SiteLock and Their Partners Including Bluehost and HostGator are Still Producing Bad Results

Earlier this week, we interacted with someone dealing with the mess that is having SiteLock brought in to clean up a malware infected website. They are not alone in that. Here was a review of them left on Trustpilot in October:

This is a company with no service and it’s a scam! It has been six weeks since I purchased their service and my site is down for the third time during their ‘monitoring’. I just keep receiving generic/automated emails about the removal of threats every two days or so while my website is still down!
I purchased it through Blue Host. I am puzzled as to why BH is recommending Site Lock. Service on both sides is mediocre or nonexistent. BH agents who barely spoke English were arguing with me with raised voices that I needed to be patient and wait until they had time to fix the website! I don’t want to use and be associated with either one of them! Site Lock is a scam and BH is not taking responsibility for recommending it. Thoroughly frustrated.

The person we were interacting with also is a customer of Bluehost. That reviewer wondered why they recommend SiteLock. The answer is pretty simple. Bluehost gets paid by SiteLock if they are hired.

It isn’t just Bluehost. Here was another review from October:

I was called up by “hostgator security” stating that my site had Malware. I asked them to revert it to a backup, and they said it would be $50 and no guarantee of fixing the malware, but I should use “Site Lock” instead. With 2 domains it would be $500, they would remediate the malware immediately, and then provide 12 months of monitoring service. Normally, I’d just handle malware myself, but I’ve got alot going on, so I decide to let these professionals handle it. I ask them what happens if my site goes down during this process, and they assure me that would not happen because the only files that would be removed is malware. I ask, ok, what if some kind of accident happens and it goes down anyway? “They will help you, they are on top of it.” Okay great. I pay the money, for the next 24 hours I get a dozen emails about site scans happening. I check the next day, and both of my websites will not load. I call the Site Lock number and they tell me there are 19 directories for which I have not paid for Sitelock, and he thinks the malware is hiding there, and I need to pay for service for each of those directories. 19 + 2 X $250 is $5,250, which is as silly, ridiculous, halfbaked and outrageous a number as is the premise that more site scans will fix the problem. I come to find out Hostgator and sitelock are two separate companies. This is not a professional team that works together to remediate malware, in my opinion. I call back the hostgator rep who sold me the services, which atleast I’m grateful he was easy to get a hold of, and I’m told he will open a ticket which may take up to 24 hours to get a response to. These are active business websites with advertising running to them. I should not have trusted Hostgator, and I should not have trusted Sitelock. After this is all over, I’m going to look at hosts who don’t charge to revert backups.

There were plenty of other Trustpilot recent reviews that are similar. This isn’t really news to us since we used to have a lot of interactions with people who had hired them to deal with hacked websites or who had web host were pushing to them to, where the same issues came up.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that we used to have come up a lot in conversations with clients was SiteLock. There have been many problems we have run across with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were now on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least they were supposed to be working on it). It shouldn’t take that long. It usually should take a few hours to do that clean up. At least when we are cleaning up a hacked WordPress website, that is how long it takes. That is with us doing a proper cleanup, whereas lots of providers, including SiteLock in our past experience, don’t do, so it should take less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

MalCare Customer Indirectly Warns It Fails to Protect Websites From Being Hacked

We recently were contacted with a strange request. Someone was asking us for a refund for a hack cleanup plan. We don’t have any such plans. We provide onetime cleanups and we only charge after the hack cleanup is completed. It turned out that the person had somehow run across a two-year-old post of ours warning about a provider named Malcare, titled MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers, and then contacted us as if we were Malcare.

The request for a refund mentioned things that were in line with what we were warning about two years ago. They wrote this in part:

 Your plan was not working out as planned. I am still cleaning up a lot of damage since my site was hacked, I had to resort to a different plan.

And this:

Looking at the backup you had on your site, the database was filled with numerous users, of which I did not know. I had to clean up my database manually.

After dealing with that, we were curious to see if other of their customers have been complaining about their service recently. What we saw was that people are still being misled by them in to believing that their service offers things it doesn’t, while another of their customers who are not criticizing the service refuted that.

