.
RedKit Malware Still Alive RedKit Malware RedKit malware as detected by Online Malware Scanner Background Back in 2013, we posted about RedKit infecting significant number of websites. It appears that, three years later, the statistics of the websites submitted to online malware scanner show the revive of this malware among infected websites. Malicious action Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Traffic Distribution System (TDS) On Infected WebsitesThis malware technique is widely used to monitor and redirect traffic from compromised website to malicious content or paid referrals. In past, we highlighted similar cases in our blog: Blacklisted website used to drive traffic to ‘penny stock website’ Malicious TDS flow Malicious Traffic Distribution System diagram BackgroundThreatSign! client received complaint from his customer that his website got blocked when accessed from Google Chrome.
FilesMan Backdoor Malware On Your Computer FilesMan is being abused in the wild What is FilesMan? It is a File Manager used to explore the files in a computer. It is the most basic malware tool that attackers upload to your website as a form of backdoor to browse your files. Some of these File Managers are sophisticated and has their own GUI (Graphical User Interface), some are capable of uploading and downloading files from your website as if the attackers were in front of your computer browsing it personally.
What is Cross Site Scripting (XSS)? May 26th 2016 jetpack disclosed a XSS vulnerability discovered in their popular plugin. We would to take this opportunity and describe what is XSS. Cross Site Scripting or XSS attack refers to injection of the malicious code or malicious payload into pages of legitimate website. Further, when these compromised pages are visited by website users, the injected malicious code (or payload) is executed by client-side application (visitor's web browser) and performs the actual malicious action such as: redirecting visitor to another website, download and installation of malicious code, showing adult ads and etc.
Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.
$249
/ yr
$149
more plans
Need help? contactus@quttera.com
Join our mailing list to receive free email updates