SiteLock Admits To the Meaningless of Website Attacks Stat, While Still Promoting It

Recently we have put forward the idea that a way to better understand the poor state of the security industry is to think of it as the “insecurity industry”, as much of the industry is not interested in actually securing websites, but instead on selling people on the idea that they should be buying expensive security services without an expectation that they will actually provide effective protection. One company that really exemplifies that is SiteLock. Just a couple of weeks ago we discussed how they promote their service in way that indicates that it doesn’t actual protect websites, as they portray that instead of keeping websites from being hacked they provide incomparable security by being better able to deal with the after effects of leaving websites vulnerable to being hacked (though they didn’t provide any evidence they are even good at what they claim to be able to do).

One of things we mentioned previously as part of what defines the “insecurity industry” is selling people on the idea that websites are under constant attack. That is something that SiteLock frequently brings up. For example, in a press release from March 12 they claimed:

The average website is attacked 59 times per day, which is up a staggering 168 percent from the previous year.

If you think about for a second though, that doesn’t sound like a meaningful statistic since the average website isn’t being hacked 59 times a day or even once a day.

A couple weeks after that press release, SiteLock had a bit of a problem as their latest claimed stats indicated that attacks were down:

Websites experienced 44 attacks per day on average in Q4 2017, a 25 percent decrease from the previous quarter.

Part of the way they tried to downplay that was to extrapolate out that number over a year (despite knowing that the number is variable):

Despite this decrease, a single website can still experience 16,000 attacks in one year alone.

As far as we are aware the average website isn’t being hacked once a year even, so once again the stat is rather meaningless.

Next up they downplayed it by saying the number of attacks isn’t actually meaningful:

“A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite,” says Neill Feather, president of SiteLock. “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.”

So if attacks are up you should be concerned, if attacks are down you should be even more concerned, it is almost like the number of attacks isn’t meaningful at all.

That claim sticks out considering that they are still make a big deal of the number of attacks. They even created a graphic in that very post highlighting the number of attacks:

What would be a relevant stat would be how many successful attacks there are. The quote from the President of SiteLock indicates they would know that, “our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks”. We doubt they actually do, but assuming they did, telling people the truth, which is that the successful attacks are very uncommon, would get in the way of scaring people. So how uncommon? From everything we have seen we are talking about an incredible small fraction of one percent of attacks that are successful.

Another part of the about the quote from the President of the company that sticks out to us is “businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur”. This gets to the idea of the “insecurity industry” because the expectation that even though you have the “right technology” (that is paying SiteLock or somebody else for a protection service) you should be assuming you are going to get hacked anyway. The reality though is that if you do the basics of security you can prevent most hacks (even ones that advanced security products fail to protect against). In some cases though doing the basics won’t protect websites from hacks in part due to things that SiteLock and other security companies are doing that they shouldn’t and thing they are not doing, but should be doing (like failing to determine how websites they are cleaning up have been hacked).

Part of the next paragraph after his quote is in line with selling insecurity as security:

Additionally, a website scanner can find malware on your site, helping to mitigate threats in real time.

If you are finding malware on a website you are past the threat stage and have already been exploited. Unless a malware scanner is running constantly, it is likely wouldn’t help in realtime and we haven’t seen any evidence that any malware scanner is all that effective at detecting malware (SiteLock has promoted theirs with bogus independent testing). Selling people that detecting malware on a website isn’t an indication that a security product failed, but it is working, is exactly is exactly what the “insecurity industry” is.

Beyond scaring people, another reason why a company would put out stats like this is to get press coverage, since journalists will run with this type of thing even if the data is of questionable value (we have seen plenty of instances where security journalist have run with wholly false claims, including from SiteLock). You might think that a journalist might notice that SiteLock is even saying the stat isn’t meaningful here and not run with it in this instance, but that didn’t happen. Among them, the Washington Post ran with it with the headline “A typical small business website is attacked 44 times a day” and Tech Republic “The average SMB website is attacked 44 times per day”.

This Looks Like It Might Be Another Instance of SiteLock Partnered EIG’s Apparent Security Issue

A week and half ago we discussed a situation where there looked to be at least a hacker specifically targeting websites hosted with web hosting company EIG, which does business under the brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The more concerning possibility is that the hacker wasn’t just targeting websites hosted with EIG but taking advantage of some security issue within their systems to breach the websites. Due to their relationship with a web security company, SiteLock, they don’t seem to have an interested in investigating this type of situation (and neither does SiteLock).

