SiteLock and Sucuri Inaccurately Portray Hidden Spammy Content on Website as Malware

We frequently have people contacting us for a second opinion on claims from the security company SiteLock that their websites have been hacked. To be able to provide that we ask for the evidence being presented by SiteLock to back that claim up. An important reason for doing that is that SiteLock appears to refer to anything they detect as possibly being an indication of a hack as malware, even if it isn’t malware.

Malware is short for malicious software and can accurately refer to one of two things when it comes to websites. The first being malicious code being served from a website and the second being malicious code located in a website’s files or database.

One reason why they might refer to any indication of a hack as being malware is to make the issue sound more serious than it really is and make you more likely to pay them for some security service. As an example of that, in one instance where we were contacted about a claim of theirs, what they were claiming was “critical” severity malware was just a link to another website. What was even supposed a problem with the link, which was included with a comment on a blog post, wasn’t clear since the domain name of the website being linked wasn’t registered anymore, but saying there is an issue with a link would sound a lot less concerning than “malware”.

Someone that they recently contacted with a claim that their website contained malware, had also been told by the SiteLock representative that called them that Google would “shut down” their website due to the issue. In reality Google doesn’t shut down websites and since the issue wasn’t actually malware they wouldn’t even block access to the website if they had detected the issue.

That person had then run the website through the Sucuri SiteCheck scanner, which also claimed the website contained malware. Sucuri also goes the over top in making issues seem as bad as possible to sell their service:

The small text there states:

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

What they actual identified there is what we would describe as hidden spammy content, which is a less serious issue than malware. It also didn’t contain any code, JavaScript or otherwise, despite Sucuri labeling it as “Known javascript malware” and stating that “Malicious Code Detected”.

While Google might penalize a website for that hidden spammy content like that, it isn’t going to do any harm to people visiting the website.

If you visit the link they provide for the details of that type of issue, http://labs.sucuri.net/db/malware/spam-seo.hidden_content?24, the description doesn’t mention “malware”, but does mention “hiding spammy content”:

Hiding spammy content (links, spammy texts, etc) on legitimate web pages is a common black hat SEO trick. It helps use existing site pages in black hat SEO schemes while keeping it invisible to site visitors and webmaster.

There are many techniques that help hide certain parts of a web pages. Most of them include either CSS or JavaScript. The simples is placing spammy content inside a div tag with the display:none; style.

Another interesting similarity between those two companies, which seems like it ties in to the overstated impact of the real issue on this website, is that security services provided by both SiteLock and Sucuri don’t seem to be focused on actually securing websites. Instead they seem to be more focused on trying to deal with after effects of the website having been hacked after having left the websites insecure. That all could be an indication the companies don’t have a good understanding of what they claim to have expertise in or that they are just interested in trying to get as much money out of people instead of being focused on improving security.

Sucuri’s Scare Tactics on Display with Their Claim That the Washington Post’s Website Contains Malware

Back in March we put out a post about the, now GoDaddy owned, website security company Sucuri’s SiteCheck scanner falsely claiming that our website was “defaced” and that “malicious code was detected”. That claim was based on a page on our website being named “Hacked Website Cleanup – White Fir Design”.

We recently had someone contact us that ran across our post after having Sucuri make a similar false claim about their website. In their case they were contacted by their web host SiteGround with the Sucuri results. In looking in to what was going on we found a post on SiteGround’s blog from March announcing they were going to start doing that. What they say about Sucuri is disconcerting:

There are several reasons to change our scan partner from Armorize to Sucuri. First, Sucuri is one of the most respected companies in the website security field. In addition, we have been working in partnership with them for several years. We have relied on their expertise for solving numerous complex security issues. And last, but not least, many of our clients’ websites have also been cleaned by Sucuri from malicious code over the years. That is why it was only natural that we extend this already successful partnership and make it cover the daily site scans too.

