Intro to Securing an Online Store – Part 2

Intro to Securing an Online Store – Part 2Last year, we introduced the theme of Securing an Online Store. We talked about how to identify the potential risks and what to look out for. These principles can help in satisfying PCI DSS requirements 8 & 10:

  • Requirement 8 – Identify and authenticate access to system components.
  • Requirement 10 – Track and monitor all access to network resources and cardholder data.

Continue reading Intro to Securing an Online Store – Part 2 at Sucuri Blog.

Source: Scuri check

Additional Crispiness on the MacOS box of apples sandbox

In November 2015 we first released our MacOS sandbox.    We now have a incremental feature improvements live on our site to help our users get further behavioral information from samples scanned with VirusTotal

Several improvements visible to users are:

  • Sandbox updated to OSX 10.11 El Capitan in sandbox.  We have a High sierra update planned for later this year. 
  • Detailed HTML analysis report is now available. 
  • Screenshots of the software under analysis to provide more contextual information:
    • Show screenshots of what a user would see
    • Help determine if the sample is waiting for user input
  • Network traffic reports updated
    • Country Detection
  • Timestamps on file operations,  to help show the sequence of events.
  • Process tree is shown if there is more than one level of processes

To view the detailed behavior report, click on the behavior tab, then select the Box of Apples sandbox, then click on the detailed report link

Click on the detailed behavior report. 

Some Samples that might be interesting, that contain the new features:
ec7241a6009f1fff38b481d8b4fd6efede4cc2f9d8ee20d9ca2b4ff66d656171
3b196c1c1a64aca81dec5a5143b3f2faaadcc4034b343f46f23348f34a2ef205
694c23b548249056bf90b2b2c252a8c9abfae4aeb611476cbdaa8dc112f79d8f

Screenshots and File operations

DNS, IP Traffic and Behavior tags

This is part of the Multi-Sandbox project.    We’ll continue to improve our own and 3rd party sandbox providers that wish to integrate sandboxes into VirusTotal.

If you find any issues, or have feature requests, please don’t hesitate to reach out to us by emailing  contact@virustotal.com

Source: VirusTotal

The Impacts of Zero-Day Attacks

The Impacts of Zero-Day AttacksLast week, we explained what zero-day vulnerabilities and attacks are. Essentially, zero-day vulnerabilities exist in the wild, with no patch available to prevent hackers from exploiting it. Today, we would like to expand on the impacts of these attacks.

What Do Zero-Day Attacks Depend On?

The impact a zero-day attack can have on your online presence can vary. Some of these effects include lost revenue, compliance violations, wasted time, and damage to your brand reputation.

Continue reading The Impacts of Zero-Day Attacks at Sucuri Blog.

Source: Scuri check

New Guide on How to Clean a Hacked Website

New Guide on How to Clean a Hacked WebsiteOur mission at Sucuri is to make the internet a safer place and that entails cleaning up hacked websites. We have teams who actively research website vulnerabilities and who are eager to share with you some tips on how to clean your hacked website.

We are happy to help the community learn the steps they can follow to get rid of a website hack.

You can find all our guides to website security in a section of our website dedicated to providing concise and comprehensive tips on different areas of website security.

Continue reading New Guide on How to Clean a Hacked Website at Sucuri Blog.

Source: Scuri check

Understanding Zero-Day Vulnerabilities & Attacks

Understanding Zero-Day Vulnerabilities & AttacksIn computer science, a vulnerability is considered to be a zero-day vulnerability if it’s unknown to all parties interested in patching it, such as:

  • The team maintaining the project
  • The users of the project
  • Vulnerability researchers

Vulnerability researchers are the good guys – people who won’t take advantage of the vulnerability for their own gain and who will exercise responsible disclosure.

Let’s illustrate this concept with a small example.

Continue reading Understanding Zero-Day Vulnerabilities & Attacks at Sucuri Blog.