That wasn’t the first time we had run across the possibility of such a situation occurring with EIG, back in July of last year we discussed another instance, but in that case we were not brought in to clean up any websites targeted, so we had a very limited ability to assess what was going on.

We have now run across yet another instance that lines up with the others.

We were contacted about a hacked website after the person handling a replacement of that website was in contact with SiteLock (due to the website being hosted with HostGator) and then they found our blog posts about SiteLock.

What they had been told by SiteLock was the same kind of stuff we hear a lot. That included that they were told that if the website was cleaned up of the “malware”, but not protected by SiteLock going forward, it would just get infected again. Because the website was for a church, the SiteLock representative said they could provide a discounted rate of $400-600 a year (which doesn’t seem to actually be a discounted rate). Instead they hired us to clean it up for a lot less than that.

What we knew before we started working on the cleanup was that the main website in the account was serving up Japanese language spam when crawled by Google and other search engines, which lead to the search results for the website to also show that. That website was running Joomla 1.5, which was EOL’d in September 2012. There was a recently set up WordPress installation, which was being prepared to replace that website, and that website was not serving that spam content to search engines.

What would seem to be the obvious security concern there would be the Joomla installation, since it is using software that hasn’t been supported in 5 and half years. We haven’t seen evidence that Joomla installations of that vintage are currently exploitable in some mass fashion, so that seemed less likely to us. There was also the possibility of an extension installed in the Joomla installation being a security concern since those would be equally out of date.

The code causing the Japanese language spam wasn’t hard to find, it was obfuscated code added to the top of the index.php file in the root directory of the Joomla installation, which is also the root directory of the website. The last modified date for that file was years ago, which probably meant the hacker had changed it to hide that they had modified the file (which is very common).

As we started more thoroughly reviewing the files to look for any other malicious code on the website, the only place we found them was in multiple files that were located in a directory for a plugin, /wp-content/plugins/html404/, in another WordPress installation on the website. That additional WordPress installation hadn’t been mentioned to us.

That plugin contained files from version 2.5.6 of the plugin Akismet as well as files with malicious code in them. Those files were named:

  • 404.php
  • idx.php
  • jembud.php
  • wso25.php
  • xccc.php

That WordPress installation was running WordPress 4.7.9, which is an outdated major version, but should be secure due to WordPress releasing security updates for older major versions. The website was using a customized version of a popular theme and only one other plugin installed, neither of those things look like a likely source of a security issue.

In looking over the WordPress accounts for that website we found that the first account, which normally be the one created when WordPress was installed was named “html404”, which considering it matched the name of plugin’s directory, seemed like it was probably changed by a hacker (likely with the password also being changed).

In the looking at the session_tokens for that user in the wp_usermeta table of the database for that WordPress installation we could see that at nearly the same time that plugin’s files were listed as last being modified on January 25 someone had logged in to that account from an IP address in Indonesia (which isn’t where the website is located).

A non malicious file in the root directory of the website connected with the code added to the index.php file was also listed as last being modified at the same time, so it looks like the breach of the WordPress installation lead to the Joomla website being modified.

Because the web host for the website, HostGator, did not have any log archiving enabled we could only see the HTTP logging from the day we were cleaning up the hack limiting what we could gleam from that. The FTP logging didn’t show any access that shouldn’t have happened.

Looking around for any other mentions of this that might allow us to give the client better information on what could allowed what had occurred to happen, we came across a thread on the website for WordPress with other people that had been impacted. That provided further confirmation of what we had been piecing together, but nothing that shed any light on the cause.

At that point the possibility that this could be another example of whatever security issue might be going on at EIG was at top of mind. Since a hacker with either direct access to the databases on the server or access to files on it, which would give access to the configuration files with database credentials in them need to access the databases, could change a WordPress username/password like this. There was no direct mention of what web hosts the websites mentioned in that thread were using, but one of the participants username pointed to the website impacted and the website was hosted with Bluehost, another EIG brand.

In the previous instances where we found an EIG connection there was a defacement involved that had showed up on the website Zone-H. That allowed us to easily check over numerous websites to see what the host were. That isn’t the case with this hack, but we did check over a number of websites we could find that were involved and what we found was they all were hosted with EIG brands. Here are the IP addresses along with the EIG brands of websites we found reference to being impacted:

While the sample set we have is smaller in the previous instances the chances that all of the website we checked would all happen to be at one hosting company is not what you would expect if the hacking was caused by something unrelated to the web host. At best it looks like we have now run across multiple hackers that look like they are only targeting this one company, but what seems to be a reasonable possibility is that there is a security issue in EIG systems that is allow hackers to exploit them.

