Attackers turn to stealthier techniques


Research into threats affecting Web sites in 2018 revealed a new trend: threat actors appear to be employing more low-key attack methods to achieve their objectives.


So says Monique Becenti, product and channel marketing specialist at SiteLock, and author of the SiteLock 2019 Web Site Security Report.

Using proprietary algorithms and technology, the report analyses more than six million Web sites to determine the most prevalent cyber threats facing Web site owners today. It looks at three primary topics that drive Web site security: attack patterns and risk factors, Web code vulnerabilities, and malware types.

JavaScript files dominated the files cleaned by SiteLock's malware scanner, at a rate of nearly double the next closest category: malicious redirects. "JavaScript attacks are different than a backdoor file or a shell file because the intent is to hijack the visitors of the Web site, not to have control over the Web site itself," she explains.

Becenti says that because malicious JavaScript files are often invisible to the Web site owner, they are becoming a new favourite tool for cyber crooks.

The report revealed that defacements, or attacks that change the visual appearance of a Web site, continued to drop in popularity, found on only 15% of infected sites and accounting for only 5% of malicious files cleaned in 2018. "One reason for the decrease in defacements can be attributed to cyber criminals leveraging quieter, more symptomless attacks."

Similarly, the report showed search engine optimisation (SEO) spam, a former favourite tool among attackers, made up only 2% of malware cleaned this year and was found on only 18% of infected Web sites, again most likely due to its "noisy" attack nature.

"Attackers are likely moving away from this method because of the attention the attacks draw. The preferred method of malware allows attackers to subtly view, modify, or steal content and data from their victims' Web sites," says Becenti.

Direct attacks

The report showed that subtle methods such as backdoor, shell and filehacker (file modification) were found on more than half of all infected Web sites and accounted for over 10% of files cleaned.

Becenti described this as a "departure from previous attacker behaviour examined in late 2017 and early 2018", which revealed threat actors attempting to compromise Web site visitors through visitor-based attacks.

Cyber criminals are once again looking at strategies to gain control of Web sites by attacking the site directly, as opposed to the site's visitors. However, as Internet users become more educated on how to browse the Web safely, visitor-based attacks will likely continue to decrease.

SEO spam, .htaccess attacks, redirects and other "noisy" attacks will continue to decrease, the report predicts. "The more files an attack kit requires, the more likely it is that either a malware scanner or Web site developer will spot it and remove it. Bad actors will have no choice but to adapt to rising user awareness."

The SiteLock report also highlighted that although predictions pointed to crypto-mining becoming the most pervasive threat of 2018, in reality it plateaued at 2% last year. Between the crypto crash and Bitcoin losing more than half of its value, it seems likely that threat actors turned their attention to more stable and profitable attack methods.

A mere 15% of malware-infected Web sites were blacklisted in 2018, a 4% decrease from the start of the year to the end. "Many Web site owners assume a search engine will alert them if malware is on their site. However, that is not the case," she says.

"Search engines are using greater caution when blacklisting Web sites to avoid reporting errors at the site owner's expense. When a blacklisting occurs, the consequences can impact a Web site's traffic, reputation, and even profitability."

Becenti says that as cyber criminals use stealthier attack methods, search engines will continue to err on the side of caution when blacklisting Web sites, to avoid false positives.

Threat actors will jump on this bandwagon, and become more cunning, designing malware that slips through search engine scanners. "More than ever, it's crucial to rely on a defined Web site security strategy, rather than a search engine, to discover any potential infections."

Key findings

  • Approximately 1% (0.78%) of Web sites are infected with malware, equating to 17.6 million Web sites worldwide at any given time.
  • Web site attack attempts per day grew by 59% from January 2018 to December 2018, ending at a peak of 80 attacks per day and averaging 62 attacks per day for the year.
  • Web sites receive 2 354 bot visits per site per week on average.
  • Only 15% of Web sites infected with malware were blacklisted by search engines in 2018, which is a 4% decrease from the start of the year to the end.
  • Cryptojacking plateaued at 2% last year.