Security Company Promises They Can Prevent Websites from Getting Hacked Again and Immediately Contradicts the Claim

What we recently have been noticing over and over in looking over the marketing materials for website security services is that they claim to protect websites from being hacked and almost immediately contradict that claim. As yet another example of that, we were recently looking at a WordPress security plugin named Sitesassure WP Malware Scanner and as discussed over at the blog for our Plugin Vulnerabilities service we noticed that among other issues, it is insecure and contained a vulnerability (security software with security vulnerabilities of their own is a common occurrence from what we have seen). That plugin seemed to be largely a way to promote the security company Sitesassure.

On the homepage of Sitesassure they promote a service they offer with the claim “DONT GET HACKED AGAIN”:

We could find no evidence presented on their website that service was effective at all. When making a claim like that there really should be evidence from independent testing that backs up the claim. If their WordPress plugin is any indication they don’t have much of a grasp security, which seems like prerequisite for being able to have a service that could possibly provide that protection.

Everything we have seen from numerous different angles indicates that services like that don’t in fact provide the claimed protection. That includes plenty of people coming to us asking if we offer a service like that, which works, after using one that didn’t and that the providers of them often prominently promote that the service includes hack cleanups. That is the case with this service as well, as scrolling down the website just a bit from the claim that the website won’t get hacked again there is another part of the promotion for that service:

If the website won’t get hacked again with that service then there shouldn’t be anything to clean up.

Right after that they seem to water down the claim even more by moving the goal line from keeping the website from being hacked, to just it not going down after that occurs:

(While they claim WordPress is a specialty of theirs, they consistently improperly capitalize it, which seems like a good indication it is actually something they are not all too familiar with.)

If you really want to fight back the best thing would be to do is the basics of securing websites as those will actually prevent most hacks, which would make hacking have less of a payoff for the hackers.

If a website has already been hacked the important thing to do is make sure that the website is properly cleaned. From what we have seen providers of services like that usually don’t even attempt to do that, which doesn’t seem that surprising considering that they seem to think it is acceptable to market a security service in a way that they are aware is not true.

When looking for a company to properly clean things up these are things you want to hear from them that they do:

  • Clean up the hack.
  • Get the website secured as possible (which which usually involves getting any software on the website up date).
  • Try to determine how the website was hacked and fix that.

We always do those things when doing a cleanup. When those things haven’t been done by other companies it has frequently lead to us being brought in to re-clean websites.

Bluehost’s Poorly Thought Out Attempt to Clean Up Hacked Websites

We have repeatedly brought up the web host Bluehost in the past on this blog due to various security related issues involving them, including things like using phishing emails to sell unnecessary security services and it looking like a security issue on their end might be leading to websites being hacked. Recently we have started running into another issue while working on hack cleanups with websites hosted with them, it appears that Bluehost is attempting to do some cleanup of hacks in way that doesn’t seem well thought out and can lead to websites having more problems beyond just the ones caused by the hack.

What looks to be going on is that to try to clean files with malicious code, Bluehost is removing code from the files and making a copy of the previous version of the files with a different name. As an example of those different names, in one recent instance the copy of a file named link-manager.php was named link-manager.php.suspected.1524640055. The new files have no permissions, so you can’t view the contents of them (or change the permissions to be able to do that). In many instances the original files have been totally emptied, even if it appears that they had contained legitimate code in addition to malicious code.

One of the problems that is causing is that legitimate files that are used to generate websites are being emptied, which then causes the website to stop working. Due to permissions on the new files it isn’t possible to easily see the previous contents of files to be able to quickly restore the non-malicious portion without getting access to another copy of the file.

Where things get more problematic is that they are changing the permissions on some directories as well as files, which not only restricts seeing what is in the directory, but also introducing a complication that doesn’t occur with the change to individual files, you can’t delete the directories through FTP or the file manager in Bluehost’s control panel.

Bluehost does have the capability to make the files and directories accessible if you contact them.

What is important note is that in every instance we have run into this so far there have been malicious files that were not dealt with by this cleanup, so the upside from them attempting to clean things up is limited while it can come with a fairly significant downside. Another problem with this type of approach is that simply cleaning up hacked files doesn’t deal with the underlying cause that allowed the hacker to be able to add or modify files in the first place, so the hacking could continue.