Several of those are from the same IP address, which would likely mean they are on the same server.

SiteLock’s Idea of Protection Doesn’t Seem to Involve Real Protection

Considering that EIG brands heavily push people to hire SiteLock to clean up websites, it seem incredibly hard to believe that SiteLock could have missed what we have picked by just dealing with a couple of websites, if they were properly dealing with hacked websites. But from what we know they don’t usually properly clean up hacked websites. Instead of doing proper cleanups they sell people on services that claim to protect websites, as what was attempted to be sold in this instance, that don’t even attempt to do that.

If you are not determining how websites are being hacked, it would be difficult to be able to protect them. If there is an issue with EIG’s system, it would unlikely that such a service could protect against it, so spotting that type of situation would be really important.

SiteLock’s lack of interest in true protection is even worse in the light of the fact that SiteLock has “partnered” with a web host that seems at best uninterested that hackers are specifically targeting their customers or worse, their customers are getting hacked due to a security issue in the web host’s systems. But it gets even worse, when you know that while the relationship between EIG and SiteLock is promoted as partnership, the reality is that the two companies are very closely connected then they let on publicly. The majority owners of SiteLock also are the CEO and board member of EIG, which neither side mentions publicly. So you have the owners of a security company that seems to be uninterested in security of websites it is supposed to be protecting also looking to be leaving websites they host insecure. On top of that both sides would profit from this insecurity as EIG disclosed that they get 55% of revenue for SiteLock services sold through their partnership, so both companies have a financial incentive to not find and fix something like this as long as their customers doesn’t become aware of what is going on and leave in mass. That seems like a good argument for keeping security companies and web hosts at arm’s length (maybe not surprisingly with the other instance of a security company closely tied with a web host the security company doesn’t seem to be interested in security either).

Wordfence Has Missed This As Well

SiteLock isn’t the only security company that seems to not be on the ball here. In the previously mentioned thread on the WordPress website one of the participants mentioned they were going to have the security company Wordfence “perform a comprehensive security review and if necessary, final clean-up” after being impacted by this. In the follow up there is no mention at all of Wordfence having made any attempt to determine how this occurred, just that “I am happy to report that the Wordfence security analyst found no evidence of malware on the website.”. Considering that trying to determine how a website was hacked is one of three basic parts of a cleanup, it seems a bit odd that there wouldn’t be a mention of Wordfence not figuring out the source if Wordfence had done things right and mentioned that they were unable to determine the source of the hack

The follow up response to that was from a Wordfence employee, who instead of being concerned about the source of hack being a mystery, just promotes a post on the Wordfence website that wouldn’t have any impact on resolving the underlying cause of these hacks. So it would seem they are unconcerned about this as well.

SiteLock Makes Up List of Hackable Websites While Ignoring Real Issue They Don’t Deal With

We frequently have people contacting us looking for advice after they have been in contact with the web security company SiteLock. A lot of the claims made by SiteLock that are relayed to us are untrue, which isn’t surprising considering everything we have seen and heard about that company. One of these claims that was passed along to us recently seems like something worth making a note of because it deals with how SiteLock sells people on the need for their protection services, while actually leaving websites vulnerable.

The owner of a website was told that while the hack of their website didn’t have much impact, the website would now be on a list of hackable websites and the original hackers or “worse” would return to more damage than the simple defacement that was done. The SiteLock representative was suggesting purchasing a $50 a month protection plan to protect against those future hackers.

We have never heard of a list of hackable websites and it doesn’t really make sense that a hacker would do a visible hack, which is what a defacement hack involves, and then come back and do something worse in the future. This would be like a bank robber breaking in to a bank vault and spray painting that they broke in, but not taking any money, but planning to come back and do that at a later date. That analogy sounds more like something a villain in a comic, movie, or TV show might do.

The reality though is that for a website to be hacked something has to have gone wrong. If you don’t fix that vulnerability then the hacker or another hacker could exploit the vulnerability again in the future. The solution to that is to figure out what that was and fix it as part of a proper hack cleanup. As we were just mentioning the other day though, SiteLock touts that they don’t do that, instead simply using automated tools to try to remove malicious code on the website, leaving the website vulnerable to being hacked again and again.

It also follows that SiteLock protection service wouldn’t provide good protection since they don’t know how websites are being hacked. Not surprisingly SiteLock doesn’t present evidence, much less evidence from independent testing, that their services are actually effective at protecting websites.

