It’s easy to get wrapped up in the holiday frenzy. With the allure of Cyber Monday markdowns, it’s easy to forget to use proper precautions when shopping online. Everyone expects that all ecommerce sites are safe, but there is always the possibility of getting tricked into visiting a website managed by cybercriminals. Here are a couple of things to be mindful of as you shop online this weekend.
Know the Difference Between a Legit and Phony Website
Cybercriminals build fake retail sites that offer suspiciously good deals. Inevitably, consumers are lured by the deals and once they enter their personal information (name, address, phone number, and credit card number) hackers will use this info to their advantage. If there’s a specific site you’re looking for, type the URL directly into the browser instead of going through a search engine.
Be Wary of Unfamiliar Emails
Phishing emails are well-crafted emails that trick users into clicking on malicious links or attachments. These emails are designed to steal your personal information, including credit card information, usernames and passwords. Before you click the link or attachment in your inbox, make sure to double-check the sender’s email address to ensure it’s a credible source. You can also hover over the link to see if its URL matches the actual site’s destination listed in the email.
Don’t Click on Sketchy Advertisements
Websites are typically flooded with ads, and this is especially true during the holiday season. As you visit your favorite ecommerce site this weekend, think twice before clicking on that eye-catching ad. Hackers have the ability to place fake ads on legitimate websites, which redirect to malicious sites. To avoid clicking on a harmful ad, take notice of the domain and URL connected to those ads.
Buying gifts for yourself and loved ones should be fun and exciting. If you keep these tips in the back of your mind while you’re shopping online on Cyber Monday, you’ll be saving yourself a lot of trouble in the long run. Let’s make sure we are having happy holidays, not “hacked” holidays.
In last week’s “episode” of ‘This Week in Exploits’, we talked about Cross-Site Scripting (XSS) and specifically reflected XSS vulnerabilities, the most common type of XSS flaw. We now know roughly what an XSS attack is, and some of what a reflected XSS attack does, but why do XSS attacks exist? How can they be used?
The example below shows an uploaded phishing file being used to steal Outlook emails. A link in a spam email can easily show a fake sign-in page using reflected XSS. Alternatively, a ‘persistent’ XSS attack could inject a fake login page into the site code, saving a hidden phishing page on the site.
Phishing pages send stolen logins from one of these fake login pages to a hacker. Hackers will then test the password/login combination on different sites, to see if that combination has been reused elsewhere. The script below, which swipes logins to a video site and sends those credentials to multiple bad actors, could be hosted on almost any website.
This phishing example doesn’t require any special target on the vulnerable site; the attacker is merely using the site to ‘bounce’ the fake login to an end user. Hackers often take over sites to use their resources, and using reflected XSS is just another example of a hacker using someone else’s site to conduct their attack.
While persistent XSS attacks can be found and cleaned, reflected XSS attacks don’t create any files, infect any servers, or leave any major evidence of a hack. To see examples of reflected XSS in the wild, a developer would have to be visiting suspicious links or filling out suspect forms. The best chance a developer has of finding reflected XSS attacks that use their own site is finding and analyzing evidence in the site’s logs.
Reflected XSS is almost always only seen by an end user. A suspicious email with a reflected XSS attack would have a link that leads to the vulnerable site; a strange link, but one to a ‘safe’ source. A confused or unknowing end user could easily fall for a phishing attack, or be hit by a second redirect to a malicious site. And there are many, many spam email campaigns, infected links, and robocalls, all directing people to malicious sites or phishing links. XSS attacks are one of the many tools in this spam arsenal, and XSS is one of the most common security flaws across the internet’s multitude of websites.
XSS vulnerabilities are common, but they are much easier to fix than complex vulnerabilities like CSRF. Without direct signs of malicious activity, reflected XSS flaws are often missed, but if they are known and searched for, they can be patched. As we now know, a threat to your end users is still present if that vulnerability exists, and no one wants their own website to be partially responsible for infected computers or stolen logins.
For developers fixing XSS vulnerabilities, there are many filtering methods available in web application software for converting input to safe text. Any user input that can be displayed to a site visitor should be audited and filtered. Sometimes vulnerabilities are created when these methods aren’t applied strictly enough, and patching XSS sometimes requires knowing the ‘best fit’ for the situation. The OWASP Top Ten provides an example sheet of how hackers can slip through mismatched XSS filters, and this sheet is useful for web security audits and web developers alike.
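As an added illustration (not code from the original post, and not SiteLock’s), the Python sketch below contrasts a blocklist-style filter with context-aware output encoding, the ‘best fit’ idea above: the same value needs entity encoding when reflected into HTML text and percent-encoding when reflected into a URL parameter. Function names and sample inputs are hypothetical.

```python
import html
from urllib.parse import quote

# Constructed sample inputs (not from the original post): a plain search term,
# one carrying characters that break out of a quoted attribute, and one tag spelling.
SAMPLES = ['winter coat', '"><b>hi</b>', '<script>x</script>']


def naive_filter(value: str) -> str:
    """Blocklist 'fix' (hypothetical): removes one tag spelling and nothing else."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html_text(value: str) -> str:
    """Entity-encode for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Percent-encode for a query-string value; HTML entities are the wrong tool here."""
    return quote(value, safe="")


def echoes_raw_markup(rendered_value: str) -> bool:
    """True if a character that can open a tag or close a quoted attribute survived."""
    return any(ch in rendered_value for ch in '<>"\'')


def render_search_page(term: str) -> str:
    """Reflect the term in two contexts, each with the encoder that fits that context."""
    text = encode_for_html_text(term)
    url = encode_for_url_param(term)
    return (f'<p>Results for: {text}</p>\n'
            f'<a href="/search?q={url}">search again</a>')


def audit(value: str) -> dict:
    """Compare the blocklist filter with context-aware encoding for one input."""
    return {
        "naive_leaks_markup": echoes_raw_markup(naive_filter(value)),
        "encoded_leaks_markup": echoes_raw_markup(encode_for_html_text(value)),
        "url_value": encode_for_url_param(value),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), audit(sample))
```

The blocklist only neutralizes the exact spelling it knows about, while entity encoding leaves no raw markup characters for any input, which is why an audit should check the encoder matches the output context rather than look for blocked strings.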
In many cases, vulnerabilities are simply missed during development. In large web applications, it is hard to find and secure every entry-point. SiteLock’s ‘360 Website Malware & Vulnerability Scanning’ includes multiple modules for finding flaws that bad actors can take advantage of. For website owners who don’t have web developers to rely on, SiteLock also provides vulnerability remediation to fix those flaws (and the full scanner suite) through SiteLock INFINITY. Prevention is also a worthy goal, and SiteLock’s TrueShield WAF will block many varieties of attack used on a website.
The holiday season is a busy time for online retailers. Unfortunately, it’s also prime time for cybercriminals to attack. As you prepare for the uptick in traffic, don’t let an oversight make you vulnerable to a breach. Instead, get ahead with your website security by knowing what to expect.
Anticipate an Attack
Cybercriminals assume that retailers are caught up in the holiday shopping frenzy and will use this opportunity to take advantage of lax security. Anticipating their behaviors can help mitigate risk and prevent an attack.
In the world of websites, hackers have a variety of tools to intrude on people’s domains. These hacks, which take advantage of vulnerabilities in a site’s code, are categorized by projects like the OWASP Top Ten. According to the OWASP assessment, the top three most common attacks are: Injection, Weak Authentication and Session Management, and Cross-Site Scripting, known as XSS. As new vulnerabilities are discovered, we still can see that a large portion of these vulnerabilities are XSS-related vectors.
SiteLock is proud to announce that we’ve been named one of the fastest growing technology companies in North America in the recent Deloitte Technology Fast 500 list! We officially rank number 85 with a 1046 percent growth between 2011 and 2014. In addition, we were also ranked as the number one fastest growing technology company in the state of Arizona.
To read more about this prestigious award as well as see the list in its entirety, click here.
Modern browsers are more than programs used to peruse the web. Browsers are tools used to communicate, develop, conduct financial transactions, and interact with government agencies. This week we discuss browser security and how it can impact website security, because as a website is the portal to a company’s online presence and resources, a browser is the entryway into a user’s workstation and the data within.
The link between browser security and website security is not conflated. We’ve seen many sites compromised through stolen FTP credentials, and entire company file stores lost to ransomware. Browsers were the likely point of entry of these compromises, and every website owner and web developer is sure to have a browser, likely multiple browsers, on the computer hosting or accessing site files and credentials. Again, the browser is the portal from the open web to the workstation, and we’ll cover the steps necessary to better secure this entry point.
Black Friday is one of the most anticipated shopping days of the year. Shoppers are up at the crack of dawn to hit their favorite stores. Some will go as far as to camp out at the stores offering the hottest deals while others will avoid the malls altogether by finding the best sales online. Nearly 100 million Americans are expected to take advantage of Black Friday discounts this year. However, these shoppers aren’t the only ones who have been waiting for Black Friday; cyber criminals are just as excited for this big shopping day. Securing your website for the holiday season is one of the best things you can do for your business and your customers.
When working to restore customer sites, our teams often hear ‘Why did they hack my site?’ Getting hacked is a violation. It’s a violation of a company’s web properties, or the personal violation of someone’s small business or specialty site. Having the hard work of web development undone, even temporarily, is a difficult experience and SiteLock strives to restore that work as quickly as possible. Our teams are dedicated to this.
This week we’re here to reassure readers that the majority of compromises are not targeted attacks. We will discuss how and why bad actors attack sites, and how to avoid becoming another line in an attacker’s text file of owned sites.
Consumers have endless choices of where to shop this holiday season, and your store, whether brick-and-mortar or online, must stand out. A well-designed, easy-to-use website is critical in cutting through the clutter to attract holiday shoppers and drive them to make a purchase. Unfortunately, the same features that improve user experience and retain customers can leave your website vulnerable to a cyber attack and pose a significant threat to your business.
This week we’ll discuss a recent infection of WordPress theme files, header files specifically, brought to our attention by SiteLock’s Security Concierge, or SECCON, Team.