Here is part of one recent customer review:

Definitely a game-changer for our websites. Full removal of hacks and complete protection from current and future attempts.

The customer obviously doesn’t know that it will actually offer complete protection from future hacking attempts. The service can’t do that, but everything we have seen it won’t even do a good job of the protection it could possibly offer. Don’t take our word for that. Here was part of another recent positive customer review:

MalCare and the team behind it have gone above and beyond their stated service to help me restore my website from malicious hacks of my WordPress website. On more than one occasion they were able to scan and clean my site of infected files. Anyone who has a website knows how horrible it feels to learn that your site has been hacked.

Based on that, their website has been hacked at least once while using MalCare’s service. If that wasn’t the case, they wouldn’t have been cleaning it up multiple times, unless they failed to properly clean it up the first time.

Review of Wordfence Response Shows It Is a Terrible Option For Getting a Hacked WordPress Website Cleaned Up

The popular WordPress security plugin Wordfence Security is marketed with the claim that it will protect websites from being hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

Despite that, the developer sells two very expensive services for dealing with websites that have been hacked while using that plugin. That seems like it should be a big red flag to avoid both the plugin and those services, but isn’t for many, which can have significant consequences. A recent review tells that story.

The review involves a website that was presumably hacked while using Wordfence’s plugin and then they were hired to deal with that:

Horrific (and non-existent) “emergency response”. We had two sites protected with the WordFence premium plugin. Both came up with white screens of death this morning, so we went to WordFence as a ‘trusted’ provider to hopefully help us get back online.

It isn’t actually clear based on the review that the website was hacked, as opposed to some other issue causing the website to be broken and have the “white screen of death shown”. Wordfence should have made sure that there really was a hack before taking any money to do a hack cleanup. We always do and we would recommend avoiding any provider that doesn’t.

Instead, they got this person to pay way too much for a hack cleanup through their Wordfence Response service:

We fell for their $950 (NINE HUNDRED AND FIFTY) dollar “emergency” response plan where they are supposed to dedicate some urgent resources for “mission critical” websites to get you back online fast.

That is significantly more than we charge for a WordPress hack cleanup and we are not the cheapest option.

For all that money, you are not getting a response in line with what is supposed to be provided. Instead, they only promise to get back to you within an hour and address the hack within 24 hours:

Wordfence Response is for mission-critical WordPress websites that require 24/7/365 security monitoring with a 1-hour response time and 24-hour remediation.

It usually only takes a few hours to handle a cleanup, so them getting it done within 24 hours isn’t a great result. Perhaps that is why they emphasize responding within an hour, since that makes it sound like a better service. The reviewer’s result, though, was worse than that:

It look over an hour for the representative to come back and tell us that because we had 4 other subdomains completely outside of public_html on the server, that we would have to pay FOUR MORE TIMES (yes, $4000 more) to get them to even start looking at it.

So it took over an hour to respond that the overpriced service was going to be even more expensive.

After agreeing to pay the outrageous sum, things didn’t even move forward:

SEVERAL HOURS LATER (now NINE HOURS) after the emergency ticket was crated, a new “Director of Information Technology” sends us an email that they can’t help us at all because there are plugins that have “obsufated code” in them and so they can’t help us. They don’t bother to even tell us what plugins (we suspect Membermouse, some plugins do this), or even offer to simply remove that plugin and continue their search and help.

Instead, they send that email and then ignore us. So now $5000 and 9 hours later we still have a broken site and no emergency response from Wordfence.

It isn’t uncommon to deal with legitimate obfuscated code on a hacked website. It makes things slightly more difficult, but when you are overcharging for hack cleanup to the degree Wordfence is, it wouldn’t be a real issue.

The description of their service has some other significant red flags. For example, here is how they describe the cleanup process:

When a security incident impacts your site, our team works directly with you and securely clones your site onto a forensic server. Safely away from your production website, our team analyzes the incident using tools, processes, and data that have taken years to develop. We find the attack vector, track down indicators of compromise, and remediate your site.