What seems to be the explanation for this is that SiteLock’s business model is built around getting reoccurring fees from people without having to do much for it. Properly cleaning up hacked websites would require having skilled people, which would cost serious money, and would only bring in money once. While selling people security services that are not expected to work that well, since there isn’t an expectation that websites can actually be secure, doesn’t require competent people. If you can get people to believe that websites just get hacked, as opposed to something going wrong that can be prevented, then it makes it easier to sell them a nebulous protection service.

If your website has been hacked you want to make sure to get it properly cleaned up, which involves removing anything the hacker added to the website, securing the website (which usually involves upgrading the software on it), and trying to determine how the website was hacked and fixing that. Many companies, including SiteLock, cut corners. So simply going with a well known company doesn’t mean that you are going to get a good result, in fact what we have seen is that the biggest names are usually very bad at security (lying about things has been effective method to make security companies popular, but it doesn’t help to make them good at security).

SiteLock’s Idea of Website Security Doesn’t Seem Too Focused on Actually Securing Websites

Recently, while searching for some information about another security company an ad for SiteLock also showed up in the search results:

The page linked to in the ad seems worth discussing as to what it says about the SiteLock’s view of website security (which is line with plenty of other companies as well), but the ad itself had a number of claims that stood out to us as well.

For example, based on everything we have seen SiteLock charges incredibly high prices (and not all in line with level of service you are getting), so the idea you are getting the “lowest price” seems laughable.

It also claims that you can “Switch to SiteLock for Free.”, which seems meaningless, as unless some other service charges you an extra fee if you previously used another service, there wouldn’t be a fee for switching. If you click the ad the only thing listed as being free is getting a quote (would someone else charge for a quote?).

The claims about “Ditch the Weak Security” and “the only fully automated website security” touch on what is seen on the page you are taken to when clicking the ad:

In that SiteLock claims there is no comparison between them and others when it comes to website security:

When it comes to comprehensive, automated website security, there is no comparison.

But in looking at the things they are comparing it shows they are not really all that focused on actually securing websites:

  • COMPLETE WEBSITE MALWARE DETECTION
  • AUTOMATED MALWARE REMOVAL
  • DOESN’T SLOW WEBSITE PERFORMANCE

If a website is secured there wouldn’t be any malware to be detected or removed in the first place. As we were just discussing yesterday with a real world example involving another well known security company, automated attempts to do both of those things don’t look to work very well either.

The details of those things being compared are either missing any evidence for claims as to SiteLock’s superiority (which seems like a basic and important part of a comparison) or don’t make sense.

For the first item they claim to “find more vulnerabilities, malware infections and other security issues” than anyone else:

SiteLock checks websites from the inside out and the outside in to find more vulnerabilities, malware infections and other security issues.

But no evidence is provided to back that up.

When it comes to vulnerabilities, in the past we have written about how we couldn’t find evidence that they vulnerability scanner was actually detecting vulnerabilities, much less more of them than anyone else. We later found that their vulnerability scanning looks to be at least, maybe only, running a tool called Nessus over websites, which causes some serious problems.

Next up is the claim about their malware removals:

SiteLock offers the only website security solution that automatically removes most malware. In instances when our software can’t eliminate an infection, our security team is automatically alerted to manually remove the malware.

There are a couple of obvious issues with that. First, they are not the only ones with automated malware removal. Second, when cleaning up a hack you don’t want to just remove it, as that alone does nothing to fix the vulnerability that allowed it to happen in the first place. So they are promoting that they improperly clean up websites, while making it sound like a good thing.

The final one doesn’t really make sense. They claim this about their service:

SiteLock scans are cloud-based, which means we do not slow down the customer’s website when we check for malware, vulnerabilities and other website security issues.

They claim this about their competitors:

The competition’s scans run on their customer’s website servers, consuming valuable resources that slow website performance.

But prior to that they claimed this about their competitors:

The competition typically only checks websites from the outside in, thus missing many potential security issues.

It doesn’t make sense that the competitors are checking “websites from the outside in”, but that their “scans run on their customer’s website servers”. In any case SiteLock is clearly going to use some resources to scan the websites, since they have to access them somehow to do that checking.

12M+ Customers

The claim on the page that “12M+ customers trust SiteLock to protect their website” is something we should take up more in detail sometime, as it is great example of SiteLock’s ridiculous claims. But a quick example of why that is ridiculous is that 6 million of that customer count come from their purchase of a company named Patchman. That company provides a service for web hosts that would patch some security vulnerabilities in some software used on their customers websites. That company doesn’t have 6 million customers, instead that is a claimed count all of the customers of the web host they do business with had. So half of SiteLock’s customers count are not necessarily even aware of the service being provided, much less to trust it to protect them. It also would provide limited protection since it only deals with some security issues and in the case of WordPress, the developers of WordPress already release security updates for older versions, so the service duplicates protection already provided.

