2021 Website Threat Research Report
An analysis of the latest trends in malware and hacked websites detected (or remediated) by Sucuri.
Our Website Threat Research Report details our findings and analysis of emerging and ongoing trends and threats in the website security landscape. This is a collection of the observations made by Sucuri’s Research and Remediation experts of data collected on web-based malware, vulnerable software, and attacks during 2021.
Our 2021 Website Threat Research Report details our findings and analysis of emerging and ongoing trends and threats in the website security landscape. We’ve put together this analysis to help keep website owners informed and aware of the dangers posed by malicious actors. This is a collection of the observations made by Sucuri’s Research and Remediation experts of data collected on web-based malware, vulnerable software, and attacks during 2021.
We examined our data sets to identify the most common types of infections and threats facing our clients websites. What our data revealed was that, not unlike in previous years, website backdoors were linked to a large majority of compromised environments with 60.04% of websites containing at least one backdoor at the time of cleanup. SEO spam also remained one of the most common types of infections, with 52.6% of compromised websites containing spam malware at the time of cleanup.
Our research team continued to track the years-long campaign of website redirects to spam/scam websites through the exploitation of vulnerable plugins. As seen in past years, this campaign continued to burden website owners — in 2021 alone, over 65,000 websites scanned by SiteCheck were found to be infected with variations attributed to this campaign targeting vulnerable WordPress components.
A number of new trends also emerged, mostly related to credit card skimming attacks on ecommerce websites. The number of credit card theft infections rose significantly in 2021. 503 domains were added to our blocklist for skimming attacks, the largest number to date. We also saw a dramatic increase in the number of credit card skimming signatures produced by our research team, 41.1% of which belonged to PHP backend credit card skimmer infections.
WooCommerce plugin users became increasingly targeted due to its large footprint in the ecommerce landscape. Roughly one out of every three websites with a detected credit card skimmer were running WordPress. Malicious payloads are often specifically crafted for the victim’s website to give the attack the best chances. Mid-market level websites remain the biggest targets for those threat actors.
Key Takeaways for 2021
Vulnerable plugins and extensions account for far more website compromises than out-of-date, core CMS files.
- Roughly half of our clients’ websites contained an up-to-date CMS at the point of infection, suggesting that vulnerable plugins/themes/extensions play an equal or larger role in terms of risk.
- Websites containing a recently vulnerable plugin or other extension are most likely to be caught up in malware campaigns.
- Even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it.
Default configurations of popular website software applications remain a serious liability.
- By default, WordPress administrator panels contain no multi-factor authentication, nor a limit on failed login attempts.
- The use of security plugins remains a prerequisite to properly secure the most popular CMS platform on the web (WordPress).
- Poor default configurations in cPanel and WHM are a common issue.
Credit card skimming is on the rise, especially for WordPress.
- Hacker groups are actively developing and customizing their malware. Each variation is distributed to a small number of sites, but the overall number of affected sites is significant.
- Unlike most compromises we see, skimming attacks are more often targeted rather than opportunistic.
- Credit card skimmers are becoming more common in exploit kits affecting WordPress websites.
SEO spam continues to be a menace.
- 52.6% of remediated websites contained some form of SEO spam in 2021. Spam also accounted for 34.45% of infected SiteCheck detections.
- Pharmaceutical content continues to be one of the leading themes for SEO spam because of the immediate gain and broad target.
Backdoors and malicious admin users remain the backbone of many compromises.
- Backdoors were the most common type of infection found, with 60.04% of infected environments containing at least one website backdoor.
- The most common types of backdoors were uploaders and webshells. Together, they comprised nearly half of all new backdoors found in 2021.
- Compromised websites that did not have a detected backdoor at the time of cleanup often contained a malicious admin user instead.
Website reinfections remain common.
- A website compromise can be a miserable experience. Website owners are often averse to taking all the necessary post-infection steps, but if measures aren’t taken the attackers are likely to return.
- Updating vulnerable software and securing admin panels remains top priority for those facing a compromise.
Malware tends to focus on either quality or quantity.
- Malware that redirects visitors to spam/scam pages (as seen in siteurl/homeurl infections) exploits vulnerable plugins and themes. Their goal is to compromise as many websites as possible, in the shortest time period possible, to affect as many users as possible. They do not care about staying hidden.
- Malware that compromises credit card details is the opposite: They try to have a small, very well hidden payload to stay present as long as possible in order to steal as many card numbers as they can.