Source: Scuri check

Wikipedia Page Review Reveals Minr Malware

Wikipedia Page Review Reveals Minr MalwareSince December, we’ve seen a number of websites with this funny looking obfuscated script injected at the very top of the HTML code (before the <html> tag).

This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when approximately 3 months ago we noticed the JJEncode obfuscator was once again in use: Minr cryptominer began using it to obfuscate scripts that they loaded from multiple domains like web.clod[.]pw.

Continue reading Wikipedia Page Review Reveals Minr Malware at Sucuri Blog.

Source: Scuri check

Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins

Unwanted Pop-ups Caused by Injectbody/Injectscr PluginsOn February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.

Plugin Location

The malicious plugins possess a very similar file structure:

Injectbody

wp-content/plugins/injectbody/

  • injectbody.php: 2146 bytes (the plugin code)
  • inject.txt: 2006 bytes (injected JavaScript)

Injectscr

wp-content/plugins/injectscr/

  • injectscr.php: 1319 bytes (the plugin code)
  • inject.txt: 3906 bytes (injected JavaScript)

The functionality of these plugins are also very similar.

Continue reading Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins at Sucuri Blog.

Source: Scuri check

Sucuri Website Backups Product Update

Sucuri Website Backups Product UpdateWe’re excited to be sharing some changes we’ve recently pushed for our Website Backups product.

If you’re not familiar with this feature, Sucuri Website Backups allow you to completely backup your files and database in our secure infrastructure. In a worst-case scenario, where files or databases are overwritten or deleted, these backups make it easy to restore your website to its previous condition. By backing up your website, you ensure that you’re covered in the event of a critical failure.

Continue reading Sucuri Website Backups Product Update at Sucuri Blog.

Source: Scuri check

How to Add Security to Your Client’s Websites

How to Add Security to Your Client’s WebsitesWebsite security has crossed the mind of nearly every website owner. However, as a website security company, we know that most webmasters come to us after the fact, when their website has already been compromised. Once hackers have taken over, website owners regret not having protected it when the website was initially launched.

Today, we want to address specifically website service providers. This article aims at explaining to developers, SEO firms, hosts, and web agency owners why offering website security to clients can be very important.

Continue reading How to Add Security to Your Client’s Websites at Sucuri Blog.

Source: Scuri check

Identifying Email Phishing

There are two types of email phishing:

  1. Phishing emails that come to you
  2. Phishing emails that come from you

Consumers are typically the target of phishing emails, while the domains of businesses with great brands are typically used to send the false emails.  In a separate blog post, our experts discuss how to recognize phishing email in your inbox.  In this post, we will discuss recognizing phishing email that leverages your business’s domain.

Why would I care if phishing comes “from” my domain?

Put yourself in the place of your customers, partners and suppliers.  If you received an email that appeared to be from one of them but it turned out the be phishing, would you still trust them?  Would that erode their brand in your mind?  Would you be more likely to check their legitimate emails for mistakes, issues, and threats?  Phishing using your domain hurts your brand, even when your customers know that you are not responsible!

Further, phishing puts your email delivery at risk.  Increasingly, email inbox providers like Google, Yahoo! and Outlook.com look at the domain an email comes “from” and what the reputation of that domain is in their systems.  If your domain name has been used for phishing, then all of your email may come under additional scrutiny.  If uncontrolled, this could lead to mistaken blacklisting or lower inbox placement.

How do I recognize phishing from my domain?

Occasionally, email recipients will ask you directly “Did you send this email?”, but by then, it’s already too late.  Phishing emails are like cockroaches – seeing one means potentially hundreds hidden in the woodwork.  Without adopting three new(ish) technologies, you really can’t know when your domain is being used for fraud and phishing.

The technologies you need to think about are SPF, DKIM and DMARC, and each work together.  SPF allows you to tell the world who can send email on your behalf, DKIM allows you to digitally sign your emails and DMARC allows you to designate an email address for feedback on your email, among other things.  Once you have SPF and DKIM setup for most of your email, you can get feedback on your email via the email address in the DMARC record.  Each email inbox provider (Google, Yahoo!, Outlook.com, etc.) will provide feedback containing everyone sending email for your domain – legitimate and phishing – that they received.  You’ll want to comb through that feedback to identify IP addresses and domains not legitimately connected to your business.

