Back in August we ran across a Forbes article about what appeared to new element of the web security company SiteLock’s scamming people, their Risk Assessment Score. That is supposed to be a score based on:
a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.
In the case of the writer of the Forbes article, they were told that there website was at “medium risk” despite being a “single-page static website with just a handful of files and no CMS or other editing software”. When they asked how the website could be compromised they didn’t get an answer:
a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.
What also seemed rather odd considering there were supposed to be “over 500 variables” that were used to calculate this, it didn’t include a couple of possible sources of compromise that were possible with that type of website:
The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.
The lack of the latter seems like it might have something to do with the fact that most of SiteLock’s business comes through partnerships with web hosts (many of them run by the majority owners of SiteLock).
A couple of weeks later we were contacted by someone that had gotten told by their web host 123 Reg, which is a GoDaddy brand, that their website “high risk” based on SiteLock assessment. That further pointed to this assessment not being legitimate as this website was very similar to the previously mentioned one. Once again it was a static website, though it did contain multiple pages.
At the end of September we ran across what seemed to be an example of what it might take to get “low risk”, which was having a website that didn’t exist. In that instance the score came from something we had not heard of before, the SiteLock Platform Digest.
We have recently been contacted by more people that have been getting this and it looks like so much of what SiteLock does, scammy.
This is sent out as an email with the subject, “SiteLock Weekly Risk Score and Website Scanning Results”.
As example of what this involves here is one recent one that one of the people that contacted us received:
Not only were they told that they were at “high risk”, but they also were told that they had 37 issues found. To find out what these supposed issues were they would have to sign up for a $150/year “premium scan” service, which was promoted as also including a firewall service (one that SiteLock lies about who actually is behind). Making a claim that the website is at risk and then not providing the details doesn’t exactly make this or SiteLock seem like they are legitimate.
For someone else that contacted us, they were given some information on what was supposed to be the cause of their website being at “high risk”, but it was clearly wrong. They were told the issue was that their WordPress installation and plugins were out of date. The problem with that was that SiteLock was claiming they were using WordPress 4.7.2, which would be out of date, when they were running WordPress 4.8.2, which isn’t out of date. When they brought that up with SiteLock representative they were told that this most recent data they had. Considering this is supposed to be done weekly that seems odd considering that usually minor WordPress updates happen automatically and WordPress 4.7.3 was released in March, so that would seem likely to be a rather old result (if it was even a result for this website). Curiously with another website where they have a SiteLock service the score “is always good”.
What we also found interesting was what is written on the page that those emails link to find out more information on these emails.
One of things that we noticed on that page is that there scores don’t consider that a website could be less likely to be compromised than the average website:
Low Risk Score — Your website is as likely or 1x more likely, to be compromised than the average website based on complexity, composition and popularity.
That doesn’t make sense as for there to be an average when it comes to likelihood of compromise, it would follow that there would be some that were less likely as well as those that were more likely.
The other scores also don’t make sense as the “medium risk” is supposed to involve websites that are “6x more likely to be compromised” and the “high risk” is supposed to involve “12x more likely to be compromised”. How is possible that all websites would be 1x, 6x, or 12x more as likely to be comprised than the average website. Surely there would be ones that would fall between and below those if this was legitimate, which it doesn’t seem to be.
Another element that seems off in this whole thing is that these scores are supposed to involve “over 500 variables”, but based on the following question and answer state it also doesn’t consider security solutions being used:
Q: How can my website be High Risk if I’m using SiteLock?
A: This is because your risk score and security solutions are independent of one another. Typically, the more complex and feature-rich a website is, the higher the risk score will be. Knowing your risk score can help you take the appropriate proactive measure to securing your site.
You really have to wonder what variables, if any, are actually supposed to be used to come up with the score.
Ignoring the SiteLock Platform Digest
The best advice we can give in general is to ignore the results of this report since everything we have seen so far makes it seem the intent of it is to scare you in to purchasing SiteLock security services and not to provide you any useful information.
When it comes to SiteLock services that are supposed to protect your website we have yet to see them provide any evidence, much less any based from independent testing, that they actually are effective (that is equally true for other providers). So buying services based of this report of that score is unlikely to provide you much, if any, protection. You are much better off making sure you are doing the basics that will actually help to protect your website.
It also important to note that even SiteLock isn’t claiming that the score or their count of issues is actually an indication that the website has been hacked, as some people that have contacted us have believed.