- Based on the number of signatures for credit card skimmers generated, we can conclude that the attackers are spending much more time customizing their payloads for credit card theft to avoid detection and target specific websites.
Cryptomining attacks are no longer very common.
- Previously considered a prevalent attack, cryptomining malware is now fairly uncommon.
- Cryptomining has largely moved away from website and server environments, focusing instead on dedicated hardware “farms”.
Responsible disclosure and proactive security monitoring is key to maintaining a safe web.
- Some major catastrophes were avoided in 2021. Major plugins with millions of installations had vulnerabilities patched with very few incidents, due to proactive security monitoring, patching, and exceptional communication with the public.
- Vulnerable plugins and extensions that were abandoned by their authors proved to be some of the most severe and persistent attack vectors.
- Website administrators using automatic plugin updates were among those with the lowest risk.
The data used in this report is a representative sample of the total number of websites that our Remediation team performed services for throughout the year 2021. This includes 46,517 websites cleaned by our incident response team and more than 132 million SiteCheck scans.
This report is our attempt to compile the data from our incident response and Research teams and reflect the ongoing trends in the threat landscape affecting everyday website owners, particularly for popular CMS platforms such as WordPress, Joomla, Drupal and Magento.
This data reflects the environments of our clients and not the web as a whole. Our analysis does not look to measure the effectiveness of existing security controls, including hardening or web application firewalls.
Based on our data, the following graph illustrates the usage of different CMS platforms among our client base.
These data sets indicate that WordPress continues to be the most popular CMS among our user base, accounting for 95.62% of clients in 2021. As seen in past years, Joomla (2.03%) followed in second place with Drupal (0.82%) taking third.
Vulnerable Software & Components
Attackers often create automated scripts to scan the web for any sites containing known software vulnerabilities, and these vulnerabilities are one of the leading causes for website infections. When a target is identified, the exploit delivers its payload to obtain unauthorized access to the compromised environment where the attacker is then able to deploy other tools depending on available resources.
In this section, we analyze outdated and vulnerable website software and third party components seen during remediation in 2021.
The percentage of websites that had an out-of-date CMS at the time of infection was roughly equal.
Our data suggests that out-of-date CMS only roughly correlates to infection, and points to the usage of vulnerable plugins and themes as well as unsecured admin panels to be of greater importance in terms of security risk.
The presence of out-of-date CMS may not necessarily be the attack vector itself but rather a symptom of a lack of maintenance of the environment.
Out-of-date CMS Distribution
Out of all of the websites submitted for malware cleanup, WordPress and ModX were by far the most well maintained.
Percentage of identified out of date websites submitted for malware removal
Platforms such as vBulletin, PrestaShop, and Typo3 had a 100% out-of-date rate, with OSCommerce and OpenCart not far behind. It is likely that many of these websites became our clients only after they were compromised.
Both Joomla and Magento have different branch versions, and updating them is not as simple as a single-click update found in environments like WordPress. This may explain why they’re lagging behind in patches. Magento 1 reached end of life in 2020 but many site administrators are stuck and unable to upgrade for various reasons.
Keeping your website up to date and ensuring that all plugin, theme and core CMS patches are installed is the single best thing you can do to avoid a website compromise. Protecting your admin panel and using robust passwords will also help prevent unauthorized access to your environment.
Vulnerable Components & Themes
The following chart illustrates the top ten most commonly identified vulnerable software components present at the time of infection, and is calculated based on the percentage of all vulnerable plugins identified within our data.
This data does not necessarily indicate that these plugins were the attack vector, but they did contribute to an overall insecure environment.
These top ten vulnerable components make up over three quarters of all identified vulnerable plugin components. Amazingly, TimThumb is the second most common, despite the vulnerability being over a decade old!
Usage of vulnerable software components such as plugins and themes remains one of the top two causes of website infection — the other being the usage of weak passwords, especially those used for unprotected admin panels.
Many thanks to all the security researchers across the web who worked hard to identify vulnerable components and help make the web a safer place for everyone.
Out-of-date PHP Versions
The share of our clients using PHP 7.X or higher topped 60% — the first time we’ve recorded a majority of users in the 7.X branch. Over a quarter of environments are still using deprecated versions of 5.X.
