During a recent investigation, we found an infected website was redirecting to YouTube after its main index.php file had been modified to include the following line of HTML: This technique works because it’s possible to use HTML within .php files — as long as the HTML is outside the PHP code tags. In this case, […]
Archive by Author
Opening the Conversation about Website Security
The responsibility of ensuring that a website is protected falls on the website owner, but the security expectation may fall on the web service provider too. As a professional, you are the trusted party and first point of contact. Much of what your clients learn about web technology and security specifically comes from you. In […]
SiteCheck Malware Report: September Summary
Our free SiteCheck tool helps website owners remotely scan their website to detect malware infections, blacklisting status, website errors, and other anomalies. Scanning a website’s external HTML source code provides immediate results, without the need to install any software or applications to identify threats. In September alone, a total of 17,138,086 website scans were performed […]
Backdoor Shell Dropper Deploys CMS-Specific Malware
A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want. Another common scenario includes malware which is directly injected into a website’s files and used to redirect traffic, steal credit cards and other sensitive information, […]
GFX Xsender Hack Tool: A Spam Mailer
PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses. The tool runs on top of PHPMailer’s library, which handles the connection and […]
Malicious Pop-up Redirects Baidu Traffic
Malicious pop-ups and redirects have become two extremely common techniques used by attackers to drive traffic wherever they want. During a recent investigation, we came across an obfuscated pop-up script leveraging baidu[.]com search results to redirect users to the attacker’s own domain. Below is the encoded JavaScript: Once decoded, the behavior becomes a bit more […]
Backdoor Obfuscation: tempnam & URL Encoding
In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting backdoor that was leveraging encoding along with common PHP functions to conceal its operations from any active security systems on the host. This PHP web […]
Magento Credit Card Stealing Malware: gstaticapi
Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information. To obtain sensitive details, the malware loads external javascript whenever the URL contains “checkout” — this location typically belongs to the step in Magento’s checkout process where users enter their […]
Malicious One-Liner Using Hastebin
Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image directory on a compromised website, allowing an attacker to execute other malicious commands. The attacker […]
Phishing Page Targets AT&T’s Employee Multi-Factor Authentication
Employees at companies of all sizes can be targets of phishing attacks, but certain corporations or industries can be more valuable to an attacker than others. For instance, employees at telecom companies will often have some level of elevated access that is unavailable to a non-employee. In fact, this access can be so valuable that […]