Securing Your Website

If your website hasn’t been hacked what you should focus on is making sure you are doing the basics of security since those will actually help protect your website. If you are looking for a security service in addition to that, we would recommend you only use one that provides evidence from independent testing that they are effective at doing that. We should note that we have yet to see a company that provides that (or even presents evidence from non-independent testing to that effect).

If your website has been hacked you want to make sure to get it properly cleaned up, which involves removing anything the hacker added to the website, securing the website (which usually involves upgrading the software on it), and trying to determine how the website was hacked and fixing that. Many companies, including SiteLock, cut corners, as can be seen SiteLock by touting that they don’t do things properly. So simply going with a well known company doesn’t mean that you are going to get a good result, in fact what we have seen is that the biggest names are usually very bad at security (lying about things has been effective method to make security companies popular, but it doesn’t help to make them good at security).

Is SiteLock Making Websites Less Secure?

Recently we have run across evidence that SiteLock and their owners might actually be making websites less secure. While cleaning up a hacked website last week we noticed that at of one of SiteLock’s hosting partners, the Endurance International Group (which does business through brands A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others), a hacker has at least been targeting websites hosted by them or more concerning, the hacker isn’t so much as targeting websites hosted by them, but taking advantage of security issue with Endurance to gain access to their customer’s websites. You would think a web host would be interested in looking into something like that, but instead when contacted about hacked websites they just push people to hire SiteLock to clean up the websites, which does nothing to deal with the source of the hackings. Part of the reason for them doing that is that the Endurance gets the majority of the revenue for SiteLock services sold through their partnership, so they have a financial interest not to make their hosting as secure as possible. Another reason for pushing SiteLock is that the majority owners of SiteLock also run Endurance.

The very real possibility that the owners of a security company are also run a web hosts that is the cause of their customers being hacked is on the one hand kind of stunning, on the other hand it is in line with what we have come to expect when it comes to the handling of the security of websites.

Hacker Behind Recent Hack of Numerous EIG Hosted Websites Claimed They Had Full Access to One of EIG’s Servers Last Year

Last Thursday we mentioned how we had come across a hacker that had recently hacked numerous websites hosted with various Endurance International Group (EIG) brands. EIG does business through brands A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. That the hacker was only hitting websites hosted with those brands stood out, since, if say, a hacker was exploiting a vulnerability in a WordPress plugin to gain access to them you would expect to see numerous different web hosts being represented.

At the least, that seems to indicate that the hacker is targeting website hosted with EIG brands, which is possible explanation of that situation. What would seem more likely though is that the hacker is gaining access to some part of EIG’s systems allowing them access to all of the websites on a server. Considering the hacker was hitting numerous website sharing the same IP address, which would likely indicate they are on the same server, that seemed like a reasonable possibility.

Proving that EIG systems are being exploited would be difficult without information they only have access to. Our past experience is that web hosts are rarely even willing to consider that they have been breached, much less admit that it has happened. As we mentioned in the previous post, things are worse with EIG, since they are run by the majority owners of a security company SiteLock and EIG gets a cut of security services sold by SiteLock to their customers. That creates an incentive not to provide their customers the best possible security and what we have heard is when contacted about a hacked websites that they just try to push their customers to SiteLock instead of doing any checking into the situation (that includes someone that contacted us last week that has the been hit as part of this hack).

While doing some more searching around on the message left in one of the files we found on a website hit by the hacker (that is also on the other websites being hit), “Hacked By Isal Dot ID”, we found that a year ago the hacker was claiming to have full access to a server that a website had hacked was on.

At the time of the hack that website was hosted on the IP address 192.185.142.185. The listed ISP of that IP address is Websitewelcome.com, which is HostGator.

(The website is now hosted on the IP address 74.220.219.116. The listed ISP of that IP address is Unified Layer, which is Bluehost.)

While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end. This seems like something they should be addressing. If you have been hit by this hacker and have gotten a response related to that instead of just being pushed to hire SiteLock please get in touch with us or leave a comment on this post.