Many website owners still use deprecated versions of PHP because their custom code, themes, or plugins are incompatible with newer versions — or they are simply unwilling or unable to update. Many websites are also dependent on their hosting provider to provide PHP backend updates and may have little to no control over their PHP version. What this ultimately means is that well nearly two thirds of these websites are using PHP versions that have reached EOL, are not receiving regular security updates, and may be vulnerable.
Over two thirds of environments are still using deprecated versions of PHP, exposing these sites to unpatched security vulnerabilities.
Top 10 Most Severe 2021 WordPress Vulnerabilities by Usage
We analyzed our cleanup and detection scripts to identify the top ten most vulnerable software components ranked by number of installations for 2021.
Despite the sheer volume of users impacted, some of these software vulnerabilities were handled very well and impact was minimized. WooCommerce and All In One SEO have millions of installations, but due to prompt response and responsible disclosure the issues were patched before any major issues or mass-infections occurred. Website owners who employ auto-updates for plugin components were the most well protected, along with those employing a Web Application Firewall (WAF) to block attack attempts.
Keeping website software and third-party components up-to-date with the latest security patches is the single most important thing you can do to stay on top of emerging vulnerabilities. If you are unable to make timely updates, a website firewall can provide virtual patching and hardening against known threats.
The Log4J vulnerability was easily one of the most serious vulnerabilities affecting a large majority of the web in 2021.
This critical server vulnerability impacted any website, application, or hardware device using the software. Server administrators all over the world scrambled to identify and patch affected or potentially vulnerable systems before the attackers were able to compromise them.
The number of compromised systems due to Log4J will never be known, but the impact was massive. It will likely persist in the threat landscape for years to come.
Top 10 2021 WordPress Vulnerabilities by CVSS Score
To reveal the most severe WordPress vulnerabilities, we organized the top ten in order of CVSS rating.
* – Indicates the component was abandoned and no patched version exists. The extension must be fully removed and replaced by the website administrator.
Certain plugins such as Kaswara and Store Locator Plus were abandoned by their plugin authors and posed a major nuisance for website owners.
For example, users leveraging the Kaswara Page Builder had to design their entire website around the plugin. Since removing the plugin would render the website unusable, the only option for clients would be to rebuild their entire website from scratch or use a firewall to block the exploits.
Even with the overall low number of installations, these two abandoned plugins played a disproportionate nuisance in terms of compromised websites, particularly reinfections.
Our analysis and investigations are a key component in the development of our cleanup rules and signatures. These pieces of code provide our tools with the information necessary to identify and mitigate a variety of website threats including SEO spam, phishing, hidden backdoors, hacktools and other malware.
Top Detected Malware
To identify the most common malware types seen on compromised websites in 2021, our team aggregated and analyzed the data from malware signatures detected and cleaned during Incident Response.
Why is there a percentage overlap?
Our teams regularly find multiple types of malware on a compromised website. For example, attackers might infect a website with spam and plant a website backdoor on a website to maintain access to the environment.
In 2021, 61.65% of remediated websites were flagged with the malware category. Malware is a very broad category which often includes code designed to redirect website visitors to scam and other malicious websites or steal login credentials. It typically engages in some type of malicious action against site visitors, in contrast to backdoors and hack tools that facilitate hacker activities or spam that aims to increase SEO rankings to third party sites.
The most common type of malware that we deal with other than backdoors is PHP malware. PHP is the backbone of most of the web, with most CMS platforms (including WordPress) written primarily in it.
One of the most prevalent infections that persisted through 2021 were siteurl/home URL infections.
The attack is very simple: two database entries within the wp_options table are modified, and the legitimate domain is replaced with a malicious or spammy domain. All traffic to the website gets redirected to a domain of the attacker’s choosing.
An example website affected by a siteurl/homeurl infection
Quite a few vulnerable plugins were used to inject this malware throughout the year, most of them belonging to the open source WordPress repository.
Another fairly common tactic that we saw throughout 2021 was the use of malware spawning malicious processes which immediately reinfect the website files. This typically affects the ./index.php file as well as the primary .htaccess file in the web root.
It overrides the file permissions and forcibly changes them to 444, preventing modifications to the files.
The process persists on the server and will respawn itself if the payload infection is not cleaned quickly enough. The infected files spawn the process, and the process reinfects the files. This is also frequently coupled with .htaccess malware.
The Rise and Fall of Cryptominer Malware
We first identified that cryptomining malware was decreasing in popularity back in our 2019 threat report. 9 domains were added to our blocklist that year — in comparison, we added only 1 in 2021.
