The Poor Quality of Web Security Products and Services Can Lead To a False Belief That Websites Have Been Hacked

We think a baseline requirement for using any web security product or service that claims to protect websites should be evidence that the service is effective, preferably from independent testing. What we have found, though, is that plenty of products and services not only don’t provide that, but their own marketing materials indicate that the services fail to secure websites. For example, SiteLock’s idea of security seems to revolve around dealing with the after-effects of websites being hacked instead of stopping them from being hacked in the first place, which isn’t security.

Even for what SiteLock claims to do instead of securing the website, they don’t provide evidence that they are effective at it, and we have seen plenty of evidence to the contrary. The latest example is also a reminder of another issue we sometimes see with security products and services: they lead people to falsely believe that their website has been hacked, so instead of securing a website they lead people to believe that the website is insecure. That might be good for security companies, since it can mean more business from dealing with phantom hacks and more fear leading to more purchases of services that don’t have to work, but it, like so much else from the security industry, is bad for everyone else.

The other day we were contacted by someone using SiteLock’s services, for a second opinion on a claim from them that a website was infected with malware. We were sent the following screenshot from SiteLock’s website:

While that does claim that the website contains malware, the signature listed, SiteLock-HTML-SEOSPAM-fkl, seems to actually indicate that spam content was detected. From what we have seen, SiteLock labels any indication that a website has been hacked as malware. We don’t know if they don’t know what malware actually refers to or if this is done to make what they are detecting sound more concerning than it really is, but it is sometimes very misleading. In this case they also make this sound very concerning by claiming the severity is “Urgent”.

The sample provided for the supposed issue doesn’t appear to be related to malware or spam. Instead it just shows a link to another page on the same website and harmless HTML code generated by the WPBakery Page Builder plugin for WordPress. We also didn’t find any other indications of a spam hack on the website, so this “Urgent” situation seems to really be a false positive.

Considering that their service is supposed to provide “security” by detecting and removing malware, the poor quality of their scanner makes it unlikely that they could even accomplish effective detection, much less effectively remove what they find.

This was apparently the third time that SiteLock had claimed that there was malware on the website. Based on the quality of the claim in this instance, it seems unlikely that it was the only false positive.

You Also Shouldn’t Be Relying On SiteLock to Clean Up Hacked Websites

Part of what makes us have such disgust at so much of what goes on in the security industry is that we see the damage that so many of the people and companies in it cause, over and over. Just yesterday we were discussing the mess caused on one website by Sucuri’s poor attempts to secure and clean the website. That isn’t an isolated incident with them and it isn’t justified in any way; that is the type of company that shouldn’t even be in business, since they either are simply unable to do the work they claim to be able to do or intentionally don’t do things right. That not only harms their own customers, it makes everyone less secure by spreading false information and by doing things that make all websites less secure (like not determining how websites are hacked, which leaves the underlying issues unfixed). They are not alone in this.

Just a couple of days ago we got yet another example of that type of issue with a company named SiteLock, which also isn’t an isolated incident when it comes to this particular company. In this case they were hired to clean up a hacked website. After the cleanup there were errors and the owner of the website was unable to edit the website (possibly because of the web application firewall that was put in place on the website, which isn’t an isolated issue with WAFs). When SiteLock was contacted about those errors, they said that there was now more malware on the website and that an additional fee, on top of the $500 just paid, would be needed to deal with that.

If you just cleaned a website and there is immediately malware on it again, that means you didn’t get things properly cleaned up the first time, so charging more money to deal with that seems highly inappropriate to us. It certainly isn’t something we would do.

An easy way to avoid ending up in a situation like this is to avoid hiring SiteLock. We can’t emphasize enough how many problems caused by this company we have dealt with over the years, problems that should never have happened if they had an interest in doing things right.

The Truth Behind Conflicting SiteLock Reviews

Recently something we had written about the web security company SiteLock was linked to in a thread that starts out with someone discussing the conflicting reviews of SiteLock:

Just had a WordPress site hacked. Our host suspended our site and recommended SiteLock to clean it up. I looked at online reviews of their service. There are reviews that say they’re good, and reviews that say they are a scam. They say that you pay to have your site cleaned and then monthly to protect it. There are numerous reviews saying that even with the monthly fees, their sites still got hacked, and they were charged hundreds of dollars to fix it again. If these reviews are true, I want a better solution. What would you do? Are the reviews true?

As we monitor the reviews of SiteLock to keep track of what they are up to (we are frequently contacted by people looking for help after being contacted by them or after having hired them), we thought it would be worth touching on what explains those conflicting reviews.

Positive Reviews

The positive reviews of SiteLock mostly fall into two categories. The vast majority of recent reviews are by people that SiteLock pushed to provide a review after any interaction with them. We really do mean any interaction. Here, for example, are two reviews shown on the review website consumeraffairs.com from the same day, giving SiteLock five stars for helping them to update credit card information:

I contacted SiteLock because I needed to update my credit card information. I was delighted by the speed and helpful service I received from the support team. I would highly recommend SiteLock for their valuable products and services, which are consistently stellar.

Tyrell was very helpful in walking me through updating my credit card billing information online. He was also very courteous and patient while he waited as I entered my information. It would be a pleasure to work with Tyrell again.

That doesn’t seem like something people would do on their own all that often. More importantly, it really doesn’t tell you anything about how good or bad the service is, just that this company is interested in making sure it keeps getting paid.

It isn’t even clear that the people leaving those reviews would be aware of that review website, as a company that pays consumeraffairs.com a monthly fee, as SiteLock does, is provided various methods of having reviews collected:

ConsumerAffairs also helps Accredited Members collect reviews through Facebook, email, feedback cards, targeted phone calls and through its website.

We’ll come back to what else SiteLock’s paying that website provides them in a bit, but first there is a second set of positive reviews. Those largely look to be made up of people who genuinely believe that SiteLock is providing a good service and have left a review on their own. Considering that even many people in the security industry don’t have a good understanding of security, it wouldn’t be surprising if these positive reviews from the public do not provide a good picture of what SiteLock really provides. For example, one five star review of SiteLock we used as an example of that last year actually indicated that SiteLock was leaving a website insecure. That isn’t surprising since, as we mentioned more recently, SiteLock’s own marketing material indicates they think that security doesn’t involve keeping a website secure, but dealing with the after-effects of leaving it vulnerable.

Negative Reviews

If you were to look at the most recent one star reviews of SiteLock on consumeraffairs.com, what you would notice is that you have to go back months to see one where the one star rating is actually shown. The most recent ones either say “Insufficient response received” or “No response received”. That is because SiteLock, being a paying customer of consumeraffairs.com, can challenge reviews, and they have in fact challenged every single recent negative review. By doing so they can get the low ratings excluded from the overall rating:

While ConsumerAffairs never changes star ratings at a company’s request, a consumer may choose to change a star rating after resolving a complaint. In addition, if a consumer does not respond to a request for more information, or the consumer’s complaint is resolved privately with the company, or the factual basis for a complaint is unresolved, the consumer’s star rating may not be displayed and will not be included in a company’s overall star rating.

The business model of that website and other review websites looks to be built on companies paying them to present a positive image of the company.

What seems to be a telling indication that the negative reviews are the ones of value is that all of the reviews currently marked as most helpful are negative ones.

That doesn’t mean that those reviews are accurate either. Just as the genuine positive reviews can be inaccurate due to a lack of understanding of security, plenty of the negative reviews we have seen are also inaccurate. For example, we have seen numerous negative reviews that claim that SiteLock hacked websites. We have also had people contact us claiming the same thing. We have never seen any evidence to support that, despite it being such a serious allegation, and plenty of evidence to the contrary.

If you want a summary of what SiteLock really offers, this review on consumeraffairs.com from May 23 does a great job of that:

It’s my opinion that SiteLock is exhibiting predatory sales tactics. In my case they sold me on the service to monitor and protect my website from malware for a subscription fee. They are aggressive. But the worst part is that malware infected my site again and I called SiteLock for help since I’m a paying customer. Even though they originally sold me on the effectiveness of their products they told me they were not going to be able to remove the new malware and it would cost $300 to remove it. They also were trying to sell me on more services. It’s just my opinion but then I believe they set up a system to catch people when they are most vulnerable then charge them a lot to get their website working again. The support people that I talked to are salespeople. Look elsewhere folks. Save yourself the wasted time, money and the headaches that come with choosing the wrong company to protect your website.

One thing we would note about that is that we are not aware of any company that provides a service that will effectively protect a website. If you are looking for something like that, we would recommend that you instead do the things that are going to actually keep your website secure; otherwise you would want to look for a company that presents evidence, preferably from independent testing, that shows its service is effective (if someone finds a company that provides that, we would love to hear about it).

If your website is already hacked, before focusing on the things that will protect it going forward, it should be properly cleaned, which involves three key components:

  • Cleaning up the hack.
  • Getting the website as secure as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was hacked and fixing that.

From what we have seen, SiteLock usually doesn’t attempt to do the last two and doesn’t do all that good a job of the first. Unfortunately, based on our experience of frequently being brought in to re-clean hacked websites, they are far from the only company that is not even attempting to properly clean up hacked websites.

That SiteLock doesn’t attempt to determine how websites were hacked explains in part why they are not good at protecting websites from being hacked either, as they wouldn’t even know what to protect against.

Here Is How SiteLock Tries To Mislead People with Their Meaningless Attacks per Day Stat

We frequently have people contacting us looking for help after they have been contacted by the web security company SiteLock, and through that we often hear bits and pieces of the misleading and outright false claims they frequently make. Recently we have been sent complete sets of communications between them and the people they were trying to take advantage of. There are a number of things we have noticed in those that seem worth touching on, but we will start with something related to what we discussed in another blog post a month ago.

This comes from an email conversation with a SiteLock “website security consultant”, which is really just a commissioned sales person. Given how far that title is from what the person really does, it probably won’t surprise you that what they tell people also isn’t truthful.

Here is a claim that the sales person made:

You have been very blessed if your site has not been hacked for 6 months as a typical website faces 44 attacks a day. Without the proper security any and all of those attacks can affect your site.

When we discussed that stat last month, we noted that what would be relevant is how many successful attacks there are, not how many attempts there were. As we also noted then, SiteLock’s president actually claimed they were able to determine which attacks were successful:

As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks.

If they truly know that (it seems likely they didn’t, but were claiming otherwise to make a reduction in the claimed average number of attacks sound scary), why wouldn’t they let people know how many successful attacks there are, seeing as those are what actually matter? An obvious answer would be that successful attacks are incredibly rare. It isn’t as if the average website is being hacked once a year, much less multiple times a day as the sales person’s claim implies is possible.

In the rest of the email no evidence was provided that the $99 a month service they wanted this person to purchase would do anything to protect the website from being hacked. They even promoted that the service includes unlimited cleanups, which wouldn’t be needed if the service actually protected the website, since a website that is actually secured shouldn’t need to be repeatedly cleaned up. Based on their marketing material it seems that SiteLock believes that a security service shouldn’t actually be able to secure a website against being hacked, which in a way makes sense, since simply doing the basics is what will actually provide real security.

Just Because SiteLock Is Trying To Con You Doesn’t Mean Your Website Hasn’t Been Hacked

In interacting with people about hacked websites, one of the things that comes up frequently is people conflating security companies trying to take advantage of them with a belief that their websites haven’t really been hacked. A lot of the blame for this lies with the security companies that are trying to take advantage of people (and look to be very successful at it) and with those that help enable that, which includes their business partners and government entities that don’t take any action against them. But some of the blame has to be placed on customers of these services that seem to take a completely uncritical view of them, as, among other things, their funding of these companies allows the companies to expand and take advantage of more people.

As an example of that, we had someone contact us recently after they ran across a post we had written about how the web host Bluehost was continuing to try to sell SiteLock services based on claims made in phishing emails meant to look like they came from Bluehost support. The situation this person had was very different from that.

They had been contacted by a company informing them that their website was being used for phishing. Their web host, Bluehost, which is a SiteLock partner, had suspended their account for the same issue. They said they were “shocked” because they had SiteLock on the account and they thought that with that the website wouldn’t have been able to be hacked.

As a company that works in the field we obviously have a very different view of things, but it is still hard to understand a view like that when you consider that SiteLock and every other similar company we have run across don’t provide evidence that their services are effective at protecting websites. To us that seems like a baseline before purchasing any service like that, but clearly it isn’t.

The next part of the story is something we have heard plenty of times before, but it still doesn’t make much sense to us. They were then told they would need a higher level of SiteLock service to protect against the issue happening again. To us that raises some obvious questions, like why SiteLock would, by their own admission, be selling security services that don’t actually provide security. Another would be why, at that point, people still wouldn’t expect some evidence to be presented as to the effectiveness of the services, considering SiteLock has just admitted that they are selling services that don’t actually work.

When we responded explaining the lack of evidence that SiteLock’s services are effective (along with the plenty of evidence to the contrary that we have run across) and that SiteLock’s own marketing indicates that they are not even attempting to provide real security, the response from the person was not concern about SiteLock’s practices, but that the whole situation seemed suspicious. We asked about the evidence presented that the website had been used for phishing, but the person seemed uninterested in actually checking things over. Based on past experience, our guess is that the website actually was hacked in this case.

Dealing With a Possibly Hacked Website

While in this case we guess the website actually had been hacked, we have run into plenty of instances where SiteLock and their web hosting partners falsely claimed that websites had been hacked. So what we recommend you do in that situation is get a second opinion on the claim. We are always happy to provide that for free and would hope that other reputable security companies (to the extent that there are any) would do the same.

If the website is hacked what you want done is to have it properly cleaned up, which involves cleaning up the hack, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked and fix that. If a service doesn’t do those things (as is true of SiteLock’s main services) then you stand a decent chance of having continuing issues. After things have been cleaned, instead of paying for a security service that won’t protect your website, you should make sure to do the basics to keep your website secure from most issues.

Somehow SiteLock Got a Five Star Review for Failing to Properly Clean Up a Website Multiple Times

When it comes to trying to find a company to help you deal with a hacked website, one of the big problems is that many people providing reviews and recommendations don’t actually have a good idea of what a proper hack cleanup entails. We have had people come to us to re-clean websites who, after we ask if the previous company had determined how the website was hacked, tell us that trying to do that never came up, but that the company did a good job. The fact that the website needs to be re-cleaned seems like it might be an indication that they didn’t actually do a good job, but what tells us for sure is that they didn’t try to determine how the website was hacked, despite that being one of the three basic components of a proper cleanup. In our experience a lot of companies fail to attempt two of the three components (the other being securing the website, largely by updating the software), which makes it not all that surprising that we have a lot of people coming to us to re-clean websites.

With one company, finding an accurate assessment is hard because they have flooded review sites with positive reviews of little value. That company is SiteLock, which otherwise has a rather bad reputation. That bad reputation is due to their business practices, which are even worse than the usual bad practices of the industry. Instead of trying to improve them, which might not be possible, since without misleading and greatly overcharging people they likely couldn’t sustain their business given the poor quality of their offerings, they have focused on pushing people to leave reviews right after having an interaction with them.

One review from last week that we ran across really stands out for that. The review was one of two five star reviews left by this person on the same day.

The first one is rather vague:

certainly professional and extremely responsive to my problems….highly recommend!

The second one is more specific:

I have had to request three successive cleanings (all in one day) to hopefully resolve a malware problem – this particular malware was very persistent and difficult to eradicate. Each time I requested a repeat service, they did not hesitate or put me off – they worked the problem with professionalism, and for that I am very appreciative. Thank-you.

That they failed to fully clean things up at least twice (it is entirely possible the issue still hadn’t been resolved, as even the review only says that it was “hopefully” resolved) seems like it should be a negative, but somehow it is treated as a positive.

Maybe it says something about SiteLock’s targeted customer base that they are “appreciative” of someone doing what they were already paid to be doing.

The reality here is that, from what we have seen of SiteLock, they don’t properly clean up websites, including skipping those two components of a proper cleanup, so a situation where the issue wasn’t resolved multiple times isn’t surprising. Cutting those corners isn’t what we would describe as professional behavior.

Down the road the results can be worse. Below is a review left on another review website, consumeraffairs.com, from just a few days ago, which is in line with what we have heard repeatedly about SiteLock:

My website was hacked about 3 months ago. I signed up for Sitelock services as they promised me that they would clean my website from all malware and make sure that it wouldn’t be back. They explained to me that the hackers had found a back door and they were going to repair all the files and make sure that they wouldn’t find their way back in. They did clean my website and it was up and running well after about 48 hours. Their customer service reps and technical reps are very nice and sound very knowledgeable. Their service is not cheap at all but I thought that for $50 a month, I was now covered… 3 months later, I suddenly couldn’t log in onto my admin panel. My access was “forbidden”. I contacted them many times (as well as my website host) with no answers at all from Sitelock. No one contacted me back…

Fortunately, after about a week, I was finally able to log in but with no explanation. Three weeks after this first incident, the same thing happened again. When I called this time Sitelock (instead of contacting them online with no response) the rep told me it was probably a problem with my host server. After spending 1 hour with my host server, I was told it was something else. I contacted Sitelock again, this time to be told that my site had been hacked again: the first hackers had “reopened” the back door (that Sitelock was supposed to have found and closed) and this time wanted total control of my site.

They could remedy this if I pay $45 additional a month. I am totally in disbelief and refuse to pay this additional fee as I really think that this is their fault if I was attacked again. They didn’t protect my website sufficiently as they promised they would. I am extremely unsatisfied at this point. I still cannot log into my website but I don’t want to pay another dollar for a service they didn’t render. In the meantime, I’m stuck and pissed off!

Considering that SiteLock’s idea of website security doesn’t involve actually securing websites, what happened there isn’t surprising.

Based on everything we have seen, the likely reason this person was told they would need to pay more to remedy the situation is that when you get in touch with SiteLock you are usually dealing with a commissioned sales person, not a technical person, so they don’t have the capability to resolve an issue, and their interest is in getting you to spend money with them or, in the case of existing customers, more money (we have seen that taken to the level of trying to sell someone a cleanup for a website that wasn’t hacked).

What is also interesting about that situation is the belief that the cost of the service was an indication of its effectiveness, as opposed to actual evidence that the service was effective (which we haven’t seen SiteLock or providers of similar services ever provide, despite the incredible claims made about the security their services are supposed to provide).

SiteLock and Sucuri Inaccurately Portray Hidden Spammy Content on Website as Malware

We frequently have people contacting us for a second opinion on claims from the security company SiteLock that their websites have been hacked. To be able to provide that we ask for the evidence SiteLock presented to back the claim up. An important reason for doing that is that SiteLock appears to refer to anything they detect as possibly being an indication of a hack as malware, even if it isn’t malware.

Malware is short for malicious software and, when it comes to websites, can accurately refer to one of two things: malicious code being served from a website, or malicious code located in a website’s files or database.

One reason they might refer to any indication of a hack as malware is to make the issue sound more serious than it really is and make you more likely to pay them for some security service. As an example of that, in one instance where we were contacted about a claim of theirs, what they were claiming was “critical” severity malware was just a link to another website. What was even supposed to be a problem with the link, which was included with a comment on a blog post, wasn’t clear, since the domain name of the website being linked to wasn’t registered anymore, but saying there is an issue with a link would sound a lot less concerning than “malware”.

Someone they recently contacted with a claim that their website contained malware had also been told by the SiteLock representative that called them that Google would “shut down” their website due to the issue. In reality Google doesn’t shut down websites, and since the issue wasn’t actually malware they wouldn’t even have blocked access to the website if they had detected it.

That person had then run the website through the Sucuri SiteCheck scanner, which also claimed the website contained malware. Sucuri also goes over the top in making issues seem as bad as possible to sell their service:

The small text there states:

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

What they actually identified there is what we would describe as hidden spammy content, which is a less serious issue than malware. It also didn’t contain any code, JavaScript or otherwise, despite Sucuri labeling it as “Known javascript malware” and stating that “Malicious Code Detected”.

While Google might penalize a website for hidden spammy content like that, it isn’t going to do any harm to people visiting the website.

If you visit the link they provide for the details of that type of issue, http://labs.sucuri.net/db/malware/spam-seo.hidden_content?24, the description doesn’t mention “malware”, but does mention “hiding spammy content”:

Hiding spammy content (links, spammy texts, etc) on legitimate web pages is a common black hat SEO trick. It helps use existing site pages in black hat SEO schemes while keeping it invisible to site visitors and the webmaster.

There are many techniques that help hide certain parts of a web page. Most of them include either CSS or JavaScript. The simplest is placing spammy content inside a div tag with the display:none; style.
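To make the distinction concrete, here is an added example (not SiteLock’s or Sucuri’s scanner, and not from the original post) that checks HTML for the “hidden spammy content” technique Sucuri’s own description mentions, while not flagging a visible link to another page on the same website such as the WPBakery-generated markup discussed earlier. The two HTML samples are constructed for the example; the choice to treat inline display:none (and visibility:hidden) as “hidden” and a link to another host as “external” is an assumption of the example, as is the rule that hidden spam means hidden external links. Note that hiding done through a stylesheet or JavaScript is not caught by this inline-style check, which is exactly why a scanner’s sample should be inspected rather than trusting its label.

```python
"""Hidden SEO-spam check (added example; not any vendor's scanner)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenSpamFinder(HTMLParser):
    """Record anchors and whether each sits inside an inline-hidden element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []            # (tag, hidden) for each open non-void element
        self.hidden_depth = 0      # number of open ancestors hidden via inline CSS
        self.hidden_links = []     # (href, is_external) found under hidden elements
        self.visible_links = []    # (href, is_external) found in visible content
        self.script_tags = 0       # lets us say whether any JavaScript was even present

    @staticmethod
    def _inline_hidden(attrs):
        # Assumption: inline display:none / visibility:hidden is what hides spam.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = self._inline_hidden(attrs)
        if tag == "script":
            self.script_tags += 1
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            is_external = bool(host) and host != self.site_host
            bucket = self.hidden_links if (self.hidden_depth or hidden) else self.visible_links
            bucket.append((attrs["href"], is_external))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            if hidden:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inner elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.hidden_depth -= sum(1 for _, h in self.stack[i:] if h)
                del self.stack[i:]
                break


def scan(html, site_host):
    """Classify a page: hidden external links => hidden spam; otherwise clean."""
    finder = HiddenSpamFinder(site_host)
    finder.feed(html)
    finder.close()
    hidden_external = [href for href, ext in finder.hidden_links if ext]
    return {
        "verdict": "hidden spam content" if hidden_external else "no hidden spam",
        "hidden_external_links": hidden_external,
        "visible_links": [href for href, _ in finder.visible_links],
        "script_tags": finder.script_tags,   # 0 means "javascript malware" is a misnomer
    }


# Constructed sample 1: visible internal link inside page-builder markup (benign).
WPBAKERY_SAMPLE = (
    '<div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container">'
    '<div class="wpb_wrapper"><p><a href="https://example.com/about/">About us</a></p>'
    '</div></div></div>'
)

# Constructed sample 2: spam links hidden with display:none (the technique described).
HIDDEN_SPAM_SAMPLE = (
    '<p>Welcome to our site.</p>'
    '<div style="display: none;">cheap <a href="http://spam-pharma.example/buy">pills</a>'
    ' and <a href="http://casino.example/">casino</a></div>'
)

if __name__ == "__main__":
    for name, sample in (("wpbakery", WPBAKERY_SAMPLE), ("hidden spam", HIDDEN_SPAM_SAMPLE)):
        print(name, scan(sample, "example.com"))
```

Run against the two samples, the page-builder markup comes back as “no hidden spam” with one visible link, while the display:none block is reported as hidden spam content with two external links and zero script tags, which is the situation the text describes: spammy, worth cleaning, but not JavaScript and not malware.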

Another interesting similarity between those two companies, which seems to tie in to the overstated impact of the real issue on this website, is that the security services provided by both SiteLock and Sucuri don’t seem to be focused on actually securing websites. Instead they seem to be more focused on dealing with the after-effects of a website having been hacked after having left it insecure. That could be an indication that the companies don’t have a good understanding of what they claim to have expertise in, or that they are just interested in getting as much money out of people as possible instead of being focused on improving security.

This Review Seems Like Evidence That SiteLock’s Vague Emails About Supposed Vulnerabilities Are Just a Marketing Ploy

On a fairly regular basis we are contacted by people looking for advice after being contacted by the security company SiteLock. From what we have seen, a lot of the claims that SiteLock and their representatives make are misleading or false and seem intended to get people to sign up for unneeded services.

In some cases the claims are obviously false, like when they falsely claimed that a website contained “critical” severity malware due to having a link to an unregistered domain name.

In other cases the claims sound impressive, but they fall apart upon inspection. That was the case with SiteLock’s “likelihood of compromise” scores, which are promoted as being based on “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. When a Forbes contributor reached out to SiteLock for an explanation of how their website, which supposedly had a “Medium” “likelihood of compromise”, could even be compromised in a way that SiteLock’s analysis considered, SiteLock said they would provide one and then stopped responding:

When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

One claim that we have yet to see any evidence of a basis for is that a website has some undetailed vulnerability, which is made in emails like this:

Because website security is important, your hosting provider has provided you with a complimentary scanner from SiteLock that proactively checks for malicious threats and vulnerabilities. This scan regularly reviews your website plugins, themes and content management system (CMS) for potential vulnerabilities.

During a recent scan, a vulnerability was detected on your website.

For details on the findings, including the location of the vulnerability and remediation options, please contact SiteLock today. We would be happy to walk you through your dashboard and talk to you about next steps. Our security consultants are available 24/7 to answer your questions.

Call 844-303-1509 or email support@sitelock.com

A recent positive review of SiteLock we ran across certainly seems to give more weight to the possibility that there aren’t really vulnerabilities that they have discovered. Here is the review:

I responded to your email letting me know I had vulnerabilities on my websites. After our conversation everything was taken care of to thwart those vulnerabilities with your premium firewall. David was very helpful in making me understand how the firewall will benefit me. Thank you!

If there really were vulnerabilities, what would need to be done to take care of them would be to fix them. A firewall wouldn’t fix them. At best it might limit the ability to exploit them, but SiteLock doesn’t provide evidence that their TrueShield Web Application Firewall is effective at all (they might not have any idea if it is, since the service is provided by another company, something they lie about), and in some cases that type of firewall can be easily bypassed entirely. It is also worth noting here that, as far as we are aware, when you get in touch with SiteLock you are talking to a commissioned salesperson, not a technical person with security expertise, so they likely wouldn’t know whether what they are selling someone is actually beneficial to that person or not.

What we have previously seen with this type of email made it seem like the claims could be baseless, as among other things they have even sent messages that didn’t say which website was supposed to have been impacted. The review seems in line with that, as it looks like the emails are just a way to get people to contact them and then sell them on security services that are not even focused on protecting websites from being hacked.

As we said the last time we mentioned these emails, you could probably safely ignore them, but if you want extra assurance you could contact SiteLock and ask for evidence of their claim (though we have heard in the past that they wouldn’t provide that) or check to make sure you are doing the important things to keep your website secure, like keeping your software up to date. While we don’t recommend it, we also offer a security review to check over things like whether software you are using is known to be insecure.

SiteLock Admits To the Meaninglessness of Its Website Attacks Stat, While Still Promoting It

Recently we have put forward the idea that a way to better understand the poor state of the security industry is to think of it as the “insecurity industry”, as much of the industry is not interested in actually securing websites, but instead in selling people on the idea that they should be buying expensive security services without any expectation that those services will actually provide effective protection. One company that really exemplifies that is SiteLock. Just a couple of weeks ago we discussed how they promote their service in a way that indicates it doesn’t actually protect websites, as they portray that instead of keeping websites from being hacked they provide incomparable security by being better able to deal with the after effects of leaving websites vulnerable to being hacked (though they didn’t provide any evidence they are even good at what they claim to be able to do).

One of the things we mentioned previously as part of what defines the “insecurity industry” is selling people on the idea that websites are under constant attack. That is something SiteLock frequently brings up. For example, in a press release from March 12 they claimed:

The average website is attacked 59 times per day, which is up a staggering 168 percent from the previous year.

If you think about it for a second though, that doesn’t sound like a meaningful statistic, since the average website isn’t being hacked 59 times a day, or even once a day.

A couple of weeks after that press release, SiteLock had a bit of a problem, as their latest claimed stats indicated that attacks were down:

Websites experienced 44 attacks per day on average in Q4 2017, a 25 percent decrease from the previous quarter.

Part of the way they tried to downplay that was to extrapolate out that number over a year (despite knowing that the number is variable):

Despite this decrease, a single website can still experience 16,000 attacks in one year alone.

As far as we are aware the average website isn’t being hacked even once a year, so once again the stat is rather meaningless.

Next up they downplayed it by saying the number of attacks isn’t actually meaningful:

“A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite,” says Neill Feather, president of SiteLock. “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.”

So if attacks are up you should be concerned, and if attacks are down you should be even more concerned; it is almost like the number of attacks isn’t meaningful at all.

That claim sticks out considering that they still make a big deal of the number of attacks. They even created a graphic in that very post highlighting the number of attacks:

What would be a relevant stat is how many successful attacks there are. The quote from the President of SiteLock indicates they would know that: “our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks”. We doubt they actually do, but assuming they did, telling people the truth, which is that successful attacks are very uncommon, would get in the way of scaring people. So how uncommon? From everything we have seen we are talking about an incredibly small fraction of one percent of attacks being successful.

Another part of the quote from the President of the company that sticks out to us is “businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur”. This gets to the idea of the “insecurity industry” because of the expectation that even though you have the “right technology” (that is, paying SiteLock or somebody else for a protection service) you should assume you are going to get hacked anyway. The reality though is that if you do the basics of security you can prevent most hacks (even ones that advanced security products fail to protect against). In some cases though doing the basics won’t protect websites from hacks, in part due to things that SiteLock and other security companies are doing that they shouldn’t and things they are not doing but should be (like failing to determine how the websites they are cleaning up have been hacked).

Part of the next paragraph after his quote is in line with selling insecurity as security:

Additionally, a website scanner can find malware on your site, helping to mitigate threats in real time.

If you are finding malware on a website you are past the threat stage and have already been exploited. Unless a malware scanner is running constantly, it likely wouldn’t help in real time, and we haven’t seen any evidence that any malware scanner is all that effective at detecting malware (SiteLock has promoted theirs with bogus independent testing). Selling people on the idea that detecting malware on a website isn’t an indication that a security product failed, but that it is working, is exactly what the “insecurity industry” is.

Beyond scaring people, another reason a company would put out stats like this is to get press coverage, since journalists will run with this type of thing even if the data is of questionable value (we have seen plenty of instances where security journalists have run with wholly false claims, including from SiteLock). You might think a journalist would notice that SiteLock is itself saying the stat isn’t meaningful here and not run with it in this instance, but that didn’t happen. Among them, the Washington Post ran with it under the headline “A typical small business website is attacked 44 times a day” and TechRepublic under “The average SMB website is attacked 44 times per day”.

This Looks Like It Might Be Another Instance of SiteLock Partnered EIG’s Apparent Security Issue

A week and a half ago we discussed a situation where there looked to be at least a hacker specifically targeting websites hosted with the web hosting company EIG, which does business under brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The more concerning possibility is that the hacker wasn’t just targeting websites hosted with EIG, but taking advantage of some security issue within their systems to breach the websites. Due to their relationship with a web security company, SiteLock, they don’t seem to have an interest in investigating this type of situation (and neither does SiteLock).

That wasn’t the first time we had run across the possibility of such a situation occurring with EIG. Back in July of last year we discussed another instance, but in that case we were not brought in to clean up any of the websites targeted, so we had a very limited ability to assess what was going on.

We have now run across yet another instance that lines up with the others.

We were contacted about a hacked website after the person handling a replacement of that website was in contact with SiteLock (due to the website being hosted with HostGator) and then they found our blog posts about SiteLock.

What they had been told by SiteLock was the same kind of stuff we hear a lot. That included that they were told that if the website was cleaned up of the “malware”, but not protected by SiteLock going forward, it would just get infected again. Because the website was for a church, the SiteLock representative said they could provide a discounted rate of $400-600 a year (which doesn’t seem to actually be a discounted rate). Instead they hired us to clean it up for a lot less than that.

What we knew before we started working on the cleanup was that the main website in the account was serving up Japanese language spam when crawled by Google and other search engines, which led to the search results for the website also showing that. That website was running Joomla 1.5, which reached end of life in September 2012. There was also a recently set up WordPress installation, which was being prepared to replace that website, and it was not serving that spam content to search engines.

The obvious security concern there would seem to be the Joomla installation, since it is running software that hasn’t been supported in five and a half years. We haven’t seen evidence that Joomla installations of that vintage are currently being exploited in some mass fashion though, so that seemed less likely to us. There was also the possibility of an extension installed in the Joomla installation being a security concern, since those would be equally out of date.

The code causing the Japanese language spam wasn’t hard to find: it was obfuscated code added to the top of the index.php file in the root directory of the Joomla installation, which is also the root directory of the website. The last modified date for that file was years ago, which probably meant the hacker had changed it to hide that they had modified the file (which is very common).

As we started more thoroughly reviewing the files to look for any other malicious code on the website, the only other place we found any was in multiple files located in a directory for a plugin, /wp-content/plugins/html404/, in another WordPress installation on the website. That additional WordPress installation hadn’t been mentioned to us.

That plugin directory contained files from version 2.5.6 of the plugin Akismet as well as files with malicious code in them. Those files were named:

  • 404.php
  • idx.php
  • jembud.php
  • wso25.php
  • xccc.php

That WordPress installation was running WordPress 4.7.9, which is an outdated major version, but should be secure since WordPress releases security updates for older major versions. The website was using a customized version of a popular theme and had only one other plugin installed; neither of those looks like a likely source of a security issue.

In looking over the WordPress accounts for that website we found that the first account, which would normally be the one created when WordPress was installed, was named “html404”, which, considering it matched the name of the plugin’s directory, seemed like it was probably changed by the hacker (likely with the password also being changed).

Looking at the session_tokens for that user in the wp_usermeta table of the database for that WordPress installation, we could see that at nearly the same time the plugin’s files were listed as last being modified, on January 25, someone had logged in to that account from an IP address in Indonesia (which isn’t where the website is located).

A non-malicious file in the root directory of the website connected with the code added to the index.php file was also listed as last being modified at the same time, so it looks like the breach of the WordPress installation led to the Joomla website being modified.
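One way to do the check described in the two paragraphs above, as an added example that is not code from the original post: parse a user’s session_tokens meta value (WordPress’s PHP-serialized format) and list the logins that fall close to a file’s modification time. The token hashes, IP addresses, user agents and timestamps are constructed sample values, not the ones from the hacked site.

```python
"""Correlate WordPress login sessions with file modification times.

Added example, not code from the original post. WordPress keeps each user's
active sessions in wp_usermeta under meta_key 'session_tokens' as a PHP
serialized array keyed by hashed token, each with 'expiration', 'ip', 'ua' and
'login' (Unix time). The blob and timestamps below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed session_tokens meta_value: one login close to the plugin
# directory's modification time, plus an older legitimate-looking session.
SESSION_TOKENS_BLOB = (
    'a:2:{'
    's:64:"' + 'a' * 64 + '";a:4:{s:10:"expiration";i:1517036400;'
    's:2:"ip";s:11:"203.0.113.7";s:2:"ua";s:11:"curl/7.58.0";'
    's:5:"login";i:1516863600;}'
    's:64:"' + 'b' * 64 + '";a:4:{s:10:"expiration";i:1516096800;'
    's:2:"ip";s:13:"198.51.100.23";s:2:"ua";s:11:"Mozilla/5.0";'
    's:5:"login";i:1514887200;}'
    '}'
)
# Constructed: mtime (Unix time) of the newest file under the plugin directory.
PLUGIN_FILE_MTIME = 1516863840


def php_unserialize(data: str):
    """Minimal PHP unserialize() for arrays, strings, ints, bools, doubles and
    null. Assumes ASCII input: PHP string lengths are byte counts."""
    def parse(i):
        t = data[i]
        if t == 'N':                               # N;
            return None, i + 2
        if t in 'ibd':                             # i:42;  b:1;  d:1.5;
            end = data.index(';', i)
            raw = data[i + 2:end]
            return {'i': int, 'b': lambda x: x == '1', 'd': float}[t](raw), end + 1
        if t == 's':                               # s:<len>:"<bytes>";
            colon = data.index(':', i + 2)
            length = int(data[i + 2:colon])
            start = colon + 2                      # skip ':"'
            return data[start:start + length], start + length + 2
        if t == 'a':                               # a:<count>:{key;value;...}
            colon = data.index(':', i + 2)
            count = int(data[i + 2:colon])
            j, result = colon + 2, {}              # skip ':{'
            for _ in range(count):
                key, j = parse(j)
                result[key], j = parse(j)
            return result, j + 1                   # skip closing '}'
        raise ValueError(f'unsupported PHP type {t!r} at offset {i}')
    return parse(0)[0]


def sessions_near(blob: str, file_mtime: int, window_seconds: int = 3600):
    """Sessions whose login time is within window_seconds of file_mtime, i.e.
    logins that could have written the files; nearest first."""
    hits = []
    for token_hash, s in php_unserialize(blob).items():
        delta = abs(int(s['login']) - file_mtime)
        if delta <= window_seconds:
            hits.append({'token_hash': token_hash, 'ip': s['ip'], 'ua': s['ua'],
                         'login': int(s['login']), 'delta_seconds': delta})
    return sorted(hits, key=lambda h: h['delta_seconds'])


if __name__ == '__main__':
    for hit in sessions_near(SESSION_TOKENS_BLOB, PLUGIN_FILE_MTIME):
        when = datetime.fromtimestamp(hit['login'], timezone.utc).isoformat()
        print(f"{hit['ip']} ({hit['ua']}) logged in at {when}, "
              f"{hit['delta_seconds']}s before the plugin files changed")
```

Only sessions that have not yet expired are present in session_tokens, so this check has to be done promptly after the modification is noticed; the same correlation can be run against the modification times of the other files found on the site.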

Because the web host for the website, HostGator, did not have any log archiving enabled, we could only see the HTTP logging from the day we were cleaning up the hack, limiting what we could glean from that. The FTP logging didn’t show any access that shouldn’t have happened.

Looking around for any other mentions of this that might allow us to give the client better information on what could have allowed this to happen, we came across a thread on the WordPress website with other people that had been impacted. That provided further confirmation of what we had been piecing together, but nothing that shed any light on the cause.

At that point the possibility that this could be another example of whatever security issue might be going on at EIG was top of mind, since a hacker with either direct access to the databases on the server, or access to the files on it (which would give access to the configuration files containing the database credentials needed to access the databases), could change a WordPress username/password like this. There was no direct mention of what web hosts the websites mentioned in that thread were using, but one of the participants’ usernames pointed to the impacted website, and that website was hosted with Bluehost, another EIG brand.

In the previous instances where we found an EIG connection there was a defacement involved that had shown up on the website Zone-H. That allowed us to easily check over numerous websites to see what the hosts were. That isn’t the case with this hack, but we did check over a number of websites we could find that were involved, and what we found was that they all were hosted with EIG brands. Here are the IP addresses along with the EIG brands of websites we found reference to being impacted:

While the sample set we have is smaller than in the previous instances, the chances that all of the websites we checked would happen to be at one hosting company is not what you would expect if the hacking was caused by something unrelated to the web host. At best it looks like we have now run across multiple hackers that are only targeting this one company, but what seems to be a reasonable possibility is that there is a security issue in EIG’s systems that is allowing hackers to exploit them.

Several of those are from the same IP address, which would likely mean they are on the same server.

SiteLock’s Idea of Protection Doesn’t Seem to Involve Real Protection

Considering that EIG brands heavily push people to hire SiteLock to clean up websites, it seems incredibly hard to believe that SiteLock could have missed what we have picked up by dealing with just a couple of websites, if they were properly dealing with hacked websites. But from what we know they don’t usually properly clean up hacked websites. Instead of doing proper cleanups they sell people on services that claim to protect websites, as was attempted in this instance, that don’t even attempt to do that.

If you are not determining how websites are being hacked, it would be difficult to protect them. If there is an issue with EIG’s systems, it would be unlikely that such a service could protect against it, so spotting that type of situation would be really important.

SiteLock’s lack of interest in true protection is even worse in light of the fact that SiteLock has “partnered” with a web host that seems at best uninterested in the fact that hackers are specifically targeting their customers or, worse, that their customers are getting hacked due to a security issue in the web host’s systems. But it gets even worse when you know that while the relationship between EIG and SiteLock is promoted as a partnership, the reality is that the two companies are much more closely connected than they let on publicly. The majority owners of SiteLock are also the CEO and a board member of EIG, which neither side mentions publicly. So you have the owners of a security company, which seems to be uninterested in the security of the websites it is supposed to be protecting, also looking to be leaving the websites they host insecure. On top of that, both sides would profit from this insecurity, as EIG disclosed that they get 55% of the revenue for SiteLock services sold through their partnership, so both companies have a financial incentive not to find and fix something like this as long as their customers don’t become aware of what is going on and leave en masse. That seems like a good argument for keeping security companies and web hosts at arm’s length (maybe not surprisingly, in the other instance of a security company closely tied to a web host, the security company doesn’t seem to be interested in security either).

Wordfence Has Missed This As Well

SiteLock isn’t the only security company that seems to not be on the ball here. In the previously mentioned thread on the WordPress website, one of the participants mentioned they were going to have the security company Wordfence “perform a comprehensive security review and if necessary, final clean-up” after being impacted by this. In the follow-up there is no mention at all of Wordfence having made any attempt to determine how this occurred, just that “I am happy to report that the Wordfence security analyst found no evidence of malware on the website.” Considering that trying to determine how a website was hacked is one of the three basic parts of a cleanup, it seems a bit odd that there wouldn’t be a mention of Wordfence being unable to figure out the source, if Wordfence had done things right and told them that they were unable to determine the source of the hack.

The follow-up response to that was from a Wordfence employee, who instead of being concerned about the source of the hack being a mystery, just promoted a post on the Wordfence website that wouldn’t have any impact on resolving the underlying cause of these hacks. So it would seem they are unconcerned about this as well.