SiteLock’s Vague Emails About Vulnerabilities Being Detected Don’t Indicate That Websites Have Been Hacked

We are always happy to provide a free second opinion if the web security company SiteLock or their web host partners are claiming that a website contains malware or is otherwise hacked, as we don’t want people pushed in to purchasing unneeded security services on the basis of their all to frequent false claims. In addition to people contacting us in that situation, we have a lot of people contacting us looking for that second opinion on whether their website is hacked in situations where there hasn’t actually been a claim that the website has been hacked. One situation we have seen that has come up fairly regularly is with vague claims that websites contain a vulnerability. A recent example of a form email they are sending out for that is the following:

Because website security is important, your hosting provider has provided you with a complimentary scanner from SiteLock that proactively checks for malicious threats and vulnerabilities. This scan regularly reviews your website plugins, themes and content management system (CMS) for potential vulnerabilities.

During a recent scan, a vulnerability was detected on your website.

For details on the findings, including the location of the vulnerability and remediation options, please contact SiteLock today. We would be happy to walk you through your dashboard and talk to you about next steps. Our security consultants are available 24/7 to answer your questions.

Call 844-303-1509 or email support@sitelock.com

There is good reason to believe that has no basis, considering the lack of any details, as well as things like us last August running across someone that had received a similar email for a hosting account that hadn’t existed for months and in June of last year running across SiteLock continuing to falsely claim that websites using WordPress contained vulnerabilities that had been fixed in earlier versions of WordPress than were in use on the websites, despite SiteLock being aware they were spreading false information.

You could probably safely ignore these messages, but if you want extra assurance you could contact SiteLock and ask for evidence of their claim (though we have heard in the past that they wouldn’t provide that) or check to make sure you are doing the important things to keep your website secure, like keeping your software up to date. While we don’t recommend it, we also offer a security review to check over things like if software you are using is known to be insecure.

Hacker Targeting Websites Hosted With SiteLock Partnered HostGator and Other Endurance International Group (EIG) Brands

Recently we have been thinking that a way to help people to better understand why security is in such bad shape despite the amount of money spent on it, is to say to think of the security industry not as that, but as the “insecurity industry”. As security companies are not focused on improving security, but instead of making people believe that insecurity is inevitable and that they can provide protection, but not to the extent that people actually expect those companies to keep them things secure. A prime example of a company that would fit that description is SiteLock, which is a company that comes up often on our blog when it comes to bad practices of the security industry. The other day we had someone forward several messages they had received recently from them and part of one of those stood out:

Malware is a real problem that affects a lot of websites. It’s as prevalent as the common cold and can do some real damage if you don’t catch and treat it early.

So how will you know if your website gets infected with malware?

To help protect your website, your hosting provider has partnered with SiteLock to provide your website with a complimentary malware scanner. Every day this nifty little tool checks the first five pages of your website for malware, and sends you an alert if any is found.

Their idea of protecting websites isn’t making sure that websites are actually secure, which would prevent them from being infected with malware or otherwise hacked, but instead trying to detect the website is infected after being hacked and then offering services that still don’t secure the website. That is great way for them to make money, but it isn’t great for everyone else since websites can continually be hacked.

As that email indicates they are not alone in that, web hosts have partnered with them. Why would a web host partner with a company that isn’t focused on making sure their customers’ websites are secure? Well when it comes to what seems to be SiteLock’s biggest hosting partner, the Endurance International Group (EIG), a partial explanation is that the majority owners of SiteLock also run EIG. EIG also disclosed to investors at one time that they receive 55% of the revenue of services sold through their partnership. That creates a strong incentive for EIG to not provide the best security possible as that would mean less money for them and less money being made by another company owned by the people running EIG. It might explain, for example, why in the past we found that EIG was distributing known insecure versions of web software to their customers through one of the companies they own, MOJO Marketplace.

Over the years EIG has brought together numerous web hosting brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The situation with a website hosted with HostGator that we cleaned up a hack on yesterday seems to be an example of where those incentives might have created a situation that doesn’t serve their customers well.

The website was hacked in way that it would serve spam pages with Japanese text to Google’s search crawler.

While you wouldn’t know it from many companies that cut corners when doing hack cleanups, one of the three basic steps in properly cleaning up a hacked website is to try to determine how it was hacked. With this website the files involved in the hack didn’t really seem to shed any light on that. The main piece of this hack involved code added to the index.php file of a WordPress installation that caused the code in a file at wp-confing.php to run, which would cause that code to run whenever the frontend of the website is accessed. That filename is similar to a legitimate WordPress file in the same directory, wp-config.php, which could indicate that the hacker has some knowledge of WordPress, but considering how popular it is, it doesn’t seem to be a good indication that the hack was anything WordPress related (we also didn’t find anything that was known to be insecure in the WordPress installation).