A total of 4132 detections for cryptomining infections were found in the last year, less than 4% of our total detections. This is up from roughly 2.6% the previous year, but it still plays a largely minor role in the overall detected malware landscape.
Cryptomining malware appears to have been eclipsed by more dedicated “farm” type operations utilizing networks of powerful GPUs.
Credit Card Skimming Malware
2021 saw a dramatic increase in the number of credit card skimming signatures produced by our research team, 41.1% of which belonged to PHP backend credit card skimmer infections.
Our analysis also revealed a growing number of credit card theft occurring on independent websites where the store has set up their own ecommerce website.
We saw a lift in skimmer infections during the latter part of the year which appeared to be built into common exploit kits and merely acted as a component part of a broader website compromise.
Skimmers (mis)Using Google Tag Manager
These skimmers are often only detectable by manually inspecting network traffic loading on the checkout page, or by reviewing the GTM tag identifiers and comparing them to the known-legitimate GTM tags used on the website. Sometimes hackers will also compromise Google accounts and modify otherwise legitimate scripts in the tag manager to insert their malware.
Emerging PHP Malware
A large number of new file cleanup signatures were produced specifically for PHP malware in 2021.
One very interesting point in this data is the hugely disproportionate number of signatures we created in 2021 for credit card stealers impacting Magento, WordPress, and other ecommerce platforms like OpenCart. Magento makes up only less than 1% of our total malware cleanups, but over 10 times that amount of new malware cleanup signatures (although some affect WordPress as well).
This data may suggest a few things:
- Attackers spend more time crafting new malware for ecommerce environments.
- Attackers have more to gain financially from credit card skimmers than other types of infections.
- The longer their malware is able to remain hidden, the more they stand to gain, encouraging them to craft new methods of obfuscation and evasion.
Stolen credit card data is often sold on the illegal market and its value is determined by whether the data is valid or not. If the attacker has obtained the credit card info from somewhere other than a compromised ecommerce website, they need to verify that the data is valid and usable.
This is the reason why many banks across the world immediately raise a red-flag if a $1 purchase is made especially when it’s at odd hours. This often represents that someone is testing that specific credit card somewhere to check if it’s actually valid and works. The other side of this coin is if you own an ecommerce website and suddenly you see many people suddenly buying something for 1$, it may indicate that someone is testing credit cards on your website and this may bring on other issues down the line.
Attackers commonly test a large amount of cards in a short amount of time, so for this, they usually pick a website with no rate-limiting or any form of captcha so that they can automate this testing.
Backdoors were one of the most common threats found on compromised websites in 2021, with 60.04% of all infected sites containing at least one backdoor.
An important tool for attackers, our analysts typically find backdoors alongside many other types of malware. This malware bypasses regular access channels, granting attackers full access to the website backend. Once installed, a backdoor can be used to maintain access to the compromised environment long after the infection has occurred, making it easy for the attacker to reinfect the site after the payload is removed.
We analyzed the different types of backdoors we detected and cleaned in 2021 and found the following distribution.
Uploader: A type of backdoor which allows the attackers to upload files to the victim environment. Unlike legitimate files with upload functionality, malicious uploaders do not contain any restrictions on file extension type. These allow the attackers to upload any file of their choice, and will often follow up with a full blown webshell to take over the environment.
Webshell: These backdoors allow the attackers full access to the website file system. They tend to have tremendous functionality and often give the attackers a full diagnostic of the environment (server operating system, php version, etc). They allow the attackers to change permissions of files and traverse into adjacent websites/directories depending on the environment.
RCE: These backdoors allow any attacker who knows the correct parameters to send requests to the victim website. The backdoor will attempt to execute the command issued by the attackers. They can work through a variety of different types of requests such as POST, GET, or even COOKIEs.
Compromised websites that did not have a detected backdoor at the time of cleanup often contained a malicious admin user instead.
In 2021, our Research team wrote over 400 new signatures for new, previously undetected backdoors. They came in a multitude of flavors and utilized a wide variety of functions and techniques, but the one thing they all had in common was their single purpose: to maintain access to compromised environments so they can propagate their payload or reinfect at a later date.
By far the two most common types of backdoors that we generated new signatures for were uploaders and webshells. Together, they comprised nearly half of all new backdoors found during the course of 2021.