How do I stop phishing with my domain?

Here again, SPF, DKIM, and DMARC are important technologies to understand.  IP addresses and Domains that fail alignment or authentication with SPF, DKIM or DMARC will be likely candidates for phishing scams.  However, these may also be legitimate senders that are misconfigured or not included in you SPF.  You will want to investigate each to make a determination as to their legitimacy.

Once you are sure you know who is legitimate and that they are passing SPF, DKIM and DMARC checks, you can begin to tell inbox providers what to do with email that fails these checks.  DMARC allows you to set the steps a recipient should take with email that is failing SPF, DKIM and/or DMARC checks:

  • None – Do Nothing
  • Quarantine – Set this email aside and tell me you quarantined it
  • Reject – Bounce the email entirely

Your DMARC record also allows you to set the percentage of traffic subject to these rules, from 0-100%.  This level of granularity is important in allowing you to control how quickly you move all of your email to a reject status.  In this way you can test to see if any legitimate email is affected without negatively impacting your business.  Once you reach a 100% Reject policy, you will be filtering out all of the phishing using your domain.

How can MxToolbox help?

MxToolbox is your Expert in Email Delivery.  We understand how complex SPF, DKIM and DMARC can be to understand and implement and how costly fraud and phishing can be to your brand.  Our team has created a new product called Fraud Center that includes assistance from our expert support team to help you through this journey.  Fraud Center provides insight into both legitimate and illegitimate email sent on behalf of your domain as well as:

  • Configuration suggestions for your SPF, DKIM and DMARC
  • Consolidated reporting across inbox providers
  • Recommendations for when to change DMARC policies
  • Forensic examinations of rejected email
  • Access to our expert support to help you with Email Delivery

Source: MXtoolbox

Managing the Reputation of 3rd Party Emailers

Whether you use 3rd parties as inbox providers, bulk emailers, CRMs, marketing automation, order management, support ticketing, calendaring or any other task, they are more than likely an integral part of your day-to-day business.  But, are you managing their reputation?  Is their email reputation harming yours?

Your email reputation is highly dependent on who is sending email on your behalf so it needs to be managed.  Think about it – if a 3rd party emails one of your customers and they are blacklisted or mis-configured then how does that reflect on you?  Not only is there a risk that the email might not make it to your intended recipient, it might get lodged in their junk email.  Regardless, your reputation, and email delivery, is tied up with that of your 3rd party providers.

So, how do you manage the reputation of a 3rd party?

The minimum step to managing 3rd party reputation is to setup Blacklist Monitoring of all the outbound IP addresses they use for your email.  With monitoring, when your email providers get blacklisted, you get alerted to the issue.  Under normal operations, there is a general risk of blacklisting, especially for bulk email providers.  However, the more frequently a provider is blacklisted and the larger the proportion of their network is blacklisted, the bigger the risk for your business.

The best method for managing 3rd party emailers involves adopting DMARC, DKIM and SPF technologies.  These technologies allow you to take control over who is sending on behalf of your domain and receive feedback on how emails sent by you and your 3rd parties are being received and handled.  DMARC, DKIM and SPF have become business requirements for anyone sending email at more than small volumes.

Using DMARC to manage 3rd parties

When you begin receiving DMARC digests, you will have feedback on how all email purporting to come from your domain is passing SPF, DKIM and DMARC tests at recipient email boxes.   You can look up the IP addresses and domains of your email providers in these reports to determine if they are passing.  Any legitimate senders not passing SPF will need to be added to your SPF records.  Any legitimate senders not passing DKIM will need to be contacted so that DKIM can properly be configured for those providers.  You may potentially need to examine whether or not you want to continue your relationship with some providers if they cannot improve performance.