Looking at Recently Modified Files Isn’t a Good Way To Find Files Added or Modified by Hacker

We often find that companies that claim to have expertise (and often unique expertise) in dealing with hacked websites either don’t know what they are doing or are intentionally doing things improperly. That makes it hard to recommend to people in general that they should hire someone to clean up their hacked website (despite us actually doing that very type of work). But at the same time we often have people contact us that have tried to clean up their own website who clearly don’t know what they are doing and have gotten poor results. Those are not always unconnected issues as there is lots of content put out by security companies on how to clean up websites that is either intentionally poor and really intended to entice people to hire them to clean up the website or is poor because the companies really don’t know what they are doing.

An example of that we happened to run across recently involves a blog post from a company named WPHackedHelp that is supposed to tell you how to fix a “Japanese Keywords Hack” on a WordPress website, https://secure.wphackedhelp.com/blog/fix-wordpress-japanese-keywords-hack/. Considering that what we assume they are referring to by that actually encompasses a wide variety of different issues, trying to write an all encompassing article would be difficult to impossible. Instead they write one that is really of little use and could equally have been written about trying to deal with many different issues. But we wanted to focus on one obviously problematic piece of advice.

The post in part states you can find malicious files by checking for recently modified files:

Check Recently Modified Files

To search for the most recently modified files, use SSH to login to your web server account and then execute the following command:

find/path-of-www -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r

Navigate through the files and see if you find any doubtful changes made to the code.  If so, replace the files with the clean backup version of it.

For anyone that has even dealt with a few hacked websites there should obvious problem with that advice and for any company that claims to have expertise dealing with hacked websites there should be another obvious issue. WPHackedHelp certainly claims to have that level of expertise:

With over 15 years of experience, our WordPress security experts specialize in website malware removal & cleanup WordPress websites.

It’s worth noting though that WordPress itself is barely 15 years old, so we would assume that is referring to combined experience, though they are not upfront about that, which seems like a red flag.

The glaring problem with relying on the last modified date of files is that hackers frequently change the last modified date of files they have added or modified to have the dates match other files in the same directory. In some instances that occurs with some of the files and not others, so someone might think they have gotten the malicious files and really they have missed a lot of them.

The other issue with this is that often times people only become aware that their website has been hacked well after it has occurred, in some extreme instances the hackers originally got in years ago. So even if the hacker hasn’t changed the last modified dates, looking at recently modified files wouldn’t identify them.

At the end of WPHackedHelp’s post you get to the seeming insincerity of the whole thing as they write:

Having listed an array of methods requiring technical expertise, let’s consider an approach that is way smarter, consumes less time and takes the burden off your shoulders. WP Hacked Help deploys a systematic plan to clean up your WordPress website. The site is thoroughly scanned and the detected flaws are dealt by an expert team to provide you with a website free of malicious codes. Within a short span of time, your website will be live up again, running efficiently like before.

Why not be upfront about that, considering that it is supposed to be “way smarter, consumes less time and takes the burden off your shoulders”?

What is missing in that post or anywhere else that we looked on this company websites for that matter was any mention of one of the three key components of a proper hack cleanup, trying to determine how the website was hacked. Not only is that important to make sure that the hacker can’t just get back in after things are cleaned, but we have found that the work involved with that is important to make sure the hack is fully cleaned up. In almost every instance when we are hired to re-clean up a hacked website there had been no attempt to do that, so avoiding companies that don’t do that is something we would recommend.

If the focus of security companies was on figuring out how websites were being hacked and working to make sure that the instances of those things are lessened, security could be in much better shape than it is. That of course would mean less business for a lot of those security companies, so instead you have an arms race type situation where hackers figure out new ways to avoid detection (like changing the last modified date), which makes it harder to clean up hacked website, leading to more business for security companies, but a worse situation for their customers since the root cause isn’t being dealt with properly.

cWatch Makes False Claims About Security of WordPress Themes While Touting Their Security Analysts

When we previously discussed a service named cWatch we noted how the people behind it didn’t seem to understand what they were talking about when it came to security. We recently happened to take a look at them again and found things haven’t changed. Previously they falsely claimed that it isn’t possible to fully clean up hacked websites, despite them offering to do website malware removal for free (which seems like it explains the price). This time they are making false claims about the security of WordPress themes.