Beyond a slew of buzz-words, what they are describing is either not accurate or is going to produce bad results. Usually a key part of cleaning up the hack and trying to figure out how the website involves reviewing log files, so copy the website isn’t going to do anything for that. Also, they are not being honest about an important reality, which is often you can’t actually determine how the website was hacked or, to use their parlance, find the attack vector. Surely they must know that, but somehow as a security company they don’t feel that being honest with perspective customers is important. It really isn’t surprising to then hear the result once they have gotten people’s money.

This Doesn’t Inspire Confidence in cPanel’s Understanding and Handling of Security

One problem that companies in the web security space have to deal with is the large volume of inaccurate security advice that is out there, much it coming from people that you should be able to rely on, including web security companies.

One company that you would hope that you could rely to provide accurate security information would be company behind the widely used cPanel web hosting control panel. That isn’t the case with something we ran across recently.

The answer to a Q&A question, “What is the anonymousfox address on my system? ” on their website starts out:

Anonymousfox is a WordPress vulnerability where users are able to exploit vulnerable WordPress plugins to get access to the account’s files on the system. While not an issue with the cPanel software, the attacker can gain access to that particular cPanel account by editing the contact address file and then resetting the account’s password.

It isn’t a great sign that WordPress is miss capitalized there, but the rest of that doesn’t even make sense. If the vulnerability is in a WordPress plugin, then it isn’t a vulnerability with WordPress, but with the plugin. Also, what is described there sounds like it isn’t a WordPress specific issue, as it sounds like an attacker that gains access to the website can change a cPanel account file, which wouldn’t be something that would be WordPress specific.

Skipping past a paragraph you see this:

There are excellent forums posts that have additional details you may want to read at the following links:

 

https://forums.cpanel.net/threads/question-and-tips-about-anonymousfox.677765/

If you follow that link you will find a cPanel employee wrote this:

This kind of activity can be achieved by a compromised password, script or plugin used on the site. It isn’t just WordPress related. I would strongly suggest you not only enlist the services of a qualified system administrator to audit your installations and security but you must identify the point of entry or the issue will continue to occur.

If you read through the rest of the information on that page, other people are stating they ran into the issue despite not using WordPress, so it is hard to understand how that is being cited and yet the information in it was ignored and the information provided in the answer is incorrect in the way it is.

What seems of more concern is that someone with just access to a website in the cPanel account could edit that file, a concern that was raised in comments on that linked page.

If GoDaddy’s “Firewall Prevents Hackers” Why Would You Also Need Multiple Hack Cleanups?

We often get asked about whether people should use a service that claims to protect their website from being hacked. Part of our answer is that we have seen no evidence that these services actually provide that protection and plenty that they don’t, including being hired to clean up hacks on websites using those services.

That these services don’t work isn’t something that is really hidden, often the marketing material service for them suggests that they don’t really work. Take GoDaddy’s Website Security service. That service has three price tiers. With all three tiers, one of the bullet points is “Firewall prevents hackers.” In the lowest tier another bullet point is “Annual site cleanup and remediation” and in the other two it is “Unlimited site cleanups.”:

If the firewall prevents hackers, why would you need a hack cleanup?

Even if you want to give the benefit of the doubt to GoDaddy, that say they are thinking people would sign for the service when their website is already hacked or they are advertising hack cleanups, even though you wouldn’t need them, since they are confident the service works, it makes no sense that they wouldn’t offer unlimited hack cleanup with the lowest tier of the service as well, since even considering those possibilities, there would only need to be one hack cleanup.

That contradiction doesn’t just appear in that spot. In the textual information on the same page, they claim to take a “preventative approach” that “blocks attacks”, but immediately pivot to an indication that their service doesn’t accomplish that:

Take a proactive, preventative approach to the safety of your website. The Website Security firewall blocks attacks on your site while its malware scanner regularly searches your site for malicious content and alerts you if any is found. All you need to do is submit a malware removal request, and our expert security team will get to work cleaning* up your site.