MxToolbox helps you manage your email providers

MxToolbox Delivery Center is the best way to manage 3rd party email providers.  Rather than forcing you to deal with raw XML digests, MxToolbox Delivery consolidates and report on all the IP addresses and domains sending on your behalf across all inbox providers.  You get clear reports, filtered by date, provider, IP address, SPF record and more of who is passing and failing SPF, DKIM and DMARC alignment, authentication, and compliance.

mdcpro_overview

With Delivery Center, you get something no other company provides – blacklist information on your providers.  We monitor the reputation of the senders in your SPF record and alert you when one of those senders is blacklisted.  You also receive full analysis of your SPF, DKIM and DMARC records for RFC compliance and best practice recommendations for configurations.  Learn more about MxToolbox Delivery Center.

Source: MXtoolbox

What is a WAF?

What is a WAF?Have you ever wondered what WAF means?

WAF stands for Website Application Firewall. In order to make it simple to understand, imagine your website as a house and the people outside on the streets are the traffic that wants to come to your website.  Of course, you want to open your door to friends and family, but you also want to protect your house from the bad guys.

Continue reading What is a WAF? at Sucuri Blog.

Source: Scuri check

Identifying Legitimate Emailers

Email management has become more complicated over the last few years.  It used to be that only IT could setup email services for a company.  Now, almost anyone can setup email services on behalf of an organization.  Increasingly often, Marketing, Sales and other organizations are subscribing to SaaS services like Marketing Automation, CRMs, Bulk Emailers, etc that often send email for these organizations to customers, vendors, partners and suppliers.  If not properly managed, you can lose control of your legitimate email and cause email delivery problems that impact your business.

How do you Identify Legitimate Emailers?

First, you need to adopt two important technologies: SPF and DMARC.  SPF allows you to designate IP addresses and domains that can send on behalf of your domain.  Add all your known providers to your SPF record to ensure email from those providers is properly received and processed by inbox providers.  You can find out more information about SPF and how to create SPF records on our site.  DMARC enables you elicit information from inbox providers on how email send on behalf of your domain is being received and processed.  This will contain data on both legitimate and illegitimate senders like fraud and phishing.  MxToolbox provides DMARC configuration and validation tools.

The second step to identifying missing legitimate providers is to start reading the digests inbox providers send to your DMARC response address.  To do this, you’ll either need some skill with reading XML and a lot of patience or a service that consolidates, processes and analyzes DMARC digests from inbox providers.  The larger your email volume, including illegitimate email, the harder it is for you to process these digest by hand.

Examine unknown

Delivery Center differentiates emailers in your SPF and those potentially illegitimate senders.

MxToolbox has developed a product to help businesses like yours analyze DMARC compliance and responses to improve your email configuration, email deliverability and your online brand reputation.  MxToolbox Delivery Center gives you instant access to statistics on email delivery and email reputation including all the IP addresses and domains sending on your behalf.  Tools like Delivery Center are the best way to find legitimate senders not in your SPF records.

The last step to identifying unknown legitimate emailers, once your SPF and DMARC records are setup and delivering digests to your choice of tool, is to examine who is sending on your behalf.  Tools like Delivery Center show statistics about SPF Authentication, SPF Alignment, and DMARC compliance.  Emails that pass these checks are more likely to reach your customers inboxes.  Emails that fail are more likely to be tossed into junk folders or bounce entirely.  Looking at sending IP addresses and domains can give you insight into potential legitimate senders that you may have missed in your SPF records and the potential for fraud and phishing emails from senders posing as you.