The hacker had also added the website to a Google Search Console account with the email address “xueqilve@gmail.com” and submitted a sitemap to get the spam pages added to Google’s index.

It looked like the malicious code causing the issue had been added a few days ago (though another file might have been there since November), so there still should have been logging available from when that occurred that would shed more light on the source of that. Unfortunately HostGator hadn’t had log archiving enabled by default in the website’s cPanel control panel, so we only had access to logging for the current day. That fact alone probably should tell you that the company doesn’t have much concern about security and it would be strange to not have that on if they had a legitimate partnership with a security company since that would be an obvious thing to do because of its importance for dealing with hacked websites.

As we have found though, SiteLock usually doesn’t attempt to determine how a website was hacked, so they wouldn’t have a need for that logging. Considering that they don’t usually do that, it makes it not all that surprising that services they offer to protect website don’t work well, since they don’t know how websites are actually being hacked.

We did have one last lead to follow in trying to get some idea of how the website was hacked. In the root directory of the website there was a file named bray.php that contained the following message:

Hacked By Isal Dot ID

Through the website Zone-H, which catalogs defaced websites, we could see that same file had been placed on numerous websites recently. In looking over a number of those websites what stood out was that they all were hosted with HostGator or other EIG brands. Here are examples of websites hit at several nearly sequential IP address registered to HostGator:

If a hacker was hacking websites through a vulnerability in a WordPress plugin for example, that isn’t what you would expect to see, instead you should see websites hosted with numerous different web hosts.

At best you have a situation where a hacker looks to be specifically targeting numerous websites at EIG brands. There is also the possibility they are taking advantage of some security issue on EIG’s end to hack the websites.

Even if they are just targeting website hosted with EIG brands that seems like something that the hosting company would want to investigate and try to prevent as much as possible. That doesn’t seem to be the case here because later yesterday we were contacted by someone else with the exact same hack. They said HostGator has only been interested in pushing SiteLock. When you understand the incentives involved, it really isn’t surprising that is happening.

Update March 19, 2018: We have now come across a article from year ago in which the hacker behind this, claimed to have had full access to a server that contained another website they had hacked. That website was hosted with HostGator at the time (and Bluehost now). While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end

Bluehost Still Trying To Sell Unneeded SiteLock Security Services Based on Phishing Emails

Back in August we discussed a situation where the web host Bluehost had tried to sell one of their customers a $1,200 a year SiteLock security service based on the customer having received a phishing email that was supposed to have come from Bluehost. It obviously didn’t paint too good a picture of Bluehost, as despite it seeming that these phishing emails were rather common, they didn’t even do any basic checking on the claimed situation in the phishing email before trying to sell someone on an expensive security service that didn’t even have seem to have a connection to the issue mentioned in the email.

Fast forward to this month and it is still happening. We recently had someone contact us a looking for advice after having gotten an email they thought was from Bluehost about malware on their website and then when they contacted the real Bluehost, it was recommended that they spend $49 a month on a SiteLock service that was supposed to fix that. Before we even looked at the email that was supposed to have come from Bluehost, things seemed off since the person that contacted us said that the whole account had been disabled, but in our experience Bluehost only shuts off access to the websites, not other forms of access to the account. That seems like something a Bluehost employee should have also been aware of.

Looking at the email (shown below) we could see it was a phishing email as one of the links in it was to the website my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru instead of my.bluehost.com.

Your account has been temporarily deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples:

/domain/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected

/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/s
ession.php

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Remove all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you are already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

That all seems like a good reason to not use Bluehost. As for SiteLock it isn’t like they are an innocent victim in this, as the majority owners of SiteLock also run the Endurance International Group (EIG), which is the parent company of Bluehost and numerous other web hosts. SiteLock also pays a majority of the their inflated prices to web hosts, which certainly could create an incentive to sell unneeded services.

This is also a good example of why anyone contacted by SiteLock or one of their web hosting partners about supposed malware issue or other type of hack of their website should get a second opinion from another security company (something we provide for free and we hope that other companies would as well), since we were able to quickly identify what was going on and let this person know as well and saved them a lot money.

SiteLock’s SMART Scan Failed To Deal with Issue Causing Cross-Site Browser Warning

One of the problems we have seen with the web security company SiteLock is that they label all sorts of things as being malware, making it hard for anyone else to determine what they might be referring to and therefore if the claim is valid. Sometimes their claims seem absurd, like the time they claimed a link to a non-existent domain name in a comment on a blog post was “critical” severity malware.

