A Case Study in SiteLock Leaving a Website Insecure While Labeling It as Being Secure

When it comes to the security of websites we frequently see that, while security basics are often not being done, security companies are pushing more advanced security products and services. Sometimes those two things come together. Last month we looked at one cyber security company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of its website up to date, while telling the public they need to take advanced measures to protect their websites. As we mentioned in a post the other day, by comparison the web security company SiteLock does keep the software on its own websites up to date, while leaving the software out of date on the customers’ websites that it is supposed to be securing. We ran across another example of that while looking at one of their case studies that is supposed to show how great their services are.

The case study is missing basic details that would be needed to understand what was actually going on and whether SiteLock had done anything to actually secure the website. The post claims the website in the case study was targeted by cybercriminals, but it doesn’t even mention what type of attack there was:

When cybercriminals began to target Airspeed-Wireless.com last year, he became alarmed. Spiridigliozzi took an investigative approach and soon determined the attacks were coming from an IP address in Iran. His host-provided security options were limited so instead he blocked the malicious IP, hoping it would solve the problem. Unfortunately it did not and the hacking attempts continued.

Most hacks are not targeted, so it is entirely possible that what was actually happening was that the website was being hit as part of mass hacking that wasn’t even trying to exploit vulnerabilities relevant to the website, in which case there wasn’t a real threat.

Blocking IP addresses is not an effective security measure, because if there actually is a vulnerability then a hacker could easily get around the block by simply using another IP address. It is important to note that the web host, the one that SiteLock says has limited security options, is Bluehost, which is not only a SiteLock partner, but its parent company, Endurance International Group, is run by the owners of SiteLock. SiteLock’s partners get paid handsomely for pushing SiteLock services, so providing poor security options would likely be financially advantageous for them (that might be a good reason to avoid web hosts that have partnered with SiteLock).

The case study then moves on to another website:

During the process Spiridigliozzi was attacked again, this time on a website he was developing. The new attack came from an IP address in Morocco. The hacker injected malware into the newly developed site and taunted Spiridigliozzi by engaging him in online chat.

There is no explanation as to how the website was hacked, which would be important information for people to know to protect their own websites, and to determine whether SiteLock could have actually prevented it and whether there might be a more effective way to do that.

In the next section they tout their TrueShield Web Application Firewall:

SiteLock also wanted to provide Spiridigliozzi with a preventative solution. They installed the SiteLock® TrueShield™ Enterprise Web Application Firewall (WAF) on Airspeed-Wireless.com. This top tier WAF blocks bad bots, the Open Web Application Security Project (OWASP) Top 10 threats, backdoor connections and meets PCI standards.

First, it is worth noting that, contrary to how they promote the service, this isn’t actually their service; instead they just slap their branding on Incapsula’s WAF.

Next, just the other day we discussed an instance where one of their customers using the WAF was hacked again and was told that they don’t cover backdoor access:

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

That obviously doesn’t match up with their claim in the case study that the WAF blocks backdoor connections.

Then they claim that numerous threats were blocked:

Since it was installed, TrueShield has blocked 9,478 malicious threats, five SQLi attempts, and 27 visitors from blacklisted IP addresses.

What stands out is the fact that most of the threats that were supposedly blocked are vaguely “malicious threats”, while a few SQL injection attempts are broken out, even though those would also be malicious threats. That vagueness is important, since the reality is that probably only a small fraction of one percent of hacking attempts have the possibility of being successful (many hacking attempts involve trying to exploit vulnerabilities in software that isn’t even being used on the website, for example). A useful measure would be how many of the blocked attempts would actually have led to the website being exploited if they had not been run through the WAF. SiteLock probably doesn’t have any clue as to that sort of thing, since they don’t actually provide that service.

The next section points to SiteLock’s odd idea of how to protect a website:

Spiridigliozzi is grateful for the upgraded security, “The SiteLock suite of security tools now allows me to be more proactive in preventing unwanted visitors and bots from accessing my website, the dashboard gives me an immediate indication of any problems and I also receive email alerts if there are any issues.”

If there is a vulnerability on a website, the best way to protect against it is to fix it. Trying to stop the people that might exploit it is going to be harder to do, and SiteLock doesn’t provide evidence of its effectiveness.

It turns out that the website is actually insecure right now, in an easy-to-check way. It is running an outdated version of Magento with known security vulnerabilities:

[Screenshot: outdated Magento version]

Magento does provide patches for older versions, so an outdated version might still be secure, but in this case the website MageReport.com reports that the security patch that provides the same fixes as Magento 1.9.3 is not installed (both the security patch and Magento 1.9.3 were released on October 11):

[Screenshot: MageReport showing security patch 8788 not applied]

SiteLock seems to be unaware of this as they are currently labeling the website as secure:

[Screenshot: SiteLock labeling the insecure website as secure]

The Previous Case Study Is Running An Outdated Version of Joomla

In the case study preceding the one we just discussed, SiteLock promoted its scanning service:

The SiteLock 360-degree Security Scan was placed on bluedgebiz.com. As the name suggests, the scan provides a comprehensive scan of Wilson’s entire site. This includes a complete malware, network, spam, SQL Injection, and Cross-Site Scripting scan. With this scan, Wilson is alerted immediately if suspicious code or vulnerabilities are found.

In the past we discussed that we couldn’t find evidence that SiteLock was actually able to find vulnerabilities, and a past commenter who had gotten their scanning service ended up with their website hacked four months later. Neither of those points to this service being that great, but the other issue is that even if you are alerted to vulnerabilities, you would still need to take action.

Clearly something hasn’t worked in the case of this website, as it is currently running an outdated version of Joomla, 3.6.3:

[Screenshot: outdated Joomla version]

Version 3.6.4 was released on October 25. That version fixed “three critical security vulnerabilities”, and by critical, Joomla really meant it in this instance, as websites still running older versions (the vulnerabilities existed back to version 3.4.4) were quickly being exploited (it should be noted that Joomla gave everyone a heads up four days before that version was released).

Looking At How SiteLock Sells Their Services Versus the Reality Behind Them

We have recently been taking a close look at the practices of the web security company SiteLock after finding that not only were they providing poor quality services (as is par for the course for web security companies), but a lot of what they appear to be doing comes closer to outright scamming. We thought it would be useful to show how some of what we have found comes into play in their interactions with a customer. To do that, let’s look at a recent complaint from one of SiteLock’s customers that hits on a number of issues with what SiteLock is doing.

After their website had been hacked in February of last year, SiteLock sold them on one of their services:

[L]ast February we purchased “SiteLock Premium” for $500/year. I was told this was the best security product available. With it, I would have a firewall that would prevent any further attacks. And since it runs “in the cloud” it would actually make our site faster. We were assured that SiteLock has never been hacked and even if we are hacked, our site would be cleaned.

There are a number of issues we see with that.

We are not sure how SiteLock’s own website never being hacked (if that were even true) would mean that their customer’s website wouldn’t be hacked. That would seem to require the same practices being followed on both, but that isn’t the case, as we will get to later in the post.

Then there is the issue that, as best we can tell, SiteLock’s web application firewall (WAF) isn’t actually their own; instead they are reselling Incapsula’s WAF service. That raises several issues. One is that SiteLock promotes the service as if they are providing it; if they would lie about that, you can reasonably wonder what else they are not being honest about. Since the service involves sending the website’s traffic through that CDN, all of the traffic is flowing through a company SiteLock’s customers are not even aware of, much less have a relationship with. Finally, you have to wonder if SiteLock is even aware of how good or bad the WAF is at protecting against attacks, since it isn’t actually something they run.

Another serious issue is that SiteLock failed to do a basic part of a proper hack cleanup, making sure that the software is brought up to date. In this case the website is still using Joomla 2.5:

A Website That Is Supposed to be Secured by SiteLock is Still Running Joomla 2.5.28

That version of Joomla reached end of life on December 31, 2014 and therefore was not receiving further security updates. So any cleanup in 2015 should have included upgrading to a supported version of Joomla. (It is important to note that SiteLock is certainly not alone in skipping this important part of hack cleanup; many providers cut corners like this.)
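As an added example (not code from the original post or from any of the companies it discusses), here is a defender-side check that encodes the version facts stated in the two Joomla passages above and in the Magento passage (Joomla 3.4.4 through 3.6.3 affected, fixed in 3.6.4; Joomla 2.5 end of life on December 31, 2014; Magento fixes shipped in 1.9.3 or the equivalent security patch 8788) and flags an install that falls in a known-bad range, including the case where an older release is acceptable because the backport patch is applied. The Joomla manifest path and the sample manifest are assumptions constructed for the demo, and because the post does not state the lower bound of the Magento range the rule treats it as unknown.

```python
# Added example, not from the original post or from Joomla/Magento/SiteLock.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.6.3' -> (3, 6, 3); rejects anything that is not dotted integers."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class Advisory:
    product: str
    summary: str
    fixed_in: Version                        # first release no longer affected
    first_affected: Optional[Version] = None  # None: lower bound not stated
    backport_patch: Optional[str] = None     # patch that fixes older releases


# Facts as stated in the post. The Magento lower bound is not given, so it is
# left as None (any release below 1.9.3 without the patch is flagged).
ADVISORIES = [
    Advisory("joomla", "three critical vulnerabilities fixed in 3.6.4",
             (3, 6, 4), (3, 4, 4)),
    Advisory("magento", "fixes shipped in 1.9.3 / security patch 8788",
             (1, 9, 3), None, "8788"),
]
END_OF_LIFE = {("joomla", (2, 5)): date(2014, 12, 31)}


def assess(product: str, version: str, applied_patches: Sequence[str] = (),
           today: Optional[date] = None) -> List[str]:
    """Findings for one install; an empty list means nothing known-bad."""
    today = today or date.today()
    v = parse_version(version)
    findings = []
    for a in ADVISORIES:
        if a.product != product or v >= a.fixed_in:
            continue
        if a.first_affected is not None and v < a.first_affected:
            continue
        if a.backport_patch and a.backport_patch in applied_patches:
            continue  # older release with the backport applied is fine
        findings.append(f"{product} {version}: {a.summary}")
    eol = END_OF_LIFE.get((product, v[:2]))
    if eol and today > eol:
        findings.append(f"{product} {version}: branch {v[0]}.{v[1]} "
                        f"reached end of life on {eol}")
    return findings


def joomla_version_from_manifest(xml_text: str) -> str:
    """Joomla 3.x records its version in administrator/manifests/files/
    joomla.xml (assumed path); read the <version> element."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


# Constructed sample, shaped like a Joomla 3.x file manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
  <name>files_joomla</name>
  <version>3.6.3</version>
</extension>"""

if __name__ == "__main__":
    checks = [("joomla", joomla_version_from_manifest(SAMPLE_MANIFEST), ()),
              ("joomla", "2.5.28", ()), ("joomla", "3.6.4", ()),
              ("magento", "1.9.2.4", ()), ("magento", "1.9.2.4", ("8788",))]
    for product, ver, patches in checks:  # constructed inputs
        print(product, ver, assess(product, ver, patches) or ["nothing known-bad"])
```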

By comparison, SiteLock does keep their own websites up to date. Both their blog and their WordPress-focused sub-domain, wpdistrict.sitelock.com, are using the latest version of WordPress:

The SiteLock Blog is Running WordPress Version 4.6.1

SiteLock's The District Website is Running WordPress Version 4.6.1

Keeping the software running your website up to date is going to provide real protection, whereas other security services may not (we haven’t seen SiteLock present any evidence that their services provide better protection than doing the security basics). It’s telling that SiteLock does that for their own websites, but doesn’t for their customers.

More Money

One of the things we frequently see brought up with SiteLock is that after a customer purchases one security service that was supposed to protect the website, and it doesn’t, SiteLock then wants to sell them more expensive services (that was even mentioned by someone who was praising their service (and then deleted their post for some reason)). Remember that this person was sold a $500 a year plan that they say SiteLock claimed was the “best security product available”; then the website got hacked again, and now SiteLock is pushing a $720 a year plan:

We were recently informed by SiteLock that our site had sustained a Pharma attack that had inserted links directly into our code. This attack could not be automatically cleaned; their software could not remove the malware systematically without risking bringing down our site. The SiteLock technician suggested that we purchase their “Infinity Scan” product for $60 /month. That product includes manual cleaning of our site.

Again there are multiple issues raised here.

You can start with the fact that SiteLock makes a big deal about their automated malware removal in their marketing material, but never mentions that it can have the serious problem of taking down a website. It also seems to us that in an instance where it isn’t up to the task they shouldn’t be charging extra to deal with the situation, as the product is unable to do what it is promoted to do (and considering their track record, you would also have to wonder if they sometimes claim it couldn’t clean a website just to get more money from people).

The other troubling aspect of this is that they have a service that provides manual hack cleaning on a repeated basis. If a website is properly cleaned then it shouldn’t get re-hacked, so unless you are not taking basic security measures, or get unlucky and get hacked through multiple zero-day vulnerabilities in a year, you shouldn’t need multiple cleanups in one year. The fact that they provide this would be a red flag on its own that they don’t do proper hack cleanups, but we already knew that SiteLock doesn’t properly clean up hacked websites, so you don’t have to wonder about that.

What seems to have happened here is another example of that. So how did SiteLock explain the website being hacked again after they were brought in?

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

The backdoor access must either have existed when SiteLock was first brought in to deal with the website, in which case it should have been handled during the cleanup, or have been gained after they were supposed to be protecting the website. In either case we don’t understand how that wouldn’t be on them. The explanation seems to be that since things were set up correctly it couldn’t be their fault, which doesn’t make any sense to us.

Also worth noting here is that their web host, Bluehost, which pushes SiteLock services as one of their “partners”, is ultimately run by the owners of SiteLock and looks to be getting a majority of the money from services sold through the partnership (which explains the high price of SiteLock’s services and the low quality for the amount paid). That isn’t something they publicly disclose, and it is something that one of the other web hosts owned by the same company, HostGator, wouldn’t even acknowledge after it was pointed out that those facts came from their own parent company.

WordPress Giving Legitimacy to SiteLock By Allowing Them to Sponsor and Attend WordCamps

As we have continued to hear more troubling stories from the public about the web security company SiteLock’s business practices, and seen the damage they can cause, we have been very troubled that other organizations would provide them with legitimacy by getting involved with them.

One set of organizations is the various web hosts that have partnered with them. We recently found that the CEO of the parent company of many of those web hosting partners is also an owner of SiteLock, so it isn’t surprising that those web hosts wouldn’t have a problem with what is going on, since their CEO is in on it. It would seem the others are getting paid handsomely to help them out.

Due to SiteLock discovering a couple of vulnerabilities in WordPress plugins some time ago, we had started following their blog for our Plugin Vulnerabilities service. While no more vulnerabilities were disclosed on the blog, we did start noticing that they were sponsoring and attending quite a few of the official conferences for WordPress, WordCamps (and oddly giving presentations unrelated to security, including “Creating a Digital Download Business – What to Sell, How to Sell It and Shortcuts to Success” and “Contact Forms are Boring – 5 Creative Ways to Use Forms in WordPress”). That seems like a really bad idea, considering that the imprimatur of WordPress is then connected with this company, providing them legitimacy they shouldn’t have.

There is also the issue of money that SiteLock makes by taking advantage of people funding these WordCamps, which seems reasonable to consider a moral and ethical issue.

It also doesn’t seem to be a great idea to have a company that has shown that it lacks a basic understanding of how WordPress responds to security issues, leading them to falsely claim that WordPress websites contain critical vulnerabilities, involved with WordPress events.

Just in the next couple of weeks SiteLock is sponsoring WordCamps in Pittsburgh, Raleigh (with a presentation that is also not security related, “Using Curated Content in WordPress—Why and How”), and Dallas. They are also a sponsor of the WordCamp for the whole US in December.

We would like to be able to give you WordPress’s and WordCamp’s side of the story as to why they are involved with SiteLock, but it has been a week since we contacted them with the following email asking for comment and we haven’t received any response:

We are writing a post about the fact that the security company SiteLock is being allowed to sponsor and attend numerous WordCamps despite being well known for taking advantage of its customers.

We first became aware of their practices after we had written a number of posts about other issues we had noticed involving them and then we started getting contacted by people who had been taken advantage of by them, http://www.whitefirdesign.com/blog/2016/05/03/it-looks-like-sitelock-is-scamming-people/. There is a litany of complaints that can be seen if you do a search on Google for something like “SiteLock scam”, including this page with numerous complaints https://sitelock.pissedconsumer.com/. While some of the complaints seem to be unfair to them, there is a pretty clear pattern of actions that seem quite problematic, to say the least.

We would like to include in our post any comment you might have as to why they are allowed to sponsor and attend WordCamps in light of that, so that the public has a better understanding of why WordCamps would get involved with such a company and take money that has been made by taking advantage of people. We would also like to include in our post any comment you might have as to any restrictions you place on what kinds of companies can sponsor and attend WordCamps.

If they were not aware of SiteLock’s reputation before, it seems they could have at least indicated that and said they were reviewing things, but the lack of response points to them being aware of what SiteLock does and being okay with being involved with them.

If you would like to let them know how you feel about that, you can contact the central organization for WordCamps here. You also might want to contact the ones happening locally that SiteLock is involved in, to see if they are aware of what one of their sponsors is up to.

Hosting Recommendation Too

This isn’t the only SiteLock connection with WordPress. As we discussed in a recent post, one of the owners of SiteLock is also the CEO of a major web hosting provider, Endurance International Group. Endurance has many brand names they provide web hosting under, one of those being Bluehost. Bluehost has come up repeatedly in complaints about SiteLock. Bluehost is also one of the web hosts listed on the Hosting page on wordpress.org:

[Screenshot: Bluehost listed on the wordpress.org Hosting page]

That page is linked from the top-level menu of the website, so we would assume it brings in a lot of business to them.

One of SiteLock’s Owners is Also The CEO of Many Of The Company’s Web Hosting Partners

SiteLock is a web security company that we originally became aware of, and wrote a number of posts about, due to our seeing the poor quality of their services when working on clients’ websites that had previously used their services. Due to those posts we started getting contacted about more serious issues with them, namely that in a lot of cases they seem to be scamming people. One of the things that has stood out to us in looking into the situation was the fact that so many web hosts have partnered, and continued to stay partnered, with them. Was the money that we assumed SiteLock was paying them for the partnership worth the damage to their reputation, seeing as the web host that partnered with them is frequently brought up in complaints about SiteLock?

In looking for some information for another post about the company we ran across the fact that the CEO of a major web hosting provider is also one of the owners of SiteLock (the other owner is a director of the same provider), which does a lot to explain their partnerships and also raises even more questions as to the probity of what is going on between them.

On the about page of SiteLock’s website there is no mention of the ownership of the company, and doing a Google site search of their website didn’t bring up any mention of either of the two entities that appear to be their parent company.

On the website of one of those, UnitedWeb, SiteLock is shown as one of the company’s brands, while the web hosting companies Endurance International Group and IPOWER are listed as public companies:

[Screenshot: UnitedWeb brands page]

The connection between all of those entities isn’t clear based on that, though.

A little searching brought us to this page, which seemed to point to a direct connection between SiteLock and Endurance International Group, and with more checking that seems to be confirmed. Endurance International Group’s latest quarterly report states that:

The Company also has agreements with Innovative Business Services, LLC (“IBS”), which provides multi-layered third-party security applications that are sold by the Company. IBS is indirectly majority owned by the Company’s chief executive officer and a director of the Company, each of whom are also stockholders of the Company.

What is Innovative Business Services? That is the entity that owns SiteLock (referred to as a member on that page). So the CEO and a director of Endurance International Group are the owners of SiteLock.

It is not clear where UnitedWeb falls in that, but it looks like it might be the owner of Innovative Business Services, which in turn is owned by the CEO and director of Endurance International Group.

Unless you are very involved in website hosting you probably don’t recognize the name Endurance International Group, but they own many well known web hosts. On the brands page of their website they highlight some of the more high profile ones, including A Small Orange, Bluehost, FatCow, HostGator, iPage, and IPOWER:

[Screenshot: Endurance International Group brands page]

But that just scratches the surface; here are all of their current brands (most of them appear to be web hosting companies) as listed on the Wikipedia page for the company:

  • 2slick.com
  • AccountSupport
  • Arvixe LLC
  • A Small Orange
  • ApolloHosting
  • AppMachine
  • Berry Information Systems L.L.C.
  • BigRock
  • BizLand
  • BlueBoxInternet
  • BlueDomino
  • Bluehost
  • BuyDomains
  • CirtexHosting
  • Constant Contact
  • Directi
  • Dollar2Host
  • Domain.com
  • DomainHost
  • Dot5Hosting
  • Dotster
  • easyCGI
  • eHost
  • EmailBrain
  • EntryHost
  • Escalate Internet
  • FastDomain
  • FatCow
  • FreeYellow
  • Glob@t
  • Homestead
  • HostCentric
  • HostClear
  • HostGator
  • HostNine
  • HostMonster
  • HostV VPS
  • hostwithmenow.com
  • HostYourSite.com
  • HyperMart
  • IMOutdoors
  • Intuit Websites
  • iPage
  • IPOWER/iPowerWeb
  • JustHost
  • LogicBoxes
  • MojoMarketplace
  • MyDomain
  • MyResellerHome
  • MySocialSuite
  • NetFirms
  • Networks Web Hosting
  • Nexx
  • PUBLICDOMAINREGISTRY.COM
  • PowWeb
  • PureHost
  • ReadyHosting.com
  • ResellerClub
  • Saba-Pro
  • SEO Gears
  • SEO Hosting
  • SEO Web Hosting
  • Site5
  • Southeast Web
  • SpeedHost
  • Spertly
  • StartLogic
  • SuperGreen Hosting
  • Typepad
  • Unified Layer
  • USANetHosting
  • vDeck
  • Verio
  • VirtualAvenue
  • VPSLink
  • Webzai Ltd.
  • WebHost4Life
  • webhosting.info
  • Webstrike Solutions
  • Xeran
  • YourWebHosting