To identify Legitimate Senders:

  1. Review the largest volume senders that fail SPF, DKIM and DMARC
  2. Investigate the Domains and reverse DNS of the IP addresses – Do they look like legitimate email providers?  Legitimate providers own a number of IP addresses, have a website that shows off their products and pricing.  These could also be legitimate email forwarders, even if you are not specifically doing business with them.
  3. Investigate the Blacklist reputation of IP addresses and domains – Are they blacklisted?  Legitimate providers may have a small portion of their network blacklisted as part of their business but if a large portion of that network is blacklisted they may not be a good provider to use or may be shady.
  4. Investigate the location of the IP addresses or ASNs – Are they sending from a country that you don’t operate in?  Are they sending from a country with known hacking issues?
  5. Slice and dice the data – No single view will give you every angle.  Looking up DKIM domains or SPF domains, sender domains or Mail From headers can give you insight.  The trick is to have a tool that enables you to review your DMARC digests from all angles.
  6. Be patient and repeat often – You won’t solve your email delivery issues in a single day or a single pass.  This is something that you need to review on a regular basis, especially since you may be adding or changing legitimate senders frequently.
mdcpro_inbox

MxToolbox Delivery Center gives you access to compliance and authentication information with multiple views to give you the best insight into your email delivery.

 

DMARC is the key to improving Email Deliverability!

Email is the key to your customer communication strategy.  But, what is your email reputation?

Setting up and managing your DMARC configuration is the key to getting insight into your email delivery.  MxToolbox is the key to understanding DMARC.

MxToolbox Delivery Center gives you:

  • Who is sending phishing email purporting to be from your domain
  • What is the reputation of your domains and delegated IPs
  • Where other senders are and What their reputations are
  • How your SPF, DKIM and DMARC setup is performing

Learn More

Source: MXtoolbox

VirusTotal and Chronicle

It’s been more than five years since Google acquired VirusTotal. Today we have another update: VirusTotal will moving to become part of Chronicle, a new Alphabet company focused on cyber security. This update, like our move to Google a few years back, does not change the mission or focus of VirusTotal. We’ll continue to operate independently, focused on our mission of helping keep you safe on the web.

For press inquiries, please contact press@chronicle.security

Source: VirusTotal

Cloudflare[.]solutions Keylogger Returns on New Domains

Cloudflare[.]solutions Keylogger Returns on New DomainsA few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.

Keylogger Spreads to New Domains

A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down.

Continue reading Cloudflare[.]solutions Keylogger Returns on New Domains at Sucuri Blog.

Source: Scuri check

DMARC Record Missing Alerts

Have you heard of DMARC?  It is the newest way to protect your email delivery and online reputation from delivery failures, misconfigurations and fraud and phishing attempts.  If you aren’t using DMARC, you are at risk from email delivery failures.  Learn more about DMARC, DMARC Compliance and Email Delivery.

Since DMARC is such a pivotal technology, we have decided that our customers need to be alerted when it is not configured.   Therefore all MX record lookups will show a critical warning when a DMARC record is not found (see below).  Paid users with MX monitors will receive critical alerts that a DMARC record is missing or misconfigured for their domain.

DMARC record missing.png

MxToolbox experts feel that DMARC is critical to your business success.  Our team is ready to help you with your DMARC configuration and transition to a focus on proactive email delivery management.  Our most recent products MxToolbox Delivery Center and MxToolbox Fraud Center leverage DMARC to improve your email delivery and protect your brand from email fraud.

Source: MXtoolbox

SQLi Vulnerability in YITH WooCommerce Wishlist

SQLi Vulnerability in YITH WooCommerce WishlistAs part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store and is currently installed on 500,000+ websites.

Are You at Risk?

This vulnerability is caused by the lack of sanitization of user-provided data in versions below 2.2.0.

Continue reading SQLi Vulnerability in YITH WooCommerce Wishlist at Sucuri Blog.

Source: Scuri check

What is Email Phishing?

There has been a lot of discussion about Email Fraud and Phishing lately.  Email is still the largest threat vector for hacking and information theft.  Email phishing is one of the best way to obtain access to accounts, but what is email phishing really?

Phishing is when a 3rd party, typically a hacker or malicious website, uses the brand identity of a company to lull a user into exposing private information.  Phishing emails target email address with an email that looks just like a legitimate service provider to implant malware in a download or obtain login credentials for that domain.  For example, you might receive an email that looks like it comes from a financial institution like Paypal (see mine below) asking you to download a document or go to a link to stop or start a transaction, or change your password.

phishingemail

Example Phishing Email

Identifying Phishing Emails

Phishing groups and hackers are constantly changing their patterns to improve both their targeting and the effectiveness of their emails in order to exploit users, but there are a few characteristics in common for every phishing email.