A malicious file uploader script
As the name implies, this malicious code allows attackers who have the correct path and parameters to upload malicious files to the website. These can be leveraged to drop hacktools, webshells, or spam to the compromised environment.
A fully functional malicious webshell
This webshell serves as a dashboard interface to the website filesystem, essentially allowing the attacker to perform functions like editing, archiving, copying, or changing file permissions.
Tips to Mitigate Threat from Backdoors:
SEO spam still remains one of the most common website compromises, with 52.6% of remediated websites containing SEO spam. Infections typically occur via PHP, database injections, or .htaccess redirects.
SEO attacks often infect websites with redirects and spam, referring site visitors to spam landing pages. These attacks can significantly impact rankings and organic traffic from popular search engines like Google, Bing, and Yahoo who block websites with malicious content.
Our analysis revealed that 33.3% of SEO spam infections were spam doorways, which produce subsections of dynamic spam content on a compromised website. Another 32.2% of SEO spam infections were related to spam injectors, responsible for peppering a compromised environment with hidden spam links for SEO purposes.
Common Spam Content
Unsurprisingly, our analysis revealed that the most common SEO spam themes and keywords on compromised websites included pharmaceuticals like Viagra and Cialis.
Top Spam Themes:
- Essay writing services
- Knockoff jerseys and other brand name products
- Escort services
- Adult websites
- Online casinos
- Replica watches
- Pirated software
While a major nuisance, SEO spam infections are considered less severe than other malware variants like credit card stealers and malicious redirects to domains serving trojans and ransomware. Nevertheless, they are harmful to victim website’s reputations and SEO scores.
Left untreated, SEO spam can seriously damage a website’s reputation and take a significant time to recover. Website owners may experience a loss in revenue, hijacked search results, browser warnings, or even blocklisting.
Our remediation team handled spam post infections regularly over the course of 2021.
The infection is quite simple:
- The attackers brute force their way into a wp-admin panel.
- The compromised account is used to automatically post spam, usually for essay writing services but also themes like online casinos, bootlegged software programs and pharmaceuticals.
- The spam posts are displayed on the website’s blog or news page.
These posts frequently number in the thousands, and it can be time consuming to remove all of them. The spam is most frequently related to essay writing services, but can also include other typical spam content like pharma and online casinos.
These infections are a nuisance more than anything, but can contribute to a damaged SEO score for the compromised website.
In 2021, 20.27% of remediated websites contained a hacktool. This malware category is used to identify spam mailer mass defacement tools, botnet scripts, and DDoS attack tools.
Some other common hacktools include configuration stealers, which read addresses of database servers in shared hosting environments, data from CMS configuration files, and configuration stealers designed to read consider files to steal credentials.
One of the most commonly identified website hack kits was none other than AnonymousFox. It is a pre-built kit jam-packed with any and all functionality one would need to hack a website and its environment. It takes advantage of insecure default configurations in the most popular website administration tools like cPanel and WHM, and attempts to exploit any other vulnerabilities that it can identify within the environment. Once a foothold is established, it automates the remainder of the exploitation and malware deployment process.
These infections are most commonly associated with phishing payloads as well as spam and redirects to scam/malware sites.
For websites dealing with an infected site related to AnonymousFox, we’ve put together a handy guide with step-by-step instructions to help you clean up an AnonymousFox hack.
The second most commonly detected hacktool is actually the legitimate database administration tool “Adminer”, however we have seen it frequently used as an attack vector in the wild. The adminer tool itself doesn’t cause harm, however any attacker with database credentials can leverage the tool to inject malicious content into the database or posts, essentially offering a gateway into the website’s database.
Hacktools include a broad variety of malicious scripts related to mailers, webshells, droppers, spam tools and more. These tools are used to pilfer login details, bypass authentication, administer files or databases, hide malicious admin users from view, or drop payloads into their respective environments.
Phishing has become more prevalent in recent years, with 7.39% of websites containing some form of phishing in 2021.
Although it’s not uncommon for malicious domains to be set up to host phishing (or subdomains of otherwise legitimate websites, from compromised cPanel accounts or even compromised WHM areas) by and large what we see are legitimate websites hacked to host phishing content. This distances the attacker from their payload and allows them to avoid culpability and lower their costs.
Phishing tends to target login credentials for cloud services such as Microsoft Office and Adobe, as well as financial institutions and popular services such as Netflix. Stolen passwords are also used in credential stuffing attacks.