In a June 11 blog post titled “Infected WordPress Themes Still on WordPress.org” they start by stating:

Having come across many exploits and vulnerabilities it is no surprise that WordPress, being one of the most common themes used, seems to be a hacker favorite.

In order to stay proactive, we researched wordpress.org Apache Subversion (SVN) and discovered some major commonalities within some infected themes.

This presents a major concern as these infected files can be quite easily installed from the wordpress.org site directly.

During the next couple of blog posts we will publish a series of articlestitled INFECTED WORDPRESS THEMES STILL ON WORPRESS.ORG, where we will share with you our findings in the hopes of helping stop the spread of these infections through awareness.

That sounds concerning, but a little odd. If there was really some issue wouldn’t they want to work with WordPress to resolve it instead of trying deal with it through “awareness”? From what we have seen of the security industry, awareness is usually a euphemism for making false or misleading security claims to get coverage for yourself and that is the case here.

The next section of the post though seems to indicate that cWatch didn’t really know what they are talking about:

The following is a list of the infected WordPress themes we have discovered:

What they are linking to there are not themes, but individual files that contained malicious code in themes. That seems like a big detail to miss, but there’s more. The first five files are from various versions of one theme, Delish. In each link the number listed is the version number of the theme. Based on that it seemed that only versions up to 1.3.3 would have been impacted. The current version is 1.6, so five of the seven “themes” they claim infected are in fact not. In fact, version 1.3.4 was released on March 31, 2015 (and did in fact remove the malicious file). So it wasn’t like this was dealt with after the claim by cWatch or even recently. There is another issue with the claim that theme was infected, which we will get to in a moment.

The two other themes are not even available anymore and it doesn’t look like they were available recently. One of them, Neworld, had the malicious file removed in a version that was released on June 8, 2015. The other theme “Elgrande (shared on wplocker.com)” never had fix released, so that is the closest there is a current issue, but it still doesn’t live up to cWatch’s claim that “these infected files can be quite easily installed from the wordpress.org site directly” since it can’t be easily downloaded from there anymore and you can’t install themes from there at all.

In looking into those themes we noticed another rather large issue with cWatch’s claims here, which they completely missed, despite it seeming like it should be obvious to anyone that claims to have the expertise they claim to have. All of the infected files have .png extension, which will cause web servers to see them as image files, so the malicious PHP code that had been in them would not run. There would need to additional code to make that code run, which is missing in all but “Elgrande (shared on wplocker.com)”. So there wasn’t a threat from the other two themes even in the versions that contained the malicious files.

What all that seem to make more glaring is at the end of the post there is this ad for cWatch:

Having security analysts as a resource to inspect and investigate all code would be ideal. Connect with us if you are looking to have a security analyst on your side for less than a cup of coffee a day.

Unless you want a security analyst that doesn’t seem mildly component, you would probably want to avoid them.

Poor Copy and Paste

The poor quality of the content of their blog isn’t a one off issue, as can be seen in another recent post. The post is odd to start with since it is about malware that was claimed to have impacted “700 WordPress and Joomla websites”. We don’t know why something like that would merit coverage, unless there was some new vulnerability that was exploited to hack those websites. Strangely the source of the hacks was not discussed at all in their post or the original source they lightly rewrote to create their post. Speaking of the original source, what really stood out to us in the post was the strange headline in the last section:

Mitigation by SiteLock

If ionCube-encoded files have not been intentionally or specifically installed by you or your developer, then any file claiming to use ionCube is likely to be suspicious since the effective usage of IonCube generally needs manual server configuration. Moreover,  cross-compatibility with varied versions of PHP is found to be minimal, thus decreasing the viability of use as malware.

SiteLock is the name of another security company that isn’t exactly known providing accurate information when it comes to this sort of thing, so you wouldn’t want to be blindly repeating their claims. cWatch though takes it further by simply lightly rewriting SiteLock’s post. Here is SiteLock’s version of the above paragraph:

If you or your developer have not specifically and intentionally installed ionCube-encoded files, it is likely that any files claiming to be using ionCube are suspicious, as successfully making use of ionCube typically requires manual server configuration. Also, cross-compatibility with different versions of PHP is minimal, reducing the viability of use as malware.