Phishing emails leverage a strong brand

In my example, the “From” email address used Paypal’s, but I have seen it with many big brands, especially in credit cards, financial, banking and insurance industries.  Ask yourself:  Do you really have an account? Is this the email address for that account? Have you done anything with the account lately?

There is a sense of urgency

The email will require you to “act soon” or it will cost you money.  This sense of urgency makes you react before you think.  Take a breath before acting on any email that looks really important.  

Quality Varies

Some phishing emails, like the one above, look good on the surface.  For example, the logos look correct, the fonts and color scheme are appropriate and some of the language is even straight from legitimate emails.  However, when you read deeper you can see spelling mistakes, grammatical errors or other areas where it is clear the writer was not a native English speaker.  Notice above that “DeLL” is not written correctly nor is the phrase “This not you?” proper English.  Take a moment to read the information presented in the email and check grammar and spelling.

“From” domain and Return Path Domain will not match

It is relatively easy to spoof a “From” address.  Email Standards allow 3rd party emailers to send email on behalf of another domain, otherwise inbox providers like Google and Outlook.com or bulk email providers could not send email for the business or personal domains they host.  If “From” and Return Path do not match and the Return Path looks random or shady, it’s a good chance you have a phishing email.  Further, most companies will not use a 3rd party to send important account information emails like the one above, but their own internal servers.  Check the Return Path email address in the header to see if it looks legitimate.

There is an attachment

If you are required to download anything that you did not ask the company for, then it is probably a phishing email and may contain malware.  Even PDFs or DOCs can contain malware payloads.  At minimum, they are trying to lull you into thinking that their fake document is valid so that they can get personal, private or financial data from you.  Do not download attachments you did not ask for.

Links on the page go to a different domain

Often a phishing email will include a link to a 3rd or 4th domain or just to an IP address.  The goal here is to get you to click unsuspectedly on any link so they can further the con and grab your information when you attempt to login to their fake website.  Sometimes the domains even look like subdomains or related domains.  Always check links before clicking on them.  If in doubt of any link, open a clean window and navigate to the company’s website and login to your account from there to check on the issue.  

About MxToolbox

MxToolbox is the expert in email delivery, including the prevention of fraud and phishing.  Our focus is to help companies reduce the threat to their brand so that their customers, users and employees can trust that emails “From” their domain are legitimate.  Our Fraud Center product leverages international standards DMARC, DKIM and SPF combined with cutting edge algorithms to help small-enterprise companies halt phishing emails from their domain.  Learn More

Source: MXtoolbox

VirusTotal Graph

VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.


It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.


It is a visualization tool built on top of VirusTotal’s data set. It understands the relationship between files, URLs, domains and IP addresses and it provides an easy interface to pivot and navigate over them.



By exploring and expanding each of the nodes in your graph, you can build the network and see the connections across the samples you are studying. By clicking on the nodes, you can see at a glance the most relevant information for each item. You can also add labels and see an in-depth report by going to VirusTotal Public or VirusTotal Intelligence report.


The tool is available in https://www.virustotal.com/graph/ or through a public report in the tool section (VirusTotal login is required):



You can save the graphs, so that you can go back to your investigation any time and share your findings with other users. By clicking in the bottom right corner we generate a permalink which loads the graph as you see it in your screen. All saved graphs are public and linked in VirusTotal public report when the file, URL, IP address or domain appear in the graph. We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon.
The documentation is available at


These are two YouTube videos explaining the main features:
Files Tutorial 1 – https://youtu.be/QEqHXU04IkI
Domain Tutorial 2 – https://youtu.be/xe2busIlkP4
Last but not least, we are still in an early stage of the tool and we’d be delighted to receive your feedback/comments here.

Source: VirusTotal