If they are truly one of the most respected companies in the website security field, that doesn’t same much about the field. Not only has their scanner been quite bad for years, but what we have seen with their clean up of hacked website hasn’t been good either, an example of that involved a website they claimed clean despite compromising credit info entered on it. They also don’t seem to understand the basics of security. And about a year ago they accidentally made a good case for avoiding themselves.

But let’s get back to their scanner, which SiteGround is now helping to cause more people to interact with the results of.

Scare Tactics

If you go to the web page for Sucuri’s Scanner you will notice that just below where you enter an address to have it scanned, it states:

Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

That sound reasonable, the problem is that it doesn’t in any way match how they present results from it. Here is what it looks like when they think a web page contains malware, as can be seen with a page from the Washington Post’s website, which we happened to submit to test out something related to the false defacement claims:

Among the very scary sounding things they have on their are:

Warning: Malicious Code Detected on This Website!

Status: Infected With Malware. Immediate Action is Required.

Malware Detected Critical GET YOUR SITE CLEANED

Get Immediate Clean Up CLEAN UP MY SITE

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

Though looking at the evidence presented to back that all up they seem a lot less sure there is even an issue as it is stated that “Anomaly behavior detected (possible malware)”.

When looking at the malware definition given, MW:ANOMALY:SP8, things are also unclear, as first they refer to what it detects as being “suspicious” and “possibly malicious”:

A suspicious block of javascript or iframe code was identified. It loads a (possibly malicious) code from external web sites that was detected by our anomaly behaviour engine. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

But then states their “engine found it to be malicious”:

This is not a signature-based rule, but looks at anomaly behaviors on how the web site is being loaded. Our engine found it to be malicious (related to remote includes).

It isn’t reassuring that on one page they both claim detecting this would mean that something is malicious and that it is only possibly malicious.

Get a Second Opinion

We would strongly recommend that web hosts don’t do what SiteGround is doing here and further spreading Sucuri’s inaccurate results. It would probably be best to avoid any web host that does something like this as well, since it doesn’t show they have an interest in best helping their customers or that they are doing proper due diligence.

If you do get sent results by your web host that claim your website is hacked, whether they come from Sucuri or another company, we would recommend that you get a second opinion as to their veracity from a more trustworthy company that does hack cleanups. We are always happy to do that for free and we would hope that others would too.

Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced

In the past we have discussed the fact that the web security company Sucuri’s scanner SiteCheck is rather poor at what it does, including falsely claiming that a website was infected with malware due to a bad false positive and claiming that a website was running on outdated software without knowing if that was true.

We just ran across another example, which this time involves our own website. On a post about them astroturfing from four years ago, we recently got this comment:

The Scam is strong with this one

https://sitecheck.sucuri.net/results/www.whitefirdesign.com

If you follow that link as of us writing this you will see that the status of our website is “Website Defaced (hacked)”:

Not only is it not actually defaced, but there reason for claiming that is just baffling, as the claim is based on the title of one of the pages on our website being “Hacked Website Cleanup – White Fir Design”:

It would appear they are claiming that a website is defaced just due to the words “hacked” and “website” in the title of a page, which clearly isn’t reliable to determine if a website is defaced. On top of that they are claiming an issue that doesn’t actually exist is of “Critical” severity.

We of course can spot that their claim was wrong since we deal with websites that are actually hacked all the time (and it was quite obvious at least in this case), but based on plenty of experience dealing with people that think that their websites have been hacked, we would guess that a lot of webmasters and owners could be mislead by this type of thing, leading to some of them paying Sucuri to clean up a hack that didn’t exist.

Sucuri Also Misrepresents Other Companies Data

The problems with their scanner don’t end there as the results for our website show. They also mention that our website is “Blacklisted”:

Looking into the details of that they claim the website is blacklisted by Norton Safe Web:

The reality is lot less alarming then they claim. Here are the Norton results:

What seems rather relevant to that is this part:

Web sites rated “Caution” may have a small number of threats and annoyances, but are not considered dangerous enough to warrant a red “Warning”.

So unlike Sucuri they don’t think that it should get a red warning.

