Top website security posts by Sucuri – December 2019


A monthly round-up of website security topics.

Our Malware Research and Incident Response teams work around the clock to identify emerging threats — and we’re proud to share our knowledge and findings with the community.

We’ve gathered a few of our most popular posts from December to educate you about the latest trends and tips in website security.


The anatomy of credit card stealing malware. 

Over the past few years, one of the largest trends in web-based malware has been credit card stealers — also known as credit card skimmers.

So, what are credit card stealers?

Easily one of the most straightforward methods for hackers to generate a profit, credit card stealers allow hackers to collect valuable personal information and real credit card details from a compromised website.

Once the hacker gets their hands on the stolen information, it’s only a matter of time before they abuse it for online purchases or other nefarious purposes.

Skimmers can steal personal information and credit cards from hacked sites.

Credit card stealers pose a serious risk for any website owner. Consequences include a significant impact to site reputation, loss of customer trust, and compliance issues.

How do hackers infect websites?

Infection mechanisms for credit card stealing malware are the same as any type of infection. Typically, hackers leverage a known vulnerability in the website’s environment — which can come in the form of a software vulnerability in a plugin, theme, or the CMS itself.

Usually, modern attacks are automated “search and infect” attacks, which simply seek out vulnerable websites. If a vulnerability is found, it is exploited and the infection begins.

Automated attacks often exploit known vulnerabilities to plant malware.

Who are the targets of credit card stealing malware?

Credit card stealing malware is often found on the websites of online merchants or sites that accept online  payments. Occasionally, an automated attack may also plant a credit card skimmer on a regular website that doesn’t even collect payments.

Finding a credit card stealer on a non-ecommerce website shouldn’t be taken lightly. This is a serious indication that the website has been compromised and may contain other types of malware, including website backdoors.

Common types of credit card stealers. 

There are almost too many variations of credit card stealers to count. Credit card skimmers can be found as small snippets of code injected into files, or complex and robust standalone files concealed within a hacked environment.

Here’s an example of what a simple four-line credit card stealer looks like:

Credit card stealing malware can also be found as database injections, obfuscated code snippets, and file includes within the core CMS — or they can even load malicious third-party scripts on the website.

Read more from the original post by Peter Gramantik. 


How passwords get hacked. 

Consider for a moment the sheer number of passwords you use in a day. Passwords are an essential component for securing web applications, banking credentials, email accounts, social media accounts, and other popular web based services.

It can certainly be tough to keep track of credentials — or generate new secure passwords if your account’s authentication is set to expire. This disdain most users have for proper password maintenance often leads to bad password practices and can sometimes benefit bad actors.

So, how does an attacker hack a password?

Attackers usually employ dictionary attack tools to help them compromise an account. These tools make multiple login attempts using a list of known, popular passwords.

Dictionary attack tools help hackers attempt thousands of passwords against an account.

Attackers will try every password from the list until a match is found — at which point the attacker might log in with the stolen credentials to plant a backdoor for future entry.

Sometimes, hackers even publish their successful password attempts after a successful attack, making it easy for other bad actors to use lists and gain unauthorized access to accounts.

Password security best practices.

A strong, unique password is key to protecting your account. The best passwords do not contain obvious combinations of numbers or letters.

Passwords should always be long, complex, and contain a mixture of upper and lowercase letters, numbers, and special characters.

Use a password manager.

Found in the form of browser extensions as well as mobile and desktop applications, password managers often offer the ability to generate and securely store them for future use.

Read more from the original post by Justin Channel. 


Why hackers create phishing campaigns. 

Attackers design phishing campaigns for a number of reasons and are typically used to gain privileged access or sensitive information.

Phishing campaigns can come in the form of fake websites, phone numbers, emails — or even in person.

Phishing for financial information.

One of the most common goals is to obtain sensitive financial data. This information might include credit card details, bank credentials, or they might even trick victims to send money to the attacker.

Fake banking websites and landing pages are regularly used in phishing campaigns to harvest financial credentials when a user tries to log in.

Personal information obtained in phishing attacks.

Stealing sensitive personal information is another common goal for attackers. When obtained, a victim’s identity can be stolen and profited from.

Some common types of personal information targeted by phishers include:

  • Social security numbers (SSN)
  • Names
  • Addresses

Attackers may also phish for lesser-known information, including:

  • Name of your favorite teacher
  • Name of your first pet
  • Street where you grew up

The answers to these types of questions are commonly used for identity verification and account recovery. Using this information, an attacker might be able to recover an account or reset a password without the victim being aware that they are targeted.

Unauthorized access to websites or computers.

Sometimes, attackers simply seek to add more victims to a compromised network. They might target a website owner to steal credentials, compromise the website, and then exploit the site for their own nefarious purposes.

Protecting yourself against phishing.

There are a number of precautions that you can take to recognize the signs of a phishing campaign.

For example, if a page looks legitimate but contains an unusual request, double-check the URL to make sure that it’s the correct domain name to ensure that it’s genuine.

Phishing attempts may also include urgency in their messaging to trick victims into skipping over important details. Pay close attention to branding and URLs, along with typos. If the content tries to rush you or tells you that it requires an immediate action, this is definitely a red flag.

If something looks a bit phishy or sounds too good to be true, don’t click on the page, open the attachment, or engage with the pop-up.

Read more from the original post by Antony Garand.

%d bloggers like this: