Profile cover photo
Profile photo
Unmask Parasites
Website security and Unmask Parasites updates
Website security and Unmask Parasites updates


Post has attachment
Just wanted to document some latest changes in Darkleech behavior that may help you detect it.

IE=EmulateIE9 to turn on the IE 9 compatibility mode in new IE browsers

"_SESSION_ID" cookie for 1 week so it doesn't solely rely on IP blacklisting

Post has attachment
When we see malicious code on web pages, our usual suspects are:

* Vulnerabilities in website software
* Trojanized software from untrusted sources (e.g. pirated themes and plugins)
* Stolen or brute-forced credentials (anything from FTP and SSH to CPanel and CMS)
* Cross-site contamination, or poor isolation from hacked sites on the same server.
* Server-level infections like Darkleech or Ebury.

But sometimes website infection vector is as exotic as a rogue browser extension on a site owner's computer...
My article on +Sucuri Inc. blog

Post has attachment
My new blogpost with speculations about doorway schemes that redirect back to search results.

Dumping unneeded traffic or second level of search engine optimization and traffic re-targeting?

Post has attachment
A new post from +Sucuri Inc.  in the series about contaminated
plugins from shady sources:

This one besides the legitimate stuff, created spammy sections on websites that installed it.

Previous post:

Post has attachment
My new post on the +Sucuri Inc. blog. It's about malware added to most of premium plugins that various shady sites redistribute for "free".

In the article, you'll find several examples of backdoors and unwanted ad scripts that can be found there.

Please, think what you install on your server. Software form unreliable sources may cause lots of trouble.

Post has attachment
A BadwareBusters thread about 30+ infected and blacklisted sites and an answer from +Caitlin Condon, StopBadware:
StopBadware can provide a bulk review of sites blacklisted by Google, yes. If you have more than 20 sites that are currently blacklisted by Google and you have cleaned them up, you can email bulkreviews <at>
We are only able to do this for sites on Google’s blacklist; we are unable to process bulk reviews for sites blacklisted by ThreatTrack Security or NSFocus

Post has attachment
Do you know Chinese fortune cookies? This malware reminded me of them.

Its algorithm uses some sort of a game of chance to determine whether to redirect you or not, and the final decision is delivered in an HTTP cookie. Moreover, it specifically checks for Chinese language and visits from Hong Kong sites (although just to turn them down).

Post has attachment
In response to the +Data Driven Security blog post that did an independent analysis of of the bitly data that I published in my article on +Sucuri Inc.  blog about how Darkleech abused Bitly URL shortening service and how I used Bitly API to collect data and estimate the scale of the Darkleech infection.

This time just a story about how I collected the data and worked with it. All data interpretations are in my previous article here:

Post has attachment
A popular Joomla extension JomSocial (that powers 160,000+ communities) has recently released a security update

The reason was serious -- their own site was hacked using a security hole in their product.

At this moment JomSocial is "unlisted" in the official Joomla extension directory as a "vulnerable extension"

Meanwhile, we see attack attempts that try to exploit this JomSocial vulnerabilities.

If you use this extension, make sure to upgrade it ASAP. And consider using a website firewall to be protected even during the window between the time when hackers begin to exploit some vulnerability and the time when you patch your system.

Post has attachment
My new post on Sucuri blog. It's about how hackers abuse popular web services, and how this helps security researchers obtain interesting statistics about malware attacks and even [temporarily] disrupt them.

Some highlights ( extrapolated data ):
* 303 infected servers
* 3.5 million iframe loads since the middle of December of 2013
* half a million malicious links created during that time
* web surfers from 196 countries were attacked during that time
Wait while more posts are being loaded