How Websites Get Hacked: A 2016 2nd And 3rd Quarter Report
How Websites Get Hacked: A 2016 2nd And 3rd Quarter Report by todhost(m): 3:12am On Jan 30, 2017
Source: https://www.todhost.com/blog/how-websites-get-hackked-a-2016-2nd-and-3rd-quarter-report.html

The data in this report is based on compromised websites worked on by the Sucuri team, with insights and analysis performed by the Sucuri Incident Response Team (IRT) and Malware Research Team (MRT).

CMS Analysis

The analysis was based on over 9,000 infected websites. The four open-source Content Management Systems (CMS) we focus on in our report include WordPress (78%), Joomla! (14%), Magento (5%), and Drupal (2%).

One interesting data point is that WordPress installations were out of date 55% of the time, while Joomla! (86%), Drupal (84%), and Magento (96%) continue to lead the way with out-of-date software.

[Figure: Out of Date CMS Distribution]

As WordPress makes up the largest sampling in our environment (78%), we place special emphasis on the top three plugin vulnerabilities contributing to 22% of WordPress site hacks.

[Figure: Top 3 vulnerable WordPress plugins 2016-Q2]

In this report, we also include a new dataset that shows the most popular WordPress plugins and their distribution amongst the sample set. On average, WordPress installations had 12 plugins installed at any given time.

Blacklist Analysis

We also looked at the number of websites that were blacklisted. We felt this was an important bit of data to include, as the impact on website owners can be devastating.

Per our data, 18% of the infected websites we analyzed were blacklisted, which means that 82% of the infected websites we worked on were not flagged. The most prominent blacklist was Google Safe Browsing with 52% of blacklisted sites. Here is a more complete distribution of the blacklist APIs we monitored:

[Figure: Percent of Sites Blacklisted by Google, Norton, Yandex, and McAfee]

Malware Analysis

We also focused on understanding what attackers were doing once they successfully hacked a website, specifically the payloads they were using.

Our analysis shows that SEO spam continues to be a go-to for attackers, with a 6% increase over the first quarter of 2016. In total, 38% of sites had some form of SEO spam injection. Backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection.

Some quick takeaways that you might find interesting:

WordPress continues to lead the infected websites worked on (at 74%), and the top three plugins affecting that platform are still Gravity Forms, TimThumb, and RevSlider.
WordPress saw a 1% decrease in out-of-date core software and infected websites, while Drupal had a 3% increase. Joomla! and Magento website deployments continue to show the most out of date instances of any platform.
New data points show that on average, WordPress installations have 12 plugins, and the report provides a list of the most popular plugins within our set of compromised sites.
New data points were introduced showing what percentage of infected websites were blacklisted. Only 18% were blacklisted, and Google made up 52% of that grouping (or 10% of the total infected sites).
Analyzing the malware families showed that SEO spam continues to be on the rise, increasing to 38% (a 6% increase) and backdoors rose to 71% of compromised sites.


In the 3rd quarter of 2016, the following findings were obtained on how websites are hacked:

The Hacked Website Trend report is a report produced by Sucuri. It summarizes the latest trends by bad actors, identifying the latest tactics, techniques and procedures (TTPs) seen by the Remediation Group (RG). This report will build on the data from the previous quarters, including updated data for 2016 Quarter 3.

The one constant you’ll find in this report is the issues pertaining to poorly trained website administrators (i.e., webmasters) and their effect on websites.

This report provides trends based on the CMS applications most affected by website compromises, the type of malware families being employed, and updates on the state of website blacklisting. It removes the data pertaining to WordPress plugin configurations.

This report is based on a representative sample of the total number of websites the Sucuri RG performed incident response services on in Calendar Year (CY) 2016 Quarter 3 (CY16-Q3). A total of 7,937 infected websites were analyzed in this report. This sampling was the most accurate representation of the total sites Sucuri worked on in this quarter.

CMS Analysis

Based on our data, similar to 2016 - Q1 / Q2, the three leading CMS platforms were WordPress, Joomla! and Magento. Again, this does not imply these platforms are more or less secure than others.

In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters.

[Figure: Infection distribution WordPress, Joomla, Drupal, and Magento]

The Q3 report shows things were relatively stable across all platforms. The overall changes seemed marginal, with both Joomla! and Magento experiencing a 1% increase. The modest increase in Magento is not a surprise, taking into consideration the trend this year of attackers shifting their focus to platforms used for online commerce (i.e., e-commerce).

[Figure: Hacked CMS by month, WordPress, Joomla, Drupal, and Magento]

Outdated CMS Analysis

While the leading cause of infections stemmed from vulnerabilities found in the extensible components of the CMS applications (i.e., extensions, plugins, modules), it’s also important to analyze and understand the state of the CMSs we worked on.

A CMS was considered out of date if it was not on the latest recommended security version or had not patched the environment with available security updates (as is the case in Magento deployments) at the time Sucuri was engaged to perform incident response services.

The most surprising change this quarter was the 6% increase in out of date, vulnerable versions of WordPress installations at the point of infection. In Q1 / Q2, hacked WordPress sites recorded outdated installations at 56% and 55% respectively.

Drupal also experienced a 2% increase from Q2 to Q3.

Similar to prior quarters, Magento (94%) and Joomla! websites (84%) were mostly out of date and vulnerable at the point of infection.

There was no change in why we believe this is happening. It appears to stem from three areas: highly customized deployments, issues with backward compatibility, and the lack of staff available to assist in the migration within the respective organizations. These tend to create upgrading and patching issues for the organizations that leverage them for their websites through incompatibility issues and potential impacts to the website's availability.

The most concerning aspect of this trend is with the Magento platform, one of the leading platforms for online commerce by large organizations. There is an increase in interest by attackers targeting the platform for its rich data environment, targeting cardholder data (i.e., credit card information, including up to PAN information).

WordPress Analysis

Similar to prior quarters, we provide a deep dive analysis into the WordPress platform as it makes up 74% of our sampling.

The top three WordPress plugins continue to be TimThumb, Revslider, and Gravity Forms:

[Figure: Top hacked WordPress plugins]

These were the top three out of date, vulnerable, plugins at the point in which Sucuri provided incident response services:

[Figure: Out of date plugins]

In Q3 there is an improvement in Revslider, dropping from 10% to 8.5%, and in GravityForms, dropping from 6% to 4%. The total number of infected WordPress installations as a result of these three platforms has dropped significantly this year, from 25% in Q1, to 18% in Q3. The continued decrease is expected as more website owners and hosts continue to proactively patch out of date environments. The most interesting, and possibly disturbing, dataset is the lack of change in TimThumb. We believe this has to do with the fact that many website owners are unaware that they have the script on their site at all, similar to what we see with Revslider.

The data shows, however, that as these get patched, others will begin to take their place. Currently there are no other plugins that are being used en masse that would represent greater than 1% of the sampled dataset.

Note: All three plugins had a fix available for over a year, with TimThumb going back multiple years (four to be exact, circa 2011). Gravity Forms was patched in version 1.8.20, December 2014, to address the Arbitrary File Upload (AFU) vulnerability that is causing the issues identified in this report. RevSlider was patched silently in February 2014, publicly disclosed by Sucuri in September 2014, with mass compromises starting (and continuing) since December of 2014. This illustrates the challenges the community faces in making website owners aware of the issues, enabling the website owners to patch the issues, and facilitating the everyday maintenance and administration of websites by their webmasters.

Blacklist Analysis

Website blacklists have the ability to adversely affect website owners, so it’s important to understand how to remove a blacklist warning.

A website being flagged by a blacklist authority like Google can be devastating to website functionality. It can affect how visitors access a website, how it ranks in Search Engine Result Pages (SERP) and also adversely affect communication mediums like email.

Per this analysis, approximately 15% of the infected websites were blacklisted (a 3% drop from 18% in Q2). This indicates that approximately 85% of the thousands of infected websites worked on were freely distributing malware. This highlights the importance of continuous monitoring of your web property beyond traditional means like Google and Bing webmaster tools. It also highlights that blacklist monitoring is not enough to detect whether a site has been compromised.

[Figure: Website blacklist warning distribution Google, McAfee, Norton]

The most prominent blacklist was Google Safe Browsing; it accounted for 69% of the blacklisted sites, which also happens to be 10% of the total infected sites worked on. Norton Safe Web had 24% of the total blacklists and McAfee SiteAdvisor captured 10% of the blacklists. All other blacklists checked flagged less than 1% and were removed from the report (including: PhishTank, Spamhaus, and a couple of smaller ones).

Note: The percentage will never be 100% as some sites were flagged by multiple blacklists at the same time.

Malware Families

Part of the research over the past quarter includes analyzing the various infection trends, specifically how they correlate to malware families. Malware families allow for better assessment and understanding of the attackers' tactics, techniques and procedures (TTP), which inevitably leads to their intentions.

A hacked site can have multiple files modified with different families of malware in them (a many-to-many relationship). It depends on the attacker's intent (i.e., action on objective) in how they plan to leverage their new asset (i.e., the website that is now part of their network).
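The report's definition of "out of date" (core not on the latest recommended version, plugins without the available fix) can be checked offline against a webroot. The script below is an added example written for this page; it is not code from Sucuri or from the poster. It reads the WordPress core version from wp-includes/version.php and each plugin's "Version:" header, compares them against a caller-supplied policy, and flags any copy of TimThumb found under the tree, since the report notes that owners often do not know the script is there. Assumptions: the policy table (latest core 4.6.1 as the comparison point; the Gravity Forms 1.8.20 fix is the one figure taken from the note above), the TimThumb match on the word "timthumb" in the file header plus its VERSION constant, and the sample webroot, which is constructed in a temporary directory.

```python
"""Offline out-of-date audit for a WordPress webroot (added example)."""
import os
import re
import shutil
import tempfile

# "Version:" header that WordPress itself reads from a plugin's main file.
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)
# $wp_version = '4.5.3'; as written in wp-includes/version.php
CORE_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# TimThumb declares its version as a PHP constant (assumption about its header).
TIMTHUMB_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(v):
    """'1.8.19' -> (1, 8, 19); a non-numeric tail such as '-rc1' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _head(path, n=4096):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read(n)


def core_version(webroot):
    path = os.path.join(webroot, "wp-includes", "version.php")
    if not os.path.isfile(path):
        return None
    m = CORE_VERSION_RE.search(_head(path))
    return m.group(1) if m else None


def installed_plugins(webroot):
    """slug -> declared version, from the first .php file in each plugin dir
    that carries a Version header."""
    found = {}
    pdir = os.path.join(webroot, "wp-content", "plugins")
    if not os.path.isdir(pdir):
        return found
    for slug in sorted(os.listdir(pdir)):
        d = os.path.join(pdir, slug)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".php"):
                m = PLUGIN_VERSION_RE.search(_head(os.path.join(d, name)))
                if m:
                    found[slug] = m.group(1)
                    break
    return found


def find_timthumb(webroot):
    """TimThumb is usually bundled inside a theme under a name like thumb.php,
    so match on the header text rather than on the filename."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and "timthumb" in _head(path).lower():
                m = TIMTHUMB_RE.search(_head(path))
                hits.append((os.path.relpath(path, webroot), m.group(1) if m else "unknown"))
    return hits


def audit(webroot, policy):
    """policy = {"core": latest_version, "plugins": {slug: first_fixed_version}}.
    Returns (item, installed_version, reason) tuples; empty means up to date."""
    findings = []
    core = core_version(webroot)
    if core is None:
        findings.append(("core", "unknown", "wp-includes/version.php not found"))
    elif parse_version(core) < parse_version(policy["core"]):
        findings.append(("core", core, "below latest %s" % policy["core"]))
    for slug, ver in installed_plugins(webroot).items():
        fixed = policy["plugins"].get(slug)
        if fixed and parse_version(ver) < parse_version(fixed):
            findings.append((slug, ver, "below fixed release %s" % fixed))
    for path, ver in find_timthumb(webroot):
        findings.append(("timthumb", ver, "found at %s; remove unless required" % path))
    return findings


# Constructed sample: old core, vulnerable Gravity Forms (fixed in 1.8.20 per
# the report), a current Akismet, and a TimThumb copy hidden inside a theme.
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.5.3';\n",
    "wp-content/plugins/gravityforms/gravityforms.php":
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 1.8.19\n*/\n",
    "wp-content/plugins/akismet/akismet.php":
        "<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.2\n */\n",
    "wp-content/themes/legacy/lib/thumb.php":
        "<?php\n/* TimThumb image resizer (constructed header) */\ndefine ('VERSION', '1.33');\n",
}
# Assumed comparison point for "latest" core at the time of the report.
SAMPLE_POLICY = {"core": "4.6.1", "plugins": {"gravityforms": "1.8.20"}}


def run_sample():
    root = tempfile.mkdtemp(prefix="wp-audit-")
    try:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
        return audit(root, SAMPLE_POLICY)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item, ver, why in run_sample():
        print("%-13s %-8s %s" % (item, ver, why))
```

Run it against a real webroot by calling audit(path, policy) with the policy filled from the vendor's current release notes; a plugin that is absent from the policy is reported only if it is TimThumb. The declared header version is what the site thinks it runs, so a hand-edited or renamed plugin can still lie to this check; treat a clean result as necessary, not sufficient.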

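The blacklist section's finding that about 85% of infected sites were never flagged is an argument for watching the files themselves rather than waiting for Google. As an added example (not part of the Sucuri report or of this post), the script below takes a SHA-256 baseline of a webroot and diffs the live tree against it, which is the plainest way to surface the injected backdoors and SEO spam that the malware section counts. The webroot, the simulated compromise (a hidden link appended to a theme footer and a new PHP file under uploads) and the ignored cache directory are all constructed sample data; the baseline location and the ignore list are assumptions to tune per site.

```python
"""File-integrity baseline and diff for a webroot (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

# Directories that legitimately churn; nothing under them is hashed.
# The list is an assumption for the sample; tune it per site.
DEFAULT_IGNORE = ("wp-content/cache",)


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot, ignore_dirs=DEFAULT_IGNORE):
    """Relative path -> sha256 for every file under webroot, pruning ignored dirs."""
    digests = {}
    for dirpath, dirnames, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir

        def rel(name):
            return rel_dir + "/" + name if rel_dir else name

        dirnames[:] = [d for d in dirnames if rel(d) not in ignore_dirs]
        for name in files:
            digests[rel(name)] = file_sha256(os.path.join(dirpath, name))
    return digests


def diff_snapshots(baseline, current):
    """Added, modified and removed paths; each one is a lead for manual review."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "removed": sorted(base - cur),
    }


def save_baseline(digests, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _write(root, rel, body, append=False):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "a" if append else "w", encoding="utf-8") as f:
        f.write(body)


def run_sample():
    """Constructed webroot, baseline, then a simulated compromise and the diff."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    store = tempfile.mkdtemp(prefix="wp-fim-baseline-")  # baseline kept outside webroot
    try:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-content/themes/twentysixteen/footer.php",
               "<?php wp_footer(); ?>\n</body></html>\n")
        _write(root, "wp-content/cache/page.html", "<html>cached</html>\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated compromise (constructed, inert): SEO spam appended to the theme
        # footer, a dropper-style PHP file in uploads, plus legitimate cache churn
        # that must not show up in the diff.
        _write(root, "wp-content/themes/twentysixteen/footer.php",
               '<div style="display:none"><a href="http://example.invalid/">spam</a></div>\n',
               append=True)
        _write(root, "wp-content/uploads/cache.php",
               "<?php /* constructed stand-in for an injected backdoor; does nothing */ ?>\n")
        _write(root, "wp-content/cache/page.html", "<html>cached v2</html>\n")

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in run_sample().items():
        for p in paths:
            print("%-9s %s" % (kind, p))
```

Two operational points matter more than the hashing. Store the baseline where the web server's user cannot write it (off the host, or at least outside the webroot and owned by a different account), otherwise an attacker who can drop a backdoor can also re-baseline it. Re-take the baseline immediately after every legitimate deploy or update, so that a diff only ever shows changes nobody authorised.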