What is worth reiterating is that you have two security companies there that offer services that they claim protect websites, but they seem to be uninterested in how these websites were hacked, despite the obvious relevancy to what they claim to offer. In reality SiteLock at least actually thinks that protecting websites involves leaving them vulnerable to being hacked, they are not alone in that belief.

GoDaddy’s Idea of Securing Websites Actually Involves Leaving Them Insecure and Trying to Deal with the After Effects of That

Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security and that is exactly what we ran across while looking into things while working on that previous post.  When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:

The description of that is:

Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.

It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.

If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about.

The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.

Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.

What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we recently we brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.

The Truth Behind Conflicting SiteLock Reviews

Recently something we had written about the web security company SiteLock was linked to in thread that starts out with someone discussing the conflicting reviews of SiteLock:

Just had a word press site hacked. Out host suspended our site and recommended site lock to clean it up. I looked at online reviews of their service. There are reviews that say they’re good, and reviews that say they are a scam. They say that you pay to have your site cleaned and then monthly to protect it. There are numerous reviews saying that even with the monthly fees, their sites still got hacked, and they were charged hundreds of dollars to fix it again. If these reviews are true, I want a better solution. What would you do? Are the reviews true?

As we monitor the reviews of SiteLock to keep track of what they are up to since we are frequently contacted by people looking for help after being contacted by them or having hired them, we thought it would be worth touching on what explains those conflicting reviews.

Positive Reviews

The positive reviews of SiteLock mostly fall in to two categories. The vast majority of recent reviews are by people that are pushed by SiteLock to provide a review after any interaction with them. We really do mean any. Here for example are two reviews shown on the review website consumeraffairs.com from the same day, giving SiteLock five stars for helping them to update credit card information:

I contacted SiteLock because I needed to update my credit card information. I was delighted by the speed and helpful service I received from the support team. I would highly recommend SiteLock for their valuable products and services, which are consistently stellar.

Tyrell was very helpful in walking me through updating my credit card billing information online. He was also very courteous and patient while he waited as I entered my information. It would be a pleasure to work with Tyrell again.

That doesn’t seem like something people would do on their own all that often. More importantly, that really doesn’t tell you anything about how well or poor the service is, just that this company is interested in making sure it keeps getting paid.

It isn’t even clear that the people leaving those reviews would be aware of that website as a company that pays consumeraffairs.com a monthly fee, as SiteLock does, is provided various methods to have reviews collected:

ConsumerAffairs also helps Accredited Members collect reviews through Facebook, email, feedback cards, targeted phone calls and through its website.

Well come back to what else that SiteLock’s paying that website provides them in a bit, but first there are second set of positive reviews. Those largely look to be made up of people who generally believe that SiteLock is providing a good service and have left a review on their own. Considering that even many people in the security industry don’t have a good understanding of security, it wouldn’t be surprising to hear that these positives reviews from the public are not necessarily providing a good picture of what SiteLock really provides. For example, one five star review of SiteLock we used as an example of that last year, actually indicated that SiteLock was leaving a website insecure. That isn’t surprising since as we mentioned more recently, SiteLock’s own marketing material indicates they think that security doesn’t involve keeping a website secure, but dealing with the after effects of leaving it vulnerable.

Negative Reviews

If you were to look at the most recent one star reviews of SiteLock on consumeraffairs.com what you would notice is that you have to go back months to see one where the one star rating is shown. The most recent ones either say “Insufficient response received” or “No response received”. The reason for that is that by SiteLock being a paying customer of consumeraffairs.com they can challenge reviews and they in fact have challenged every single recent negative review. The reason for that is that by doing they can get the low ratings excluded from the overall rating:

While ConsumerAffairs never changes star ratings at a company’s request, a consumer may choose to change a star rating after resolving a complaint. In addition, if a consumer does not respond to a request for more information, or the consumer’s complaint is resolved privately with the company, or the factual basis for a complaint is unresolved, the consumer’s star rating may not be displayed and will not be included in a company’s overall star rating.

The business model of that website and other review websites looks to be built on companies paying them to present a positive image of the company.

What seems to be a telling indication that negative reviews are the ones of value is that all the most helpful reviews are currently negative ones.

That doesn’t mean that those reviews are accurate either. Just as the natural positives reviews can be inaccurate due to a lack of understanding of security, plenty of the negative reviews we have seen are also inaccurate. For example, we have seen numerous negative reviews that claim that SiteLock hacked websites. We have also had people contacting us that claim the same thing. We have never seen any evidence to support that despite it being such a serious allegation and plenty of evidence to the contrary.

