Naughty or Nice Websites

Santa Claus is coming! Was your website naughty or nice this year?

Here is a quick checklist of the top 10 bad things that can harm your website security and the top 10 good things that can improve your website security.

Naughty Websites List

If your website falls into any of these categories, this is the perfect time of year to start thinking about improving your security posture.

1 – My website has outdated software.

Continue reading Naughty or Nice Websites at Sucuri Blog.

Source: Sucuri check

OWASP Top 10 Security Risks – Part III

To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the OWASP Top 10 security risks.

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

In our previous posts, we explained the first four items on the OWASP Top 10 list.

Continue reading OWASP Top 10 Security Risks – Part III at Sucuri Blog.

Source: Sucuri check

Fake Volkswagen Campaign Spreads Through Social Networks

We recently investigated a suspicious link received by one of my colleagues on WhatsApp. The message (in Portuguese) states that Volkswagen is offering 20 free cars until the end of the year, and directs users to participate on a site that has apparently been crafted especially for this “event”.

After an initial investigation, it became clear that something was not right with the site. Several security vendors had blacklisted it as a phishing site; although it was fishy, none of the classic phishing characteristics were present.

Continue reading Fake Volkswagen Campaign Spreads Through Social Networks at Sucuri Blog.

Source: Sucuri check

Your Email Delivery Checklist

Email delivery can be complicated. New technologies have emerged to help inbox providers protect themselves and their customers from spam and fraudulent emails, but these can also stop legitimate emails from being delivered. How do you protect your email delivery?

Our MxToolbox Email Experts have created a checklist to help you improve your email delivery.

Source: MXtoolbox

Localization and Customization of Credit Card Stealing Malware

Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site.

Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table:

hxxps://elegrina[.]com/assets/<domain>.js, where <domain> was the second-level domain of the infected site.

Continue reading Localization and Customization of Credit Card Stealing Malware at Sucuri Blog.

Source: Sucuri check

Using Innocent Roles to Hide Admin Users

All across the internet, we find guides and tutorials on how to keep your WordPress site secure. Most of them approach the concept of user roles, but not many actually approach the capabilities of those roles.

The way the capabilities are handled on WordPress makes it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

First, let’s take a look at how WordPress manages the capabilities of the roles and what they are allowed to do, such as:

  • add users;
  • remove users;
  • create posts;
  • delete posts, etc.

Continue reading Using Innocent Roles to Hide Admin Users at Sucuri Blog.

Source: Sucuri check

Homeland Security Directs Agencies to Adopt DMARC

As a business or a government agency, you may wonder “why would I spend the time and money to adopt DMARC?” The answer is that DMARC can help ensure your emails get delivered and protect your brand and customers from phishing and fraud, while giving you valuable information about the email you are sending, including SPF alignment, DKIM authentication, and forensic information on failures and the quality of your senders’ configurations.

Because of the inherent value in adopting DMARC, the US Department of Homeland Security and the UK government have made DMARC adoption a requirement for government agencies. If you aren’t ready to adopt DMARC, you’re behind. But MxToolbox can help you.

Source: MXtoolbox

What is Phishing?

Phishing is a serious threat to any industry. We have seen this topic appear in the news more each day. You might have already received a fraudulent email from what seemed to be your bank, or even seen the hacking that took place during the 2016 US presidential election. But what do you know about phishing?

What is Phishing?

Phishing is the fraudulent attempt to obtain sensitive information like login information or other personal identification information (PII), which is any data that could potentially identify a specific individual, such as:

  • usernames,
  • passwords,
  • credit card details,
  • SSN (Social Security Number),
  • bank account information,
  • email,
  • phone number,
  • secret question answers

Even partial information can increase the chances of success to subsequent social engineering attacks.

Continue reading What is Phishing? at Sucuri Blog.

Source: Sucuri check

Fear, Uncertainty, and Doubt

There’s a term for the practice of scaring potential customers into purchasing products or services they don’t need: FUD, or fear, uncertainty, and doubt. This practice is widespread in the computer/IT industries at large, but is especially present in the security industry.

People don’t want to get hacked—but may also not understand the issues and forces at play. This makes them easy targets for overzealous sales representatives who see an opportunity to use misinformation to increase their paycheck via commission payouts.

Continue reading Fear, Uncertainty, and Doubt at Sucuri Blog.