What is completely missing from that page is any evidence, much less evidence from independent testing, that their service is effective at stopping attacks or detecting malware. Based on our experience having been hired to re-clean websites they were supposed to have protected and cleaned, the results of such testing probably wouldn’t be good.

GoDaddy Hosting phpMyAdmin on Server With “Broken Encryption” With F Grade From SSL Labs

One telling example of the web security industry’s lack of concern for security is how web host GoDaddy has continued to have rather poor security while first being partnered with one web security company, SiteLock, and then owning another one, Sucuri.

An example of that poor security came up a few months ago while we were dealing with a hacked website where Sucuri had not properly secured the website. We meant to post about that at the time, but then forgot about it until we were dealing with another hacked website with a GoDaddy connection worth posting about.

While working on the hacked website, we accessed the phpMyAdmin database administration tool that GoDaddy provided and found a situation we can’t recall seeing before with a web host. That would be the SSL encryption was “broken” on the server hosting phpMyAdmin.

If you access that in Google’s Chrome web browser the connection is listed as “Not Secure”:

You are warned that “Your connection is not fully secure” and that:

This site uses an outdated security configuration, which may expose your information (for example, passwords, messages, or credit cards) when it is sent to this site.

When looking at the Technical Details of that issue with Firefox, it states:

Broken Encryption (​TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.0)

If you run that address through the SSL Labs tool, the server gets an F grade:

The domain name being used for that insecure server, secureserver.net, which isn’t an accurate name.

Cyber Ninjas, Colonial Pipeline, and Your Website’s Security

What does an election audit in Arizona and a pipeline operator have to do with the security of your website? It turns out a lot.

Cyber Ninjas

Recently an audit of the US presidential election votes in Maricopa county in the state of Arizona started. The audit has noted for being poorly run, violating rules to ensure integrity of the process, and involving strange things, like trying to check for the presence of bamboo in ballots.

That doesn’t sound like it should relate to the security of your website and it shouldn’t, but it does. The reason for that is that the company in charge of the audit, Cyber Ninjas, is a cybersecurity company. They have no experience in doing an election audit, which is good reason for them not to be doing an election audit, but also is probably a good reason they shouldn’t be doing security either.

What seems like it should be a basic element of being a professional would be to stick to what you have expertise in. An architect wouldn’t agree to take on demolishing a building just because they know how to build them. When it comes to the security industry, we frequently see people involved in things they clearly shouldn’t be. In fact, very few people in the industry seem like they should be anywhere near it. Looking at Cyber Ninjas website, they are claiming to offer a very wide range of services, which might be a sign they are offering services without the needed expertise to properly handle them.

The other thing that stands out for us about Cyber Ninjas website is how it looks so obviously untrustworthy. A lot of it is the same stuff you see repeatedly on security companies’ websites, for example, there is the obligatory stock photo of some dressed like they are going to break in to a building at a computer:

We have a hard time understanding how anyone would look at something like that and not avoid that company, but people don’t seem to feel that way. Even the name seems like it would ward people away from the company, but it doesn’t seem to.

Part of that text next to that image reads (the weird characters are in the original):

The headlines are increasingly filled with articles about hackers compromising systems and stealing data. While it often seems like they must be utilizing some dark ninja magic to accomplish their amazing feats; the reality is that most security breaches are conducted utilizing types of security vulnerabilities we’ve known how to prevent for over 10 years.

While that is mostly true, curiously if you head over to the website’s services page, the company doesn’t seem to be focused on actually addressing that. But instead on selling people on services that don’t directly address the issue and indirectly address it an ineffective way. One of the three things they highlight, and the one they provide the most specificity, is ethical hacking:

From what we can tell, ethical hacking is mostly a rip-off. You end up paying a lot of money to inefficiently review things and the issues found are not resolved.

Cyber Ninjas has gotten a fair amount of coverage because of their involvement with the audit, but there has been very little of it from security journalism outlets. What little there has been has been devoid of any discussion of what this says about the legitimacy of the security industry. There is probably a good reason for that, as companies like Cyber Ninjas are frequently the only sources for security journalists stories, despite being companies, that like Cyber Ninjas, seem like a serious journalist should be warning about, not relying on. In line with that, security journalism is quite bad, which brings in the next part of this, a pipeline company, and gets back to a claim Cyber Ninjas made.