Our analysis of remediated websites showed some interesting patterns, namely that a great deal of these infections leverage pre-built, generic phishing kits used by attackers. Most of these phishing payloads all contain the same component parts. Specific companies and targets are added afterwards to the same basic functionality across most of these phishing infections.
The majority of phishing were payloads (phishing landing pages) targeting a wide variety of companies and services. A large portion of attackers used ready-made, pre-built phishing kits and installed them onto their targets.
These phishing kits contain many of the exact same files, with much of the detected phishing considered “generic” and could be phishing for any number of different credential types. This is because these phishing kits are sold/shared as an actual kit that includes various functionality and the ability to phish a large number of targets and the attacker can choose what to activate or not.
These kits contain some key component parts:
- A payload landing page
- A mailer script to either send the compromised data to the attackers or to send out phishing emails to victims
- Code designed to prevent search engines from indexing the payload
Besides the generic phishing content, the most commonly targeted credentials are for Microsoft, Netflix, and banking details. The rest were either component backend scripts, mailers to relay the compromised details back to the attackers, or redirect files landing the victim at a third party phishing website.
Emerging Phishing Campaigns
Our research team generated well over 100 new signatures for new phishing infections caught in the wild.
The majority were payloads (phishing landing pages) targeting a wide variety of companies and services. The rest were either component backend scripts, mailers to relay the compromised details back to the attackers, or redirect files landing the victim at a third party phishing website.
Our analysis found a variety of notable services and companies were targeted in the past year, including:
- Microsoft / OneDrive
- Various financial institutions
- Various credit card companies
- Luno (cryptocurrency)
- GMail and other mail providers
Hackers are sometimes motivated by political or religious reasons — or simply vandalize a website for hooliganism. Website vandalism triggers our defacement rules and was seen in 6.63% of compromised environments.
2021 saw an increase in the number of fake “ransomware” found on hacked sites — a type of site defacement claiming that the files have been encrypted and demanding a ransom, despite the fact that no such encryption exists.
Attackers took advantage of several vulnerable plugins which allowed them arbitrary file upload capabilities and admin access to victim dashboards. Rather than properly encrypting the files, they simply placed a defacement-like message on the home page, and unpublished the wp_posts data, making it seem like it was no longer accessible on the website.
In previous years, we did see a brief stint of proper ransomware on website files, but it was very short lived and not likely very profitable for attackers who prefer to go after larger organizations and endpoint devices rather than websites.
Top Cleanup Signatures
Now that we’ve reviewed the malware family distribution, we can dig into some of the prevalent malware we encountered during site remediation in 2021.
Our analysis revealed that the most common cleanup signature belonged to the prolific backdoor rex.multi_vars.004, impacting 22.56% of websites we cleaned in 2021.
This malware is a chaotic mess of randomly named variables using dictionary words, and it seems that no two multi_vars files are identical. It functions as a remote code execution backdoor and attackers tend to place quite a few of them in a compromised environment, typically in the root directory of the website but sometimes elsewhere as well.
This is one of the single oldest types of malware ever identified since Sucuri was founded in 2010.
A fairly generic signature, image.base64_block.001 is identified with a base64 encoded payload (usually spam) that is lodged into an image file. It is called upon by other aspects of the malware and used as a component part in a broader infection which delivers unwanted spam content into the website’s structure.
This spam payload is most often found in conjunction with rex.multi_vars.004, its coupled backdoor. It consists of a number of randomly named variables along with a large chunk of base64 encoded data, which is a spam payload that delivers spam content only to search engines.
The third component part to the rex.multi_vars.004/php.spam-seo.doorway-gen.087 infection, this simple modification to the primary .htaccess file in the root directory instructs the website to deliver the spam in the payload file to all search engine requests as well as visitors to the website who are referred to it from a search engine. Everything operates and appears normally to site visitors, but search engine results are littered with cheap, knockoff pharmaceutical advertisements and other spam.
This signature is a heavily obfuscated remote execution backdoor. It consists of a number of arrays and randomly named variables.
This is a very generic signature which identifies any PHP code lodged within an image file type (.jpg, .png, or .gif).
Developers sometimes take shortcuts when writing their code, or assume that no one will abuse their codebase. As a result, it’s not unusual to see plugins that don’t contain proper controls to validate uploaded file-types — especially plugins responsible for managing photo galleries.
