Only 15% of Malware-Infected Websites Are Blacklisted, Report Finds
Only 1% of websites are infected with malware at any given time, but this translates to a colossal 17.6 million websites overall, a new report shows. Many visitors, and website owners, rely on their search engine of choice to tell them whether any particular site is infected — but only 15% of infected websites are blacklisted by the search engines.
These figures come from the SiteLock 2019 Website Security Report (PDF). SiteLock sampled 6,056,969 websites, looking at both infections and vulnerabilities. It found that sites with an external-facing vulnerability are 3.3 times more likely to be infected. XSS vulnerabilities are found in 1.44% of sites, and 3% of those contain malware.
SQLi vulnerabilities are found in 6% of sites, and 2% of those have malware. Cross-site request forgery (CSRF) vulnerabilities are present in 1% of sites, and of those, 3% have malware.
Overall, website attacks grew by 59% during 2018, averaging 62 attacks per day over the year from 330 different bots. Despite this, the number of infected websites remained constant at 1% through the year. It suggests that website defenses may be becoming more effective.
Only 15% of malware-infected websites were blacklisted, down 4% from the beginning of 2018 — so websites need to be proactive in monitoring for malware rather than rely on the search engines to do it for them.
Thirty-eight percent of websites are built with WordPress, Joomla or Drupal. Forty-eight percent of all CMS websites use WordPress. SiteLock found that keeping up-to-date with the core software isn’t enough to guarantee security in CMS websites. For example, it found that of those sites using the latest CMS cores, 34% of Drupal sites, 9% of Joomla and 4% of WordPress sites still had a vulnerability. Many of these vulnerabilities are found in the themes and plugins used to enhance or tailor the sites.
The most common categories of malware found on websites are backdoors, shells and JavaScript files. JavaScript files differ from backdoors and shells because their primary intent is to hijack visitors rather than take control of the website. JavaScript infections are increasingly popular with criminals because they tend to be symptomless to the website owner, generating little ‘noise’.
Defacement continue to fall in popularity, found on only 15% of infected sites. SEO spam is also falling, accounting for only 2% of the malware cleaned, and on only 18% of infected websites. SiteLock believes that attackers are moving to stealthier attacks, and SEO spam is by its nature, very noisy.
Stealthier attacks are higher. These include backdoors, shell and file modification — which were found on 50% of all infected websites.
Crypto-related malware is falling, and SiteLock believes that it will continue to decrease. Verizon’s 2019 DBIR also noted the failure in the expected growth of cryptomining over 2018, but did not offer an explanation (its head of security research, Alex Pinto, told SecurityWeek that any correlation between the price of, say bitcoin, and the prevalence of cryptomining could make a study for the future).
SiteLock is less reserved: “With the crash of Bitcoin, the closing of cryptomining service Coinhive, and reduction of value on other currencies, bad actors have less motivation to leverage this strategy.” The implication from SiteLock is that if cryptocurrencies increase in value again, as they did dramatically at the end of 2017, then cryptomining could return.
SiteLock detected a decline in ‘noisy’ attacks against websites. “The more files an attack kit requires,” it said, “the more likely it is that either a malware scanner or website developer will spot it and remove it.” But while noisy attacks are decreasing, stealthy attacks are increasing. More and more, search engines appear to be erring on the side of caution when blacklisting websites for fear of false positives (the number of blacklisted sites declined by 4% over the year). The attackers are taking advantage of this by becoming stealthier, making it harder for the search engine scanners to detect with sufficient certainty to trigger the blacklist.
Related: 18.5 Million Websites Infected With Malware at Any Time
Related: NIST Small Business Cybersecurity Act Becomes Law
Related: Website Attacks Surge: Report
Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress