

Sucuri's Hacked Website Report 2017

Sucuri has published its annual report here.
Some interesting facts worth highlighting:

The 2017 telemetry indicates a shift in CMS infections:

  • WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
  • Joomla infection rates have dropped from 17% in 2016 Q3 to 13.1% in 2017.
  • Magento infection rates rose marginally from 6% in Q3 2016 to 6.5% in 2017.
  • Drupal infections dropped slightly from 2% in Q3 2016 to 1.6% in 2017.

We are seeing an interesting shift in the number of out-of-date, vulnerable versions of WordPress at the point of infection. At the end of Q3 2016, 61% of hacked WordPress sites were running outdated installations; this has since decreased. In 2017, only 39.3% of clean-up requests for WordPress involved an outdated version.

Joomla! (down from 84%) and Drupal both saw a decrease of more than 15% in outdated versions from the previous year, down to 69.8% and 65.3% respectively.

Similar to previous years, Magento websites (80.3%) were mostly out of date and vulnerable at the point of infection, although this number has declined by over 13% since Q3 2016.

When a website has been flagged by a blacklist authority (such as Google), the results are devastating. Blacklisting can affect how visitors access a website, how it ranks in Search Engine Result Pages (SERP), and how communication media such as email are adversely affected.

Per our analysis, approximately 17% of the infected websites were blacklisted (a 2% increase from 15% in Q3 2016).
During 2017, the two most prominent blacklists were Norton Safe Web and McAfee SiteAdvisor; combined, these two accounted for 45% of blacklisted websites.

Google Safe Browsing captured only 12.9% of the blacklists, which is a decline from previous years.

Several other blacklisting authorities flagged 19.8% of websites. These blacklists include PhishTank, Spamhaus, and a couple of smaller groups.

Over the course of the previous year, 71% of all compromises had a PHP-based backdoor hidden within the site. These backdoors allow an attacker to retain access to the environment long after they have successfully infected the website and carried out their nefarious acts. This gives attackers the opportunity to bypass any existing access controls into the web server environment. The effectiveness of these backdoors comes from their ability to evade most website scanning technologies.

Backdoors often serve as the re-entry point into the environment after a successful compromise (i.e., the means of continuing the compromise). Backdoors themselves are rarely the attacker's goal. The goal lies in the attack itself, which takes the form of conditional SEO spam, malicious redirects, or drive-by-download infections.

We also saw a marginal decline in malware distribution – from 50% in Q3 2016 to 47% in 2017. Mailer script infections held steady at 19% from the previous report.

Approximately 44% of all infection cases in 2017 were misused for SEO spam campaigns, up 7% from our last report. These campaigns often occur through PHP, database injections, or .htaccess redirects, where the site was infected with spam content or redirected visitors to spam-specific pages. The content used is often in the form of pharmaceutical ad placements (i.e., erectile dysfunction, Viagra, Cialis, etc.) and includes other injections for industries like fashion and entertainment (i.e., cheap Ray-Bans, gambling, pornography).
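The two findings above (PHP backdoors that slip past scanners, and conditional SEO spam delivered through .htaccess redirects) can both be checked for with a small triage script. The following Python is an added example written for this article, not a Sucuri tool or signature set: it scores PHP source on constructed obfuscation indicators (eval chained with decoders, the preg_replace /e modifier, shell functions, request-driven calls) rather than flagging on any single weak hit, and it parses .htaccess RewriteCond/RewriteRule pairs to find rules that redirect only search-engine crawlers to an external site. The pattern list, weights, threshold and sample inputs are all assumptions made for the example.

```python
import re

# Indicator patterns with weights. Constructed for this example, not Sucuri's
# signatures. base64_decode alone is common in clean code (weight 1), so a file
# is flagged on accumulated score rather than on one match.
PHP_INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("decoder", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 1),
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), 3),
    ("dynamic_eval", re.compile(r"\b(?:assert|create_function)\s*\("), 2),
    ("shell", re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\("), 2),
    ("request_call", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("), 3),
]
FLAG_THRESHOLD = 4  # assumed cut-off for this example


def scan_php(source):
    """Return (score, [indicator names hit]) for one PHP source text."""
    score = 0
    hits = []
    for name, pattern, weight in PHP_INDICATORS:
        count = len(pattern.findall(source))
        if count:
            score += weight * count
            hits.append(name)
    return score, hits


# Crawler names that a conditional SEO-spam redirect typically keys on.
CRAWLER_RE = re.compile(r"google|bing|yahoo|msn|slurp|yandex|baidu|bot|spider|crawl", re.I)
EXTERNAL_RE = re.compile(r"^https?://", re.I)


def scan_htaccess(text):
    """Return descriptions of RewriteRule lines that send crawler-only traffic off-site.

    RewriteCond lines apply to the next RewriteRule, so they are collected
    until a RewriteRule is seen and then discarded.
    """
    findings = []
    conds = []  # (test variable, pattern) pairs pending for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            crawler_conditional = any(
                var.upper() in ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}") and CRAWLER_RE.search(pat)
                for var, pat in conds
            )
            # A crawler-only rule that blocks ("-" target) is legitimate; one that
            # redirects crawlers to another host is the SEO-spam pattern.
            if crawler_conditional and EXTERNAL_RE.match(target):
                findings.append(f"line {lineno}: crawler-conditional redirect to {target}")
            conds = []
    return findings


# Constructed sample inputs (not taken from the report).
SAMPLE_PHP = """<?php
// constructed: obfuscated loader shaped like a dropped backdoor
$p = "PLACEHOLDER_NOT_A_REAL_PAYLOAD";
eval(gzinflate(base64_decode($p)));
?>"""

BENIGN_PHP = """<?php
// constructed: legitimate use of base64 for an embedded image
$logo = base64_decode($encodedLogo);
header("Content-Type: image/png");
echo $logo;
?>"""

SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam-pages.invalid/$1 [R=302,L]
"""

BENIGN_HTACCESS = """RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_USER_AGENT} (scrapybot|badcrawler) [NC]
RewriteRule .* - [F]
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        score, hits = scan_php(src)
        verdict = "FLAG" if score >= FLAG_THRESHOLD else "ok"
        print(f"php {label}: score={score} hits={hits} -> {verdict}")
    for label, txt in (("sample", SAMPLE_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(f"htaccess {label}: {scan_htaccess(txt) or 'no crawler redirects'}")
```

The .htaccess check deliberately distinguishes a crawler-conditional rule that blocks (target "-") from one that redirects off-site, since the former is a normal bot-blocking rule and only the latter matches the cloaked SEO-spam behaviour the report describes. Scores and weights are a starting point for triage, not a verdict; anything flagged still needs a human to read the file.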