Attackers will often abuse these upload functionalities on websites that allow file uploads. For security reasons, websites typically only allow certain file extensions to be uploaded, but by prepending image headers into files that contain executable code, they are able to circumvent validation checks and insert their payload into a victim’s website.
Whether or not they can actually execute that payload after the fact depends on the particular configuration of the website.
This was the most commonly identified file-based website redirect malware in 2021. The malware appends itself into the top of many files in the website structure and includes a number of bogus .ico files injected by the attackers. The .ico files themselves are heavily encoded and contain payloads which redirect visitors to the website to spam, scam and malware domains.
This is a pretty standard textbook backdoor uploader file. Once it is lodged within the file system, it allows the attackers to upload arbitrary files, including webshells, phishing kits and anything else they would find useful.
This is a backdoor uploader script related to the Anonfox malware kit. In addition to allowing backdoor and file system access to the attackers, it also includes built-in functionality to disable the popular WordPress security plugin WordFence.
This is the component backdoor often coupled with the php.malware.include.043 redirect infection. It is a very large and heavily obfuscated remote execution backdoor. It contains many randomly named variables. In an attempt to conceal itself from humans manually inspecting the file in a text editor, it also contains a very large blank space at the beginning of the injection – however, this only hides the contents if word wrap is disabled.
Incident Response & Threat Detection
In 2021, we cleaned an average of 295 infected files per site during a single malware removal request. This is the highest average of files cleaned per site to date, breaking a previous record from 2018 of 292 files.
Setting a new record, our analysts remediated a single contaminated site containing a total of 134,068 malicious files. This is the highest per-site incidence of infected files to date.
SiteCheck & Blocklist Analysis
Our SiteCheck tool is one of our most important website security monitoring tools. It is free to use and scans millions of websites per year.
Since it is an external monitoring tool, it cannot see infections that do not display outwardly on websites (such as PHP backdoors). For a comprehensive solution, Sucuri clients have full access to our server-side scanning and monitoring.
SiteCheck Summary Analysis
We queried the scans performed on SiteCheck during 2021 to identify the trends seen for our remote security scanner.
From the 132,374,781 scans performed with SiteCheck in 2021, a whopping 10.38% of websites were identified as containing out-of-date software and 4.34% were identified as infected. Of these infected websites, 34.45% had some form of SEO spam while less than 1% were website defacements.
The primary purpose of our blocklist is to help identify unwanted content on hacked, legitimate websites and aid our clients in detecting infections.
In 2021, Sucuri added a total of 741 domains to our blocklist. Over 500 of these domains were related to credit card skimmers and exfiltration.
The SiteCheck scanner found a total of 12.87% of infected websites using blocklisted resources and another 5.97% were found redirecting to blocklisted domains.
As there are hundreds of thousands of spammy domains found yearly, our goal is not to add every single one of them to the blocklist. Instead, we focus on the detection of hidden links and spam injection structures to improve our detection.
Sucuri blocklisted over 500 separate domains in 2021 related to credit card skimming and exfiltration. This is the most added to our lists in a single year.
We analyzed blocklisted resources to compare detections across different vendors. What we found is that while the Sucuri blocklist targets relatively few specific sites, it provides the most value in detecting compromised sites with blocklisted resources.
Top Blocklisted Resources
Within the top blocklisted resources, we found a number of domains related to the massive WordPress campaign our team has been tracking for several years.
This campaign largely aims to redirect users to spam, malware and scam sites. Nearly all of the domains listed below were present in siteurl/home database infections or in injections targeting wp_post content in WordPress environments.
To dig a bit deeper, we analyzed the top blocklisted resources for this ongoing campaign.
One prevalent theme that differed from previous years was the high prevalence of .ga (Gabon) and .tw (Taiwan) domains used in redirect campaigns. These top-level domains have become very popular among attackers due to lack of active regulation and domain ownership restrictions.
So-called “bulletproof” hosting companies (frequently used by attackers) are often found to actively promote the sale of these domains for that exact reason: They are not subject to any US laws, censorship or DMCA takedowns. This makes them particularly useful to use in malware campaigns.
SiteCheck Malware Detection
SEO spam accounted for 34.45% of the infected websites scanned with SiteCheck in 2021. Since this number was so significant, we dug a bit deeper to break down the types of spam found on these compromised environments.
Our analysis of the top ten SEO spam signatures for SiteCheck revealed a few prevalent themes.