If you want to a summary of what SiteLock really offers, this review on consumeraffairs.com from May 23 does a great job of that:

It’s my opinion that SiteLock is exhibiting predatory sales tactics. In my case they sold me on the service to monitor and protect my website from malware for a subscription fee. They are aggressive. But the worst part is that malware infected my site again and I called SiteLock for help since I’m a paying customer. Even though they originally sold me on the effectiveness of their products they told me they were not going to be able to remove the new malware and it would cost $300 to remove it. They also were trying to sell me on more services. It’s just my opinion but then I believe they set up a system to catch people when they are most vulnerable then charge them a lot to get their website working again. The support people that I talked to are salespeople. Look elsewhere folks. Save yourself the wasted time, money and the headaches that come with choosing the wrong company to protect your website.

One thing that we would note about that is that we are not aware of any company that provides a service that will provide effective protection of a website. If you are looking for something like that we would recommend instead you do the things that are going to actually keep your website secure, but otherwise you would want to look for one that present evidence, preferably from independent testing, that shows that is effective (if someone finds a company that provides that we would love to hear about that).

If your website is already hacked, before focusing on the things that will protect it going forward, it should be properly cleaned, which involves three key components:

  • Cleaning up the hack.
  • Getting the website secured as possible (which which usually involves getting any software on the website up date).
  • Trying to determine how the website was hacked and fix that.

From what we have seen SiteLock usually doesn’t attempt to do the last two and doesn’t do all that good a job of the first. Unfortunately, based on experience frequently being brought in to re-clean up hacked websites they are far from the only company that is not even attempting to properly clean up hacked websites.

That SiteLock doesn’t attempt to determine how websites were hacked explains in part why they are not good at protecting websites from being hacked either as they wouldn’t even know what to protect against.

Atlantic BT’s Scare Tactics Lead to Belief That Google Is Rendering Non-HTTPS Websites Useless by Labeling Them “Not Secure”

One of the problems we have found in dealing with security over the years is that you have a lot of people managing websites that believe they have a much better understanding of things than they do. Security companies make this situation worse by spreading misleading and outright false information to market their products and services.

One area where we frequently see issues, not just when it comes to security, but more generally as well, is people managing websites believing that upgrading software on a website will resolve some issue they are having. What seems like it should give them some pause, but apparently doesn’t, is that they don’t themselves even have the capability to handle the upgrade, but believe they know what the impact of that would be.

What we have found repeatedly in that situation is that they will contact someone like us about having an upgrade done and not mention that their reason for getting the upgrade is the assumption that it will resolve that issue. In some cases they only bring it up after the upgrade has been fully completed and the issue still exists.

Due to the increasing frequency we run into this type of situation we recently changed how we do things, so now in the contact form for upgrade services we specifically ask why there is interest in having an upgrade done.

A recent example of that showed why that is important and brought across misleading claims from a company named Atlantic BT about the changing handling of non-HTTPs website in Google’s Chrome web browser.

The reason given that this person was interested in having a fairly significant upgrade done was that their website was going to be “useless” in a few weeks due to a new Google security regulation. We really didn’t know what they were talking about and for good reason, it turned out the reality was very different.

What is happening is that in July with the release of Chrome 68, Google will start labeling non-HTTPs web pages as “not secure”. Here are the before and after according to Google:

That wouldn’t make a website useless, though it might make an eCommerce website, like the one we were contacted about, less appealing.

What was more important was that upgrading the software on the website wouldn’t have an impact on that since HTTPS is handled by the server, not the software running on the website. As long the software on the website allows you to configure things so that addresses on the website start “https” instead of “http” there is no need for an upgrade to implement HTTPS.

So where did the idea that the website would be useless come from? It turned that was due to a blog post on Atlantic BT’s website. The intent of the post seems to be scare people in to contacting this company for security services.

The name of the post as listed in the URL for it, https://www.atlanticbt.com/blog/google-chrome-warn-users-non-secure-websites/, seems neutral. The visible title isn’t, “Non-Secure Websites, Beware! Google is After You”.

In the first paragraph they state:

This could create many challenges for web owners and designers. Traffic and revenue losses, as well as drops in organic search rankings, could all be consequences.