Source: Sucuri check

VirusTotal += Trapmine

We welcome Trapmine scanner to VirusTotal. In the words of the company:

“Trapmine ThreatScore is a machine learning-powered malware detection engine developed to identify known and never-before-seen malware. This engine is a part of TRAPMINE Endpoint Detection & Protection Platform. Trapmine combines machine learning, behavior monitoring and endpoint deception techniques to provide fool-proof defense against malware, exploit attempts, file-less malware, ransomware and other forms of targeted attacks. Windows PE files submitted to VirusTotal will be analyzed by Trapmine ML engine and the verdicts will be displayed to VirusTotal users.”

Trapmine has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.

Source: VirusTotal

Navigating Data Responsibility

As we take a step back and think about how much the Internet has grown over the past 20 years, we realize how much content/data has been made available to everyone.

Moving forward, there’s no reason to expect data availability to slow down. In fact, insideBIGDATA claims:

There are many sources that predict exponential data growth toward 2020 and beyond. Yet they are all in broad agreement that the size of the digital universe will double every two years at least, a 50-fold growth from 2010 to 2020.

Continue reading Navigating Data Responsibility at Sucuri Blog.

Source: Sucuri check

A Scam-Free Cyber Monday for Online Businesses

Every year we see an increase in website attacks during the holidays.

While business owners see their sales go up due to promotional Black Friday and Cyber Monday campaigns, hackers are in the background working nonstop to create malicious, fraudulent websites as well as take advantage of legitimate ones.

Main Cyber Monday Threats

Phishing Pages

One of the major risks to consumers is phishing campaigns.

Carefully crafted phishing login pages convince users they are logging into a valid service.

Continue reading A Scam-Free Cyber Monday for Online Businesses at Sucuri Blog.

Source: Sucuri check

PCI for SMB: Requirement 9 – Implement Strong Access Control Measures

Welcome to the sixth post of a series on understanding the Payment Card Industry Data Security Standard (PCI DSS). We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires).

In the previous articles written about PCI, we covered the following:

  • Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.

Continue reading PCI for SMB: Requirement 9 – Implement Strong Access Control Measures at Sucuri Blog.

Source: Sucuri check

Real-Time Fine-Tuning of the WAF via API

Though the Sucuri Firewall is simple to set up and protects your website immediately, it’s possible to have granular control of the WAF by using an API.

For instance, there’s a specific filter inside the WAF dashboard called Emergency DDoS. This filter basically increases the strength of the DDoS protection to an “emergency” level where most non-human access is blocked.

API to Boost Firewall Protection

The Firewall API is mostly used for whitelisting and clearing the website cache.

Continue reading Real-Time Fine-Tuning of the WAF via API at Sucuri Blog.

Source: Sucuri check

Hackers Change WordPress Siteurl to Pastebin

Last Friday, we reported on a hack that used a vulnerability in the popular WP GDPR Compliance plugin to change WordPress siteurl settings to erealitatea[.]net. At that time it was not clear who was behind the massive attack, since the erealitatea[.]net domain didn’t work and the infection simply broke the compromised sites. Our SiteCheck scanner detected the infection on about 700 sites over the weekend, and PublicWWW currently returns 573 results.

Continue reading Hackers Change WordPress Siteurl to Pastebin at Sucuri Blog.

Source: Sucuri check

Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability

We have noticed a growing number of WordPress-based sites that have had their URL settings changed to hxxp://erealitatea[.]net. Further investigations show that the issue is related to a security vulnerability in the WP GDPR Compliance plugin for WordPress (with 100,000+ active installations).

The new General Data Protection Regulation (GDPR) laws in the EU have made the plugin extremely popular. Many sites are looking for an easy way to comply with these new laws, and adding this plugin is a simple solution for many website owners.

Continue reading Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability at Sucuri Blog.

Source: Sucuri check

10 Tips to Improve Your Website Security

Having a website has become easier than ever due to the proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal, Magento, and others allow business owners to build an online presence rapidly. The CMSs’ highly extensible architectures, rich plugins, and effective modules have reduced the need to spend years learning web development before starting to build a website.

The ease of launching an online business or personal website is great.

Continue reading 10 Tips to Improve Your Website Security at Sucuri Blog.

Source: Sucuri check