That type of issue could be an indication that their tools are overly sensitive or that they produce poor results. Something we just helped someone deal with reiterates what we have seen in the past,which is that it looks like the issue is the later.

We were contacted by someone for whom their website was being reported by the Chrome web browser as being dangerous and SiteLock’s  SMART (Secure Malware Automatic Removal Tool) Scan had been unable to fix the issue for them. They were looking for  quote from us to clean up the website.

When visiting the website in the Chrome web browser the following warning was being shown:

 

We have blacked out the domain listed, but the domain was the most important thing in the message because it wasn’t the domain of the website we were contacted about. Instead Google was warning about content from another website that was being served on this website, which is referred to as a cross-site warning.

In looking at the homepage’s content we found that the only content being loaded from that domain name was an image. When that image was removed the warning also went away.

That was easy for us to spot, but it was something that SiteLock’s tool wasn’t able to detect, while at the same time the tool flagged other things it seems like it shouldn’t.

This situation also shows why it is a good idea to come to us if you think you have a hacked website, because the first thing we do is to make sure the website is actually hacked and then we provide a free consultation on how best to deal with the issue. In this case that meant it didn’t cost this person anything more than whatever they had already paid SiteLock, to get this resolved. As once we saw what the issue was, we could tell them they simply needed to remove the image being loaded from that other website to resolve this.

SiteLock Using Trustpilot to Try to Deceive Public as to How SiteLock’s Customers Really Feel About Them

We frequently deal with people that come to us looking for help after having an interaction with the web security company SiteLock or their web hosting partners. To be able to better understand what is going on with their sitaution, we occasionally check up on various websites where people leave reviews of SiteLock as that helps us to keep up with the various shady stuff that SiteLock is up to.

Earlier this year we noticed that there started to be a massive influx of positive of reviews for SiteLock on one of those website, Trustpilot. That seemed unnatural as we continued to hear from people that were describing situations that have lead to scams to be a commonly associated word with SiteLock at the same rate:

It also was out of line with the amount of and view being expressed in reviews we saw being left at other websites.

The other thing that stood out was that most of the reviews seemed to be people who were describing just interacting with SiteLock, which could have explained some of why they had positive comments about them as many of the problems are only realized later.

One of the recent reviews seems to explain at least some that, as the review starts:

I prefer to leave a review when I am ready but SiteLock insisted so here is my experience thus far.

The rest of the review is rather detailed, so that claim seems unlikely to be made up:

I became a customer after being hit by defacement hackers. They were able to get my site back up after a few hours. Their customer service is good in the sense that they walked me through their portal and call me to provide updates.

At present I feel like they are trying to get more money out of me after I have already paid quite a bit. They want me to pay an additional monthly fee per site to upgrade my firewall once I get a new SSL certificate due to Google’s new requirements.

As having compatible firewalls with Google’s SSL certificate is a requirement now, I feel it should be part of the basic package and I should NOT have to pay more to get a firewall that is compatible. If a firewall isn’t compatible and will shut my site down, what am I paying for? Why even bother selling something that doesn’t work? The basics should be enough to keep my site functional! I shouldn’t have to pay additional just to get a firewall that will keep my site functional.

The claim of insisting that people leave a review is out of line with what Trustpilot believes about SiteLock’s involvement with that website:

What we also recently noticed is that SiteLock is trying to get some of the negative reviews removed. For example, as of few days ago one of the reviews was hidden with a message that SiteLock had reported the review for “for breach of Trustpilot guidelines”:

That review is now visible with an indication that review relates to a verified order (it is the only review on the first page of results that has that designation), which according to Trustpilot indicates that the reviewer “has sent documentation to Trustpilot showing an experience with SiteLock”:

So what did SiteLock not want people to see? Well this:

This service is totally a waste of time …

This service is totally a waste of time and money. Once they have you locked in to their contact that’s the last you will ever hear from them. Do yourself a favor and hang up when they call. Not much more than a scam business in my opinion!

Some of the other recent reviews that SiteLock doesn’t appeared to have tried to take down seem equally bad to us, but maybe the accurate reference to them scamming people is what made the difference here.

SiteLock Claims Are Not Always False

While SiteLock has well earned poor reputation that doesn’t mean that if they or one their partnered web host with a claim that your website is infected with malware or is otherwise hacked that isn’t true, as we have seen many people incorrectly assume. What we would recommend you do in that situation is to get a second opinion as to the whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free and we would hope that others would as well.