In second paragraph they make a claim that there is a requirement to use HTTPS, despite there not being one:

By July, Google will require ALL websites to have their entire domain set up as HTTPS.

In third paragraph they again try to push the negative impact, without quantifying how much, if any, they are claiming there would be:

This means that Google’s policy update will have major implications on your site’s web performance.

In the fourth paragraph they can’t even get to a benefit of HTTPS without playing up fear first:

Before stressing over the potential impact of this update, it’s important to recognize the countless benefits of establishing a secure connection via TLS.

The final section of the post, titled “What are the implications of Google’s update?”, starts with more unquantified claims:

Google is increasingly using security as an algorithmic ranking factor within their Search Engine Results Page (SERP). In 2014, Google publicly announced that websites would receive a boost in rankings if they switch from HTTP to HTTPS. And in-line with that policy, sites that remained HTTP would be at risk of losing rankings. This is a serious threat to the acquisition of organic traffic on HTTP websites.

So people should be doing something now because there was change four years ago, which Atlantic BT can’t actually cite say percentage impact of (as far as we are aware there wasn’t much impact on rankings due to that change).

Next, they finally mentioned a quantified stat:

There is also an added risk of dropping conversion rates and losing customers. Studies show that  85% of web users would choose not to make purchases from a website if it was labeled as “non-secure”.

If you follow the link though it doesn’t make the specific claim they claim it does and there are a number of other issues. What is claimed on the link page is that a survey found that:

In fact, 85% of web users state they wouldn’t buy through a website where they weren’t certain their data was being transferred securely.

Among the issues that we can think of off the top of our heads:

  • That isn’t a study.
  • The question posed is different.
  • People stating they would do something does not necessarily reflect what they really would do.
  • The survey was done by a company that sells SSL certificates, which makes the result somewhat suspect. Fuller details that could be used to better access the veracity of the survey, like what was the wording of the question, were not provided.

No other quantified statistics were provided in the post.

The final paragraph of the post seems to be what all the rest was leading to:

If you’re concerned about the potential impact of this upcoming Chrome update, or the security of your site, contact the experts at Atlantic BT.

Based on what we saw in that post it would seem like you would be best steering clear of that company.

Is There Anything That Security Companies Won’t Try to Mislead People About?

From dealing in security for years we have become somewhat inured with a lot of the bad behavior going on, but one area where it is still surprising how bad things are is the level of dishonesty and often outright lies told by security companies. Considering that trust is an important part of security, it would seem like security companies would be careful when it comes to that type of thing, but from what we have seen that isn’t the case. That certainly isn’t helped by the public’s willingness to ignore and to some times defend companies that engage in that type of behavior.

While in some cases security companies lie about things that it would be hard for the public to check for themselves, in other instances the claims are easily checked, so it seems like at this point that companies may feel they can mislead and lie with impunity.

We recently came across an example of this from a company named Quttera. Back in March they had a blog post titled “Quttera WordPress Malware Scanner: 400K Installations and Counting” with this graphic at the top of the post:

Having 400,000 installations would make the plugin one the most popular WordPress plugins, so that would be impressive.

WordPress prominently displays how many active installations that plugins in its Plugin Directory have, so it wouldn’t be hard for anyone to check to see if that is true.

What anyone doing that would find though is that the plugin only currently has 10,000+ active installs:

So what is going on here? Well the first sentence of the Quttera’s post explains it somewhat:

A few days ago, the download counter of the WordPress Malware Scanner plugin passed 400K installations–and with good reason.

They are conflating downloads and installations. Considering that WordPress provides both installation and downloads stats that seems hard to provide an innocent explanation for doing, but it is more problematic when you know what is counted as a download. WordPress counts each time an installed plugin is updated to a new version as a download. That is important here because the number of active installations might not give a complete picture if a lot of people installed a plugin, used it successfully, and then removed because it wasn’t needed after that. If that were the case with this plugin the chart of downloads would look very different than it does.

As you can see the chart shows frequent spikes of downloads and then sharp drop offs:

Those spikes are when new versions are released. When you are releasing new versions every three or four days that can lead to a lot of downloads, as is the case with this plugin. Quttera would like you believe otherwise as the first paragraph of their post shows:

A few days ago, the download counter of the WordPress Malware Scanner plugin passed 400K installations–and with good reason. This incredible plugin has a number of key advantages that have helped many of our customers build their websites and create the amazing online communities they’ve hoped for.

