SEO Spam Dominated Website Infections in 2019: Report

Last year, SEO spam was the most frequently observed threat on compromised websites, according to a new report from GoDaddy-owned web security company Sucuri.

Nearly two-thirds of infected websites had a form of SEO spam present, with database spam being the most prevalent form of infection. At least one form of backdoor was found on 47% of the compromised websites, providing attackers with persistent access to the infected environment.

During 2019, 60% of websites were vulnerable at the point of infection, marking an increase of 4% compared to the previous year and indicating that patches are not installed in a timely manner. Over 56% of all CMS applications were found to be outdated, Sucuri’s 2019 Website Threat Research Report (PDF) shows.

Attacks involving credit card stealers and e-commerce sites went up last year, and Sucuri says it removed over 1,700 client-side and 600 server-side stealers from infected websites.

The report also reveals that vulnerable third-party components and software defects were the primary infection vector last year. Sucuri discovered that 44% of vulnerable websites had more than one vulnerable piece of software, with 10% of them having at least four vulnerable components.

One of the most common vectors was the improper implementation of the function update_option(), which is used to update any entry in the options database table. Attackers can target the weakness to gain admin access or inject arbitrary data into the site.

A total of 54 plugins were found affected by the update_option() function vulnerability in 2019, five of them with more than 100,000 installations each: Wp File Manager (500,000 installations), Easy WP SMTP (400,000), Fremius Library (200,000), Newspaper and other old tagDiv themes (100,000), and WordPress GDPR Compliance (100,000).

Last year, the Sucuri Firewall mitigated over 170 million attack attempts — a 52% increase from the previous year — with bad bots (15.8% of attacks), comment spam (6.8%), and virtual patching for known vulnerabilities (11.4%) being the most common types of incidents and malicious behavior observed.

There were only 9 new crypto-miner domains blacklisted in 2019, significantly fewer than 2018, when 100 such domains suffered the same fate. The change is likely the effect of lower crypto-currency prices and the shutdown of CoinHive during the first quarter of 2019.

Sites infected with SEO spam and generic malware experienced the largest rate of re-infections. According to the report, 20% of infected Magento websites had been re-infected with credit card skimmers, underlining the importance of adopting strong post-hack protection following cleanup.

WordPress was the most popular content management system (CMS) out there, with an estimated 62% market share and accounting for 94.23% of Sucuri’s clients in 2019.

According to the website security company, 49% of WordPress installations were outdated at the point of infection last year, a much lower percentage when compared to Joomla (90%), Magento (87%), and Drupal (77%).

As of December 2019, over two-thirds of the websites that used PHP ran a version that had already reached end-of-life (EOL) status. Last year, 54.13% of websites using PHP had PHP 5.x, 6.6% had PHP 7.0, and 8.7% had PHP 7.1, which reached EOL status on December 1, 2019.

Related: Website Infections Holding Steady at 1%, But Attacks Becoming Stealthier: Report

Related: Encrypted Threats, IoT Malware Surge Past 2018 Levels: Report