18.5 Million Websites Infected With Malware at Any Time

There are more than 1.86 billion websites on the internet. Around 1% of these — something like 18,500,000 — are infected with malware at a given time each week; while the average website is attacked 44 times every day.

Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock’s malware scanners, while a smaller subset also use the firm’s cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the scanners provide insight into the state of malware in websites.

The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. “We went from about 0.8% of our user base in Q3 to a little over 1% in Q4,” Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.

Despite the increase in infected sites, continued Ortega, “The total number of attacks or attempted attacks actually decreased by about 20% — so what we’re seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through.”

The majority of Sitelock’s customers are typically small businesses and blogs. “Many website owners remain unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they’ve been compromised,” said Ortega. This doesn’t work — less than 1 in 5 infected websites are blacklisted by the search engines.

Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of WordPress sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised. 

It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, Sitelock cleaned an average of 672,655 malicious files every week. It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.

Jessica Ortega, research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files. Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.
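A cleanup check for the leftover archives described above, as an added example that is not from Sitelock or the original article: it walks a web root and reports any zip archive that contains server-side script files, without extracting anything. The function names, the PHP extension list and the sample web root are assumptions constructed for illustration.

```python
import os
import tempfile
import zipfile

# Extensions a PHP-based CMS host would execute once extracted (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def find_script_archives(webroot):
    """Return {archive_path: [script member names]} for zips under webroot."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            # Identify archives by their structure, not by the file name.
            if not zipfile.is_zipfile(path):
                continue
            try:
                with zipfile.ZipFile(path) as zf:
                    members = zf.namelist()  # listing only, nothing is extracted
            except zipfile.BadZipFile:
                findings[path] = ["<unreadable archive>"]
                continue
            scripts = [m for m in members
                       if os.path.splitext(m.lower())[1] in SCRIPT_EXTS]
            if scripts:
                findings[path] = sorted(scripts)
    return findings


def build_sample_webroot():
    """Constructed sample: a live page, a benign zip, and a zip holding PHP."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'home'; ?>")
    with zipfile.ZipFile(os.path.join(root, "uploads", "photos.zip"), "w") as zf:
        zf.writestr("notes.txt", "holiday notes")
    with zipfile.ZipFile(os.path.join(root, "uploads", "old_backup.zip"), "w") as zf:
        zf.writestr("kit/loader.PHP", "<?php /* placeholder */ ?>")
        zf.writestr("kit/readme.txt", "placeholder")
    return root


if __name__ == "__main__":
    for archive, scripts in find_script_archives(build_sample_webroot()).items():
        print(archive, "->", scripts)
```

Any archive this reports should be reviewed and removed along with the active malicious files, since it is what allows the same files to be restored after a cleanup.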

One of the problems is that the average website is very easy to compromise. Sitelock’s analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities. 

Even CMS security updates can be used against the website if they are not immediately installed. “Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those vulnerabilities. They then scan the internet for, for example, WordPress sites that haven’t yet been updated, and compromise them.”

Understanding the attackers’ motives is key to understanding the threat to small business websites. “A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don’t even realize they need security,” explains Ortega. One of the primary motivations is to improve the search engine rankings of the attackers’ own customers, by inserting backlinks to the customer website.

“Or they use it to attack the website’s visitors — for example, by phishing credentials,” she continued; “and obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal. Or they’re just trying to further spread their malware to visitors via exploit kits.”

Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited; but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement — those who do it because they can, and then boast about it. 

Sixteen percent of infected sites were subsequently defaced, often with a political or religious message, often by such skiddies.