Colonial Pipeline

A ransomware situation involving a US pipeline operator, Colonial Pipeline, has received a lot of news coverage. There was a claimed detail that seems rather important from a wider security perspective. Colonial Pipeline wasn’t keeping their software up to date:

It is important to note that the claim about one piece of software being the “most likely culprit” is just speculation. What is important about that is that keeping software up to date is one of the most important security steps and one that often isn’t done.

While usage of outdated software that is known to be insecure is often the source of hacks we deal with and the source of high-profile hackings, both security companies and security journalists seem rather uninterested in that be better dealt with. For security companies, that could be explained by it being bad for business. Right now they can charge a lot of money for security services that require little work and don’t actually have to work (you might have noticed despite all the money being spent on security, security doesn’t seem to get better). The reason that security journalist do this is harder to explain.

Improving Your Website’s Security

Improving the security of websites, and security in general, is more difficult than it should as long as the security industry and security journalists are taking actions counter to actually improving security. But to improve security, your focus should be addressing real threats with proven solutions. Keeping software up to date is a proven solution since it will avoid systems getting hacked because of vulnerabilities that have been fixed. By comparison, while security services frequently make extraordinary claims about the results they deliver, those are almost never backed up with evidence of their effectiveness. Based on plenty of experiencing looking at them in different ways, that is in part because they don’t deliver the results claimed, in many cases, if you just look at how they are advertised that becomes clear.

So when looking to improve security, you should ask what is the evidence that something will improve security versus looking at unsupported claims of amazing results.

Also, if claims sound extraordinary, they probably are not true.

What is Magecart? It Isn’t a Thing.

When it comes to the security of websites, and security in general, there is a lot of focus on catchy names for things, not a lot on actual security. A great example of that is Magecart. What is Magecart? Well, it really isn’t anything. Instead, it is a term used for a whole host of different things, which makes it useful selling security services and creating press coverage, but not for actually resolving the underlying issues.

Here is one description of Magecart from security news outlet, CSO Online:

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information.

Elsewhere, a security news outlet described it as being competing groups:

here’s no clearer indicator that the Magecart scene is getting crowded than discovering that some groups are now sabotaging each other’s code

Elsewhere it is described not as an entity, but as a type of attack:

Every day we hear about some new threat or vulnerability in technology, and the data harvesting attack known as “Magecart” is the latest threat.

Elsewhere, in a security news outlet that is part of a security company, you will find it claimed that only impacts Magento websites:

So-called Magecart attacks utilize web injections to deploy JavaScript code on Magento websites that skims and steals payment card information from retail website customers.

But the very next paragraph mentions “high-profile targets”, which didn’t run on Magento:

Once believed to be the work of a single cybercrime gang hitting high-profile targets including Ticketmaster and British Airways, Magecart-style attacks have now evolved and have been adopted by numerous threat groups.

We could go on, but you get the point.

What You Can’t See is Ignored

To the extent that these disparate descriptions of Magecart have any common feature, it is that involves JavaScript code that captures information, like payment details, during the checkout process on a website. That isn’t the only way that hackers can capture that information, as they could capture on the system that it submitted, which is often the same system serving the website where the checkout is occurring. That wouldn’t be possible to directly detect from the outside, generally, which seems to explain why there is so much focus on only part of the issue.

Even what you can detect is only the end result of a hack, so while you will find lots of stories about Magecart, there is very little on how the hack occurred. If you don’t focus on how they occurred, they you are not likely to address those issues. Not surprisingly, the hacks keep occurring. That is bad for just about everybody except the people pushing the Magecart narrative, since security companies can sell more products and services this way (which don’t resolve the issue seeing as the hacks continue) and journalists get easy stories.