While this in its self doesn’t really matter that much, it does give you an indication that this company might not be the most reputable company.

In a quick check we found that their plugin is itself insecure due to failure to do some basic security, which doesn’t seem like a good indication of their concern for security. We will be disclosing the details of that over through our Plugin Vulnerabilities service, once Quttera has had a chance to fix that.

What we noticed that seems more relevant when it comes to trust is something we noticed we went to look at the details of the service they offer. The service is prominently marketed as involving malware cleanup:

They also claim to offer a “30 days money back guaranteed.”:

Though like another security company we discussed recently they hide an important detail of that policy on another page. That being that there is no refund if you have had a cleanup done:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the Cancellation Period), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not utilized malware removal services during the Cancellation Period.

To us that seems like a detail that should prominently mentioned when promoting the guarantee since we would assume that many of their customers would be coming for a cleanup and so they should know that the cleanup isn’t backed up with any guarantee (especially since so often we see security companies failing to properly clean up hacked websites, so a refund would be warranted after a cleanup was done). It seems like they could have disclosed that in the same amount of words that it took to mention that the details of the policy are on another page.

Sucuri’s 30 Day Guarantee Guarantees That They Won’t Properly Clean Up Your Website

In our dealing with the continued poor state of web security, which seems to be a microcosm of the poor state of security in general, what we see is that there are many different pieces that all come together to get to the current situation. The really terrible shape of the security industry probably couldn’t exist without the public helping them out in numerous ways. One of those ways is that you have a lot of people that don’t really seem to be paying much attention before handing over money to unscrupulous security companies.

We recently had someone contact us looking for help with a hacked website. They hadn’t provided any details as to how they thought the website was hacked and considering that many people come to us that think a website has been hacked when it hasn’t, we first went to look at the website to see if we noticed any issues. We noticed one issue and we then responded asking if that was what was at issue or if there something more. They responded that they already were a paying customer and had sent several message to support that they hoped we would address. Neither of those things sounded like us, especially since we charge after we have completed a cleanup, not before. It turned out that they had confused us with another company named Sucuri.

What was odder about that was that the person said they had seen Sucuri mentioned on our website and decided to give them a try. Considering that we have repeatedly written about problems caused by Sucuri, particularly involving hack cleanups, it doesn’t seem they could have been paying almost any attention to what we had written about that company.

That ties in to understanding something else that they mentioned, which is that Sucuri told them they provide a 30 day money back guarantee. They didn’t look into the details on that, which they should have.

We were curious to see what Sucuri’s refund policy actually was and found that they are inconsistent in what they claiming to provide. More importantly there are some huge caveats, so the guarantee would be of no value in a lot of cases.

On the homepage they advertise it this way:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

Looking at the terms of service they first state:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

Based on that if you sign up for their service and request a cleanup you can’t get a refund, so if they don’t properly clean things up (as they won’t) you are left paying for something that wasn’t done right.

In listing their various levels of service they make a big point of response time, so it seems pretty likely that they expect that many of their customers are coming to them looking for a cleanup:

So it seems like their refund offer would probably be immediately null for many of their customers. It also seems like if they were interested in be honest with their potential customers they would be upfront about that limitation, instead of burying that important limitation in a long legal document.

Later in the terms of service page they say something different:

If at any time during the Service Term, you submit a Malware Removal Request for a Covered Website that Company determines is infected, Company will use reasonable commercial efforts to clean the infected Covered Website. In the event that Company is unable, for any reason, to clean the infected Covered Website, Company will, as its sole and exclusive remedy, refund to you the annual fee you paid to the Company for the clean up of that Covered Website.

That would sound significant if we haven’t see what can actually happen when Sucuri is supposed to be dealing with a hacked website.

In April of last year we discussed a situation that we were brought in where Sucuri’s service had been purchased and they had claimed to have cleaned a website. When the original issue, credit cards being used on the website were being compromised, continued, the person running the website contacted Sucuri about that and Sucuri told them that the website was clean, despite it being very likely it wasn’t. This person wasn’t looking for a refund, just for them to clean things up, which considering Sucuri’s service is marketed as providing “Unlimited Malware & Hack Cleanup”, shouldn’t have been an issue. They instead had to hire us to get things properly cleaned up.