Unsurprisingly, the most common theme was related to pharmaceuticals with 28.03% of SEO spam content found to be related to themes like Viagra and Cialis. This indicates that despite the long legal battles fought by pharmaceutical companies against spammers, knock-off drugs continue to be an important source of revenue for attackers.
A predominant number of signatures were also found relating to Japanese SEO spam (22.13%). These ongoing SEO Japanese Spam campaigns pollute victim’s website search results with knock-off designer goods.
Credit Card Stealers
Starting in late 2019, we began to see WordPress websites affected by MageCart-style compromises related to credit card swiping. This trend continued over 2020, with WooCommerce based ecommerce websites affected by malware previously reserved for ecommerce-specific platforms such as Magento, OpenCart, and PrestaShop.
When compared to other types of compromises, the number of WordPress websites infected with credit card stealers was quite small. This was also identified in past reports, where we found that attackers prefer to target a smaller number of higher value ecommerce websites, mostly mid market-level stores.
Credit card stealers tend to be much more difficult to detect, and server-side malware is not visible from the outside using SiteCheck. Client-side malware is highly customizable and uses hundreds of domains created specifically for the attack. It’s not rare to see the domain name or URL of the malicious script mimicking the victim site or some trustworthy service. As a result, detection of malware on one site doesn’t necessarily lead to the creation of signatures that can reliably detect similar malware on other infected sites.
In 2021, we blocked 503 skimming-related domains, a steady increase from the 473 blocked in 2020 and the 304 in 2019. Many of these were found to be injected with basic script tags.
In 2021, SiteCheck detections found that 34.5% of websites infected with a credit card skimmer were running WordPress.
Another notable malware detected by SiteCheck was related to a campaign that Avast researchers are calling Parrot TDS.
Our analysts removed 19,937,018 files associated with the malicious NDSW malware from compromised websites in 2021 alone.
Blocklisted by Vendor
McAfee continues to be the most common vendor blocking websites. While the Sucuri blocklist is much smaller in scope, it can be much more accurate in terms of identifying malicious content loading on legitimate sites.
Threat Forecast for 2022
From our analysis, we’ve noticed a gradual increase in credit card theft on client sites. In 2022, we expect skimmers will play a larger role in website infections, especially for WordPress. We also anticipate that credit card stealing malware will become a standard in WordPress exploit kits.
Given that SEO spam and phishing can be extremely profitable for bad actors, it is likely that these malware types will continue to be common infections that everyday website owners face.
As new vulnerabilities in WordPress plugins are discovered, we anticipate that they will be caught up in the massive ongoing redirect campaign sending unsuspecting victims to fraudulent websites and tech support scams.
Our analysis also revealed a shift away from .ga and .tw top-level domains used in redirect campaigns. It’s possible that attackers may try to find other such TLDs to leverage in their attacks.
Unless there are major changes to the default security configuration of major CMS’ (such as making multi-factor authentication enabled by default in WordPress and having no default administrator URL enabled for Magento2 environments), we expect unprotected admin pages will continue to be a primary attack vector.
In 1849, French writer Jean-Baptiste Alphonse Karr wrote “Plus ça change, plus c’est la même chose“ – the more things change, the more they stay the same.
Despite the changes we’ve seen to the threat landscape, one truth will always remain present: Attackers’ singular goal is to compromise vulnerable environments and misuse them to their own ends. What they do with those environments may change slightly, but that one singular fact will always be the case.
The scope of security issues and the threat of malware and attackers can be overwhelming to website owners. What’s important to keep in mind is that it’s not just you that you need to worry about — your website visitors, customers and clients depend on you to help keep them safe as well. Operating a website, particularly an ecommerce website, is a big responsibility that should not be taken lightly.
While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used. Laying defensive controls helps you better identify and mitigate attacks against your website. Employ any and all precautions available to you, and never rely entirely on a single solution.
At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall to filter malicious traffic.
Thank you for taking the time to read our report — we hope you found it engaging and informative. If you think we should be tracking or reporting on any additional information, we want to hear from you.
Vulnerability Researcher | @AntoGarand
Security Researcher & Technical Writer | @_jamsec
Senior Malware Researcher | @unmaskparasites
Malware Researcher | @krasimirsec
Security Analyst | @liamsmith86
Malware Research Manager | @ipaxdc
Editorial and Marketing
Editor | @RiannaMacLeod