Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Website Infections Holding Steady at 1%, But Attacks Becoming Stealthier: Report

Only 15% of Malware-Infected Websites Are Blacklisted, Report Finds

Only 15% of Malware-Infected Websites Are Blacklisted, Report Finds

Only 1% of websites are infected with malware at any given time, but this translates to a colossal 17.6 million websites overall, a new report shows. Many visitors, and website owners, rely on their search engine of choice to tell them whether any particular site is infected — but only 15% of infected websites are blacklisted by the search engines.

These figures come from the SiteLock 2019 Website Security Report (PDF). SiteLock sampled 6,056,969 websites, looking at both infections and vulnerabilities. It found that sites with an external-facing vulnerability are 3.3 times more likely to be infected. XSS vulnerabilities are found in 1.44% of sites, and 3% of those contain malware.

SQLi vulnerabilities are found in 6% of sites, and 2% of those have malware. Cross-site request forgery (CSRF) vulnerabilities are present in 1% of sites, and of those, 3% have malware.

Overall, website attacks grew by 59% during 2018, averaging 62 attacks per day over the year from 330 different bots. Despite this, the number of infected websites remained constant at 1% through the year. It suggests that website defenses may be becoming more effective.

Only 15% of malware-infected websites were blacklisted, down 4% from the beginning of 2018 — so websites need to be proactive in monitoring for malware rather than rely on the search engines to do it for them.

Thirty-eight percent of websites are built with WordPress, Joomla or Drupal. Forty-eight percent of all CMS websites use WordPress. SiteLock found that keeping up-to-date with the core software isn’t enough to guarantee security in CMS websites. For example, it found that of those sites using the latest CMS cores, 34% of Drupal sites, 9% of Joomla and 4% of WordPress sites still had a vulnerability. Many of these vulnerabilities are found in the themes and plugins used to enhance or tailor the sites.

The most common categories of malware found on websites are backdoors, shells and JavaScript files. JavaScript files differ from backdoors and shells because their primary intent is to hijack visitors rather than take control of the website. JavaScript infections are increasingly popular with criminals because they tend to be symptomless to the website owner, generating little ‘noise’.

Defacement continue to fall in popularity, found on only 15% of infected sites. SEO spam is also falling, accounting for only 2% of the malware cleaned, and on only 18% of infected websites. SiteLock believes that attackers are moving to stealthier attacks, and SEO spam is by its nature, very noisy.

Stealthier attacks are higher. These include backdoors, shell and file modification — which were found on 50% of all infected websites.

Crypto-related malware is falling, and SiteLock believes that it will continue to decrease. Verizon’s 2019 DBIR also noted the failure in the expected growth of cryptomining over 2018, but did not offer an explanation (its head of security research, Alex Pinto, told SecurityWeek that any correlation between the price of, say bitcoin, and the prevalence of cryptomining could make a study for the future). 

SiteLock is less reserved: “With the crash of Bitcoin, the closing of cryptomining service Coinhive, and reduction of value on other currencies, bad actors have less motivation to leverage this strategy.” The implication from SiteLock is that if cryptocurrencies increase in value again, as they did dramatically at the end of 2017, then cryptomining could return.

SiteLock detected a decline in ‘noisy’ attacks against websites. “The more files an attack kit requires,” it said, “the more likely it is that either a malware scanner or website developer will spot it and remove it.” But while noisy attacks are decreasing, stealthy attacks are increasing. More and more, search engines appear to be erring on the side of caution when blacklisting websites for fear of false positives (the number of blacklisted sites declined by 4% over the year). The attackers are taking advantage of this by becoming stealthier, making it harder for the search engine scanners to detect with sufficient certainty to trigger the blacklist.

Related: 18.5 Million Websites Infected With Malware at Any Time 

Related: NIST Small Business Cybersecurity Act Becomes Law 

Related: Website Attacks Surge: Report 

Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...