On Sucuri’s page about cancelling an account they have the following Refund section:

Refunds

Refunds are only available within 30 days of purchase and will only be issued in case a manual malware removal was not completed. On all other cases, you can cancel the account, but a refund will not be provided.

That doesn’t match what is written in the terms of service, so who knows what is going on there. But if that is to be believed all they are actually offering is a refund if they don’t “complete” a manual malware removal. Considering that based on everything we have Sucuri doesn’t even really attempt to do complete cleanups, that doesn’t seem meaningful.

Right below that section is a Guarantee section:

Guarantee

We guarantee our work, so if your site gets reinfected we will clean it up again until it is 100% clean. But you also have to do your part and keep your sites updated, change passwords and follow our recommendations.

If you do not follow our recommendations, we will not clean it up again until they are done.

As situation we were brought in to clean up after Sucuri in March shows, even when Sucuri is willing to clean things up again it doesn’t mean the website is ever going to get fully cleaned as the website in that situation was repeatedly incompletely cleaned up by Sucuri. What was happening is that Sucuri repeatedly removed parts of the hack, but since they didn’t remove the others, what they were removing just came back over and over.

One of things that would have stopped that cycle would have been if Sucuri had done one of the three pieces of a proper clean up, which is trying to determine how the website was hacked, as reviewing the logging as part of that would have identified where the remaining malicious code was.

Sucuri not only fails to do that piece of a proper clean up, but they fail to do another one, which involves getting the website secure as possible. That usually mainly consists of getting any software on the website up to date. Based on that guarantee language they even try to push that off to the customer.

In fact while they sell their service as website security service, the guarantee seems to indicate they don’t do anything that will actually secure the website. What it looks like is that you are paying them an ongoing fee for them to be on call to improperly clean up your website.

If your website hasn’t been hacked you would be better off spending your time and money on doing the basics of securitye, as doing those things will greatly reduce the chances of the website being hacked. If your website has been hacked you would better off hiring someone like us that will actually clean the website up properly and fully stands behind their work instead of providing you with a misleading “guarantee”.

Sonatype Turns Their Distribution of Insecure Software Into Misleading Stories About Other Companies

When it comes to improving the security of websites, security journalists could play an important role, but they unfortunately do not seem to be interested in doing that. Instead they spend a lot of time spreading misleading and outright false information that comes from security companies. Often times, like a game of telephone, the information being provided gets more inaccurate as journalists repeat the claims of other journalist (in some instances without disclosing they are copying information from others).

A good example of that comes from something we had run across today. On ZDNet’s security blog the Zero Day (which at least previously was written by people that didn’t know what a zero day is) there is a post headlined “After Equifax breach, major firms still rely on same flawed software” with the sub-headline “At least seven tech giants still use the vulnerable software that hackers exploited to attack Equifax last year.” An obvious question would be what was the methodology used to determine that. If you read the post you will find out that it wasn’t actually determined at all nor was it claimed to have been. Instead what was measured was downloads of the software:

Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It’s often used to power both front- and back-end applications — including Equifax’s public website.

Downloading a vulnerable version of software doesn’t mean you rely or use it. For example, when we are dealing with hacked websites we might need to download older versions of software to use to compare the copy of the software on the website to a clean copy.

Later in the post it was mentioned that Fortune had reported on this prior to ZDNet:

Fortune was first to report the data.

The Fortune story has a more accurate headline “Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax”. Here is how they source that:

As many as 10,801 organizations—including 57% of the Fortune Global 100—have downloaded known-to-be-vulnerable versions of Apache Struts, the popular, open source software package that attackers targeted to loot Equifax, from March 2017 through February 2018, according to data from Sonatype, a Goldman Sachs-backed cybersecurity startup that tracks code pulled by software developers.

And here is how Sonatype determined that:

Sonatype was able to collect the data it shared with Fortune, Jackson explains, because it maintains a code repository, Maven Central, relied upon by many software developers as they build applications. When requests for code components come in, Sonatype is able to conduct reverse lookups on the requesters’ IP addresses, and thereby determine from which organizations they originated.

So Sonatype is the one distributing the insecure software to these companies and also tracking what they are downloading, which seems like it might be what those journalists might want to cover.