So what are the threats on our website? There are not any, instead Norton’s scanner doesn’t understand the difference between showing malicious code in harmless form on one of our website’s pages, with actual malicious code on a website (the poor quality of website scanners isn’t limited to Sucuri):

While Sucuri warning if websites are actually blacklisted by other services would be useful, it should be accompanied by a disclaimer that the other services results may not be accurate instead of overhyping the issue to try to sell their services.

A Better Way to Get Your Website Check to Confirm if it is Hacked

Based on all that there is plenty of reason to avoid Sucuri’s SiteCheck, but what is a better way to confirm whether your website is hacked if you believe it is? The simple answer is to contact us, as we are happy to do a free check to confirm whether a website is hacked or not. We don’t rely on low quality automated tools to do that, since they produce poor results as was shown above. Instead we will discuss the situation with you and then do any necessary checking to look into the possible issue. For websites that are hacked we will also provide a free consultation on how best to deal with the issue, instead of trying to scare you into using our services, unlike Sucuri.

Questionable Support Advice on Dealing With Hacked Websites From WordPress and Norton Safe Web’s Mystery Blacklisting

One of the things we do to keep track of vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service is to monitor the WordPress support forum for threads related to them. In addition to threads that actual relate to that issue, we frequently run into to other security related threads. In doing that we noticed that in many threads a reply containing the same advice is given, which consisted mainly of a series of links. Some of the pages linked don’t seem to provide the best information, so we wondered if the various members providing that reply were actually aware of what they were linking to or if they were just repeating something they had seen others saying. While looking into another issue involving the forum we found that the source of the message was from a series of pre-defined replies for moderators.

While looking into another thread that came up during that monitoring of the forum we came across evidence that one of the links they include, a link to something called Sucuri SiteCheck, may not be the most appropriate to include. In that thread the original poster had written:

Sucuri is showing my site as harmful and is asking for $16/month to fix it, yet my site seems fine, traffic is normal and I have no log in / access problems on any browser or device.

When we went to look to see why Sucuri was claiming the website was harmful, the SiteCheck page was light on details and high on pushing you to use their service:

sucuri-sitecheck-results

Looking at the other two tabs of information, the only issue that they were identifying was that website was blacklisted by “Norton Safe Web”:

sucuri-sitecheck-blacklist-status

It seems to us that a service would be careful in situation where they are not themselves detecting anything malicious, but Sucuri seems to be labeling the website as “Site Potentially Harmful” and “Site Likely Compromised” based only on the fact that Norton Safe Web was blacklisting it. Based on our limited experience with Norton Safe Web, that would seem to not be appropriate because the results we have seen from it in the past have been rather poor.

Looking at what they are claiming to have detected with this website makes us more confident of the position.

Here is what they are reporting as of now:

norton-safe-web-report

You can see they are not claiming that there are any “computer threats” or “identity threats”, just an “annoyance factor”. What the “annoyance factor” isn’t really further explained, with the only information being that  a page is listed as having a “SWBPL” threat. There is no explanation what a “SWBPL” threat is either on the page or through a link. In searching around to try to find out what that is, we found that we were not alone in trying to figure that and that even some people at Norton did not know what it is. The most detailed information we could find was in a thread on the Norton website, where it was stated that:

SWBPL is one of the threat type in safeweb which is based on telemetry which we collect from 3rd party vendor feeds. Since these sites are classified based on the static data it is pron to few FPs

So Norton is apparently warning about the website based on unidentified third-party’s data, which is also apparently prone to  a “few” false positives. That doesn’t really seem like something that should be the source for Norton warning about a website and certainly shouldn’t be used by someone else to make claims as to the security of the website.

Looking at the URL they identified as being a “SWBPL” threat, visiting it normally just returns a “Page not Found” message and when visiting it in some other ways didn’t produce any different result. Without having access to the backend of the website we can’t rule out there is some issue with it, but from the outside there is nothing we could find harmful about it.

We hope that WordPress will review the boiler plate message they provide to those with questions about hacked websites and consider if they are providing the best information in it.