Indirect Protection at Best

For this type of attack to work, a hacker has to somehow get malicious JavaScript code to run on the checkout page. That would either occur by placing it directly on the website handling the checkout or some other websites that serves up JavaScript on the checkout page. In either case, a hacker has to gain access to systems to do that. To put that another way, the way to prevent this would be to focus on the server-side, but here was the start of a recent article in a security news outlet written by an employee of a security company:

With e-commerce displaying no signs of slowing down since the start of the COVID-19 pandemic, the Magecart cyber-criminal syndicate is thriving. By evolving their web skimmers to become harder to detect and avoid, they have been successful in breaching several high-profile businesses.

After years of discovery and research by the cybersecurity industry, we are at a stage now where companies have started looking for effective protection against this serious threat. Typically, when security teams understand how web skimming attacks operate and how they take advantage of the huge security blindspot that is the client-side, they first turn to CSP (Content Security Policy).

Focusing on the client-side would be, at best, an indirect way to handle this and wouldn’t handle the situation at all if hacker collects the data when it is submitted to the website. There is simple reason why that person might present that as the focus, the company they work for provides client-side solutions.

Need Help Securing a Magento Website?

If you have a Magento website that is hacked, we can help you to actually get it cleaned and secured. If need someone to handle keeping Magento up to date, which goes a long way to keeping it secure, we can take care of that for you.

Sucuri Claims to Know The Most Common Cause of Website Hacking Despite Not Determining How They Are Hacked

We are often brought in to re-clean hacked websites after another provider, Sucuri, has been hired to clean them, but has intentionally cut corners, leading to the website still being hacked after they have claimed to have cleaned it up. In the most recent instances we were brought in, the website was still hacked, though to a more limited extent than usual. But what stood out more that not only was the website still also insecure, but it was still insecure because of Sucuri’s parent company, GoDaddy. That is something Sucuri would have noticed if they have done one of three key components of a proper cleanup, trying to determine how the website was hacked and fixing that.

What makes the lack of doing that stand out more, is that an email sent out by Sucuri after their cleanup made this claim:

Out of date software is the most common cause of website compromise. It’s highly recommended to get that updated as soon as you can.

So clearly they believe you can determine how websites are hacked, but they don’t do that. Beyond that being a problem to get things properly cleaned, it also would it make hard for something they claim to do right at the top of their home page, namely preventing future attacks:

We fix hacks and prevent future attacks.

How do you prevent future attacks if you don’t know how previous ones were actually done? In other instances we were brought in, the website was already using Sucuri’s service when they were hacked, so clearly their prevention didn’t work, but Sucuri wasn’t interested in figuring out what went wrong.

GoDaddy’s Insecure Hosting

The remaining piece of the hack that they missed were admin accounts for the website created by a hacker or hackers. Looking in to how those got there would be part of trying to determine how the website was hacked. If you actually do that work regularly, as we do, then what you immediately notice is that the accounts don’t look like they were created through the normal process in the software being used on the website, since most of the details, like when the accounts were registered, were empty. What that usually means is the hacker had direct access to the website’s database.

If the hacker had access to the database, that most likely mean they were able to get access to the credentials for the database. A type of vulnerability that could provide them with that information is one that is widely exploited when it exists in software. We rarely see websites that have been hacked due to that type of vulnerability, because in most cases the hacker doesn’t have a way to directly connect to the database to then use the credentials.

With this website, though, we confirmed that you could remotely connect to the database. The vast majority of websites don’t need to the database to be remotely accessible and they normally are not, since it introduces a security risk with no upside for almost all websites. Fixing that would be something that Sucuri should have done, if they were doing things properly instead of cutting corners. When we went to see about doing that we found it was already supposed to be the case, as the database wasn’t supposed to be able to be connected to remotely:

It wasn’t a one off issue, as another part of the work Sucuri failed to do was to update the software on the website. When went to work on that we created an additional database to test the upgrade and it was also remotely accessible despite being set to not be.

That wasn’t the only security issue we ran across with the hosting account, as we will discuss in a future post.

What really stands out is the website is hosted by GoDaddy, which owns Sucuri. Is it any wonder that security is so bad, when not only does a security company not do the basic work they should do, not only is a web host failing on basic security, but when the two are part of the same company.