Back in March we put out a post about the, now GoDaddy owned, website security company Sucuri’s SiteCheck scanner falsely claiming that our website was “defaced” and that “malicious code was detected”. That claim was based on a page on our website being named “Hacked Website Cleanup – White Fir Design”.
We recently had someone contact us that ran across our post after having Sucuri make a similar false claim about their website. In their case they were contacted by their web host SiteGround with the Sucuri results. In looking in to what was going on we found a post on SiteGround’s blog from March announcing they were going to start doing that. What they say about Sucuri is disconcerting:
There are several reasons to change our scan partner from Armorize to Sucuri. First, Sucuri is one of the most respected companies in the website security field. In addition, we have been working in partnership with them for several years. We have relied on their expertise for solving numerous complex security issues. And last, but not least, many of our clients’ websites have also been cleaned by Sucuri from malicious code over the years. That is why it was only natural that we extend this already successful partnership and make it cover the daily site scans too.
If they are truly one of the most respected companies in the website security field, that doesn’t same much about the field. Not only has their scanner been quite bad for years, but what we have seen with their clean up of hacked website hasn’t been good either, an example of that involved a website they claimed clean despite compromising credit info entered on it. They also don’t seem to understand the basics of security. And about a year ago they accidentally made a good case for avoiding themselves.
But let’s get back to their scanner, which SiteGround is now helping to cause more people to interact with the results of.
Scare Tactics
If you go to the web page for Sucuri’s Scanner you will notice that just below where you enter an address to have it scanned, it states:
Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.
That sound reasonable, the problem is that it doesn’t in any way match how they present results from it. Here is what it looks like when they think a web page contains malware, as can be seen with a page from the Washington Post’s website, which we happened to submit to test out something related to the false defacement claims:
Among the very scary sounding things they have on their are:
Warning: Malicious Code Detected on This Website!
Status: Infected With Malware. Immediate Action is Required.
Malware Detected Critical GET YOUR SITE CLEANED
Get Immediate Clean Up CLEAN UP MY SITE
Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.
Though looking at the evidence presented to back that all up they seem a lot less sure there is even an issue as it is stated that “Anomaly behavior detected (possible malware)”.
When looking at the malware definition given, MW:ANOMALY:SP8, things are also unclear, as first they refer to what it detects as being “suspicious” and “possibly malicious”:
A suspicious block of javascript or iframe code was identified. It loads a (possibly malicious) code from external web sites that was detected by our anomaly behaviour engine. Those types of code are often used to distribute malware from external web sites while not being visible to the user.
But then states their “engine found it to be malicious”:
This is not a signature-based rule, but looks at anomaly behaviors on how the web site is being loaded. Our engine found it to be malicious (related to remote includes).
It isn’t reassuring that on one page they both claim detecting this would mean that something is malicious and that it is only possibly malicious.
Get a Second Opinion
We would strongly recommend that web hosts don’t do what SiteGround is doing here and further spreading Sucuri’s inaccurate results. It would probably be best to avoid any web host that does something like this as well, since it doesn’t show they have an interest in best helping their customers or that they are doing proper due diligence.
If you do get sent results by your web host that claim your website is hacked, whether they come from Sucuri or another company, we would recommend that you get a second opinion as to their veracity from a more trustworthy company that does hack cleanups. We are always happy to do that for free and we would hope that others would too.