A few months ago, we embarked on a side project focused on the proactive detection and alerting of compromised websites, something that has been on our roadmap for a while as part of Scalar One Cloud Platform. Our initial goal was to develop a tool that could preemptively evaluate web page integrity by intelligently analyzing its behavior in the presence of real visitors. This approach, previously applied in advertising fraud prevention to identify cloaking and other malicious techniques, seemed promising for our objectives. To validate it, we built a rudimentary proof-of-concept bot designed to mimic a real visitor on a desktop device: it navigated websites and performed basic actions, such as visiting above-the-fold links after a small delay, leading further into the site tree on the same domain.
The primary task of the proof of concept bot was to detect two common breach indicators: off-domain redirects, where a visitor is redirected to an entirely different domain, and popups or popunders that cause the visitor to leave the original site. Our target audience was websites older than a year, with a specific focus on those using WordPress.
Over the course of several months, our bot scanned nearly 150,000 WordPress websites. The data collected from each session revealed some compelling and revealing insights. Our analysis showed that 4.92%, or 7,380, of the websites redirected our bot to an offsite domain at least once.
Notably, 88% of these redirects occurred during the first or second visit, indicating a strategy to catch new visitors off-guard. The remaining redirects happened after a few more interactions, such as the first click on a site, with behavior patterns varying slightly.
Further scrutiny of the redirect targets revealed that approximately 12% of these domains were inaccessible, likely because some party had already blocked them. The majority of redirects led to a variety of sites, predominantly phishing pages and advertising-related abuse. This pattern indicates widespread exploitation of compromised websites for malicious purposes.
One interesting aspect of our findings was the sophisticated detection avoidance mechanisms employed by many of the compromised sites. These sites often implemented measures to make abuse detection more challenging. Common tactics included serving redirects only once per visitor IP address or using cookies and fingerprinting techniques to prevent repeated detection of the issue.
In addition to redirects, our bot also encountered another significant threat: drive-by downloads. Approximately 0.7% of the total sites visited attempted to initiate these downloads, likely involving infected files intended to compromise the visitor's system. This discovery highlights a critical vector for malware distribution.
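To make the three indicators above concrete, here is an added example (not the project's own bot or log format) that classifies recorded browsing sessions into off-domain redirects, off-domain popups and drive-by downloads, and records the visit on which a site first tripped a check, since some sites only fire once per IP or cookie. The event field names, the sample sessions and the crude last-two-labels domain comparison are assumptions.

```python
"""Classify constructed browsing-session events into the breach indicators
described in the post. Field names and sample data are assumptions."""
from urllib.parse import urlsplit

# Content types that usually mean a file is being pushed at the visitor.
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                  "application/zip", "application/java-archive"}


def registrable_domain(url):
    """Crude eTLD+1: the last two host labels. A public-suffix list would be
    needed for suffixes such as .co.uk (assumption, kept simple here)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def same_site(a, b):
    return registrable_domain(a) == registrable_domain(b)


def classify_session(start_url, events):
    """Return (indicator, url) pairs for one visit. The bot only follows
    same-domain links, so any off-domain navigation is treated as a redirect."""
    findings = []
    for ev in events:
        url = ev["url"]
        if ev["type"] in ("navigation", "popup") and not same_site(start_url, url):
            kind = "off_domain_redirect" if ev["type"] == "navigation" else "off_domain_popup"
            findings.append((kind, url))
        elif ev["type"] == "response":
            hdrs = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
            ctype = hdrs.get("content-type", "").split(";")[0].strip()
            if hdrs.get("content-disposition", "").startswith("attachment") or ctype in DOWNLOAD_TYPES:
                findings.append(("drive_by_download", url))
    return findings


def first_flagged_visit(start_url, visits):
    """1-based index of the first visit with any finding, or None. Repeat
    visits matter because some sites fire only once per IP or cookie."""
    for i, events in enumerate(visits, 1):
        if classify_session(start_url, events):
            return i
    return None


# Constructed sample: three visits by one visitor to the same site.
SITE = "https://shop.example.com/"
VISITS = [
    [{"type": "navigation", "url": "https://www.example.com/about"}],  # same site
    [{"type": "navigation", "url": "https://shop.example.com/contact"},
     {"type": "popup", "url": "https://ads.example.net/landing"}],     # popunder
    [{"type": "response", "url": "https://cdn.example.org/update.exe",
      "headers": {"Content-Type": "application/x-msdownload"}}],       # drive-by
]
```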
A deeper investigation into a randomly selected sample of compromised sites suggested that the vast majority were small to medium-sized business websites. Based on our observations, it appears that many of these sites do not follow rigorous maintenance processes. This lack of maintenance leaves them vulnerable to exploitation.
To enhance the security of WordPress sites, we offer several key recommendations. First, ensure that your WordPress installation and plugins are always up to date. Second, avoid installing unnecessary plugins, as each additional plugin can introduce potential vulnerabilities. Finally, regularly inspect your website for any unusual activity or changes.
Our research into the WordPress ecosystem suggests that while significant efforts are being made by threat intelligence and security companies to mitigate exploits, the issue may be more deeply rooted in the architecture and design of the software itself. A fundamental shift in how WordPress is built and maintained could be necessary to address these vulnerabilities effectively.
The findings from our project were quite shocking. As we continue to analyze the data, we have already sent notices to the owners of compromised sites, urging them to investigate and rectify the issues.
This study underscores the critical need for proactive measures and regular maintenance to ensure the integrity and security of websites. By staying vigilant and adopting best practices, website owners can significantly reduce the risk of compromise and protect their visitors from potential harm.
We are currently in the process of analyzing all the collected data. As our analysis progresses, we will publish follow-up reports to share any significant discoveries and insights we uncover.