Monday, June 13, 2022

2021 Sucuri Hacked Website Report

Analysis from Sucuri

Editor’s note: This post originally appeared April 28, 2022 on the Sucuri blog.

Our 2021 Website Threat Research Report details our findings and analysis of emerging and ongoing trends and threats in the website security landscape. We’ve put together this analysis to help keep website owners informed and aware of the dangers posed by malicious actors.

This year’s report is a collection of observations made by Sucuri’s Research and Remediation teams from data collected on web-based malware, vulnerable software, and attacks during 2021.


The data used in this report is a representative sample of the total number of websites that our Remediation team performed services for throughout the year 2021, as well as more than 132 million SiteCheck scans. This data reflects the environments of our clients and not the web as a whole.

This was a great project to work on and we uncovered a lot of interesting data, particularly in observing trends in credit card skimming malware and WordPress. Some trends from previous years continued while some fresh ones emerged.

Our hacked website report contains a lot of new data, including sections on emerging malware to help us analyze and understand trends in the threat landscape. We also provide an analysis of the most severe and common software vulnerabilities present within the WordPress ecosystem during 2021.

Key takeaways

  • Vulnerable plugins and extensions account for far more website compromises than out-of-date, core CMS files.
    Websites containing a recently vulnerable plugin or other extension are most likely to be caught up in malware campaigns.
  • Default configurations of popular website software applications remain a serious liability.
    By default, WordPress administrator panels contain no multi-factor authentication, nor a limit on failed login attempts.
  • Responsible disclosure and proactive security monitoring are key to maintaining a safe web.
    Some major catastrophes were avoided in 2021. Major plugins with millions of installations had vulnerabilities patched with very few incidents, due to proactive security monitoring, patching, and exceptional communication with the public.
  • Credit card skimming is on the rise, especially for WordPress.
    Hacker groups are actively developing and customizing their malware. Each variation is distributed to a small number of sites, but the overall number of affected sites is significant.
  • SEO spam continues to be a menace.
    52.6% of remediated websites contained some form of SEO spam in 2021. Spam also accounted for 34.45% of infected SiteCheck detections.
  • Backdoors and malicious admin users remain the backbone of many compromises.
    Backdoors are extremely common, with 60.04% of infected environments containing at least one website backdoor.
  • Website reinfections remain common.
    A website compromise can be a miserable experience. Website owners are often averse to taking all the necessary post-infection steps, but if measures aren’t taken the attackers are likely to return.
  • Malware tends to focus on either quality or quantity.
    The goal of spam and redirect malware is to compromise as many websites as possible, in the shortest time period possible, to affect as many users as possible. Its authors don’t care about staying hidden. Malware that compromises credit card details is the opposite: it tries to keep a small, very well hidden payload present for as long as possible in order to steal as many card numbers as it can.
  • Cryptomining attacks are no longer very common.
    Cryptomining has largely moved away from website and server environments, focusing instead on dedicated hardware “farms”.

Software distribution

Based on our data, the following graph illustrates the usage of different CMS platforms among our client base.

These data sets indicate that WordPress continues to be the most popular CMS among our user base, accounting for 95.62% of clients in 2021. As seen in past years, Joomla (2.03%) followed in second place with Drupal (0.82%) taking third.

Vulnerable software and components

Out-of-date CMS

The percentage of websites that had an out-of-date CMS at the time of infection was roughly equal.

Our data suggests that an out-of-date CMS only roughly correlates to infection, and points to the usage of vulnerable plugins and themes as well as unsecured admin panels as being of greater importance in terms of security risk.

The presence of an out-of-date CMS may not necessarily be the attack vector itself but rather a symptom of a lack of maintenance of the environment.

Out-of-date CMS distribution

Out of all the websites submitted for malware cleanup, WordPress and ModX were by far the most well maintained at the point of infection.

Top malware infections

To identify the most common malware types seen on compromised websites in 2021, our team aggregated and analyzed the data from malware signatures detected and cleaned during Incident Response.

Why is there a proportion overlap?

Our teams often find multiple types of malware on a compromised website. For example, attackers might infect a website with spam and also plant a website backdoor to maintain access to the environment.


In 2021, 61.65% of remediated websites were flagged with the malware category. Malware is a very broad category which often includes code designed to redirect website visitors to scam and other malicious websites or steal login credentials. It typically engages in some kind of malicious action against website visitors, in contrast to backdoors and hack tools that facilitate hacker activities or spam that aims to increase SEO rankings for third-party sites.

The top ten most common malware types we cleaned were as follows:


Backdoors were one of the most common threats found on compromised websites in 2021, with 60.04% of all infected sites containing at least one backdoor.

Backdoors are an important tool for attackers, and our analysts typically find them alongside many other types of malware. This malware bypasses regular access channels, granting attackers full access to the website backend. Once installed, a backdoor can be used to maintain access to the compromised environment long after the infection has occurred, making it easy for the attacker to reinfect the site after the payload is removed.

We analyzed the different types of backdoors we detected and cleaned in 2021 and found the following distribution.

  • Uploader
    A type of backdoor which allows the attackers to upload files to the victim environment.
  • Webshell
    These backdoors allow the attackers full access to the website file system.
  • RCE
    The backdoor will attempt to execute the command issued by the attackers.

Credit card skimmers

Credit card skimmers have increased significantly from previous years and the behavior has become more targeted. A growing amount of credit card theft has been occurring on independent websites where the store has set up its own ecommerce website.

Over 25% of all new PHP malware signatures generated in 2021 were for credit card skimmers.

In 2021, SiteCheck detections found that 34.5% of websites infected with a credit card skimmer were running WordPress.

SEO spam

SEO spam still remains one of the most common website compromises, with 52.6% of remediated websites containing SEO spam. Infections typically occur via PHP, database injections, or .htaccess redirects.

SEO attacks often infect websites with redirects and spam, referring website visitors to spam landing pages. These attacks can significantly impact rankings and organic traffic from popular search engines like Google, Bing, and Yahoo, which block websites with malicious content.

Our analysis revealed that 33.3% of SEO spam infections were spam doorways, which produce subsections of dynamic spam content on a compromised website. Another 32.2% of SEO spam infections were related to spam injectors, responsible for peppering a compromised environment with hidden spam links for SEO purposes.

Unsurprisingly, our analysis revealed that the most common SEO spam themes and keywords on compromised websites included pharmaceuticals like Viagra and Cialis.

Top spam themes

  • Pharmaceuticals
  • Essay writing services
  • Knockoff jerseys and other brand name products
  • Escort services
  • Adult websites
  • Online casinos
  • Replica watches
  • Pirated software

Left untreated, SEO spam can seriously damage a website’s reputation, and recovery can take significant time. Website owners may experience a loss in revenue, hijacked search results, browser warnings, and even blocklisting.


Phishing has become more prevalent in recent years, with 7.39% of websites containing some form of phishing in 2021. By and large what we see are legitimate websites hacked to host phishing content. This distances the attacker from their payload and allows them to avoid culpability and lower their costs.

Phishing tends to target login credentials for cloud services such as Microsoft Office and Adobe, as well as financial institutions and popular services such as Netflix. Stolen passwords are also used in credential stuffing attacks.

Nearly all phishing consisted of payloads (phishing landing pages) targeting a wide variety of companies and services. A large portion of attackers used ready-made, pre-built phishing kits and installed them onto their targets.

These kits contain some key components:

  • A payload landing page
  • A mailer script to either send the compromised data to the attackers or to send out phishing emails to victims
  • Code designed to prevent search engines from indexing the payload

SiteCheck and blocklist analysis

Our SiteCheck tool is one of our most important website security monitoring tools. It’s free to use and scans millions of websites per year.

Since it is an external monitoring tool, it cannot see infections that don’t display outwardly on websites (such as PHP backdoors). For a comprehensive solution, Sucuri clients have full access to our server-side scanning and monitoring.

We queried the scans performed on SiteCheck during 2021 to identify the trends seen for our remote security scanner.

From the 132,374,781 scans performed with SiteCheck in 2021, a whopping 10.38% of websites were identified as containing out-of-date software and 4.34% were identified as infected. Of these infected websites, 34.45% were identified as containing SEO spam while less than 1% were website defacements.

Blocklisted domains

Within the top blocklisted sources, we found a number of domains related to the massive WordPress campaign our team has been tracking for several years.

This campaign largely aims to redirect users to spam, malware and scam sites. Nearly all the domains listed below were present in siteurl/home database infections or in injections targeting wp_post content in WordPress environments.

To dig a bit deeper, we analyzed the top blocklisted sources for this ongoing campaign.

One prevalent theme that differed from previous years was the high prevalence of .ga (Gabon) and .tw (Taiwan) domains used in redirect campaigns. These top-level domains have become very popular among attackers due to a lack of active regulation and domain ownership restrictions.
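
A defender-side check for the two infection locations named above, added here as an example and not taken from Sucuri's report: it flags siteurl/home values and script sources in post content that point away from the site's own host. The sample rows, the hostname shop.example and the placeholder-host domains are constructed; wp_options and wp_posts are WordPress's default table names, and SQLite stands in for the site database.

```python
import re
import sqlite3
from urllib.parse import urlparse

EXPECTED_HOST = "shop.example"   # assumption: the site's legitimate hostname
WATCH_TLDS = (".ga", ".tw")      # TLDs the report singles out in redirect campaigns
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']?([^\"' >]+)", re.I)

def build_sample_db():
    """Constructed rows; table and column names follow WordPress defaults."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_content TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'https://shop.example');
        INSERT INTO wp_options VALUES ('home', 'https://placeholder-host.ga/x');
        INSERT INTO wp_posts VALUES (1, '<p>Spring sale</p>');
        INSERT INTO wp_posts VALUES
          (2, '<p>Hi</p><script src="https://placeholder-host.tw/a.js"></script>');
        INSERT INTO wp_posts VALUES
          (3, '<script src="https://shop.example/wp-includes/js/x.js"></script>');
    """)
    return db

def host_of(url):
    # Relative URLs have no hostname and yield an empty string.
    return (urlparse(url).hostname or "").lower()

def audit(db, expected_host=EXPECTED_HOST):
    """Return (kind, location, host) findings for URLs that leave the site."""
    findings = []
    # 1. siteurl/home must point at the site's own host.
    for name, value in db.execute(
            "SELECT option_name, option_value FROM wp_options "
            "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name"):
        if host_of(value) != expected_host:
            findings.append(("option", name, host_of(value)))
    # 2. Script tags in post content that load from another host.
    for post_id, content in db.execute(
            "SELECT ID, post_content FROM wp_posts ORDER BY ID"):
        for src in SCRIPT_SRC.findall(content):
            host = host_of(src)
            if host and host != expected_host:
                kind = "watch-tld" if host.endswith(WATCH_TLDS) else "external"
                findings.append((kind, post_id, host))
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_db()):
        print(finding)
```

An "external" finding is not proof of infection, since legitimate sites embed third-party scripts; it is a list of hosts to review against what the site owner knowingly installed.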


SEO spam accounted for 34.45% of the infected websites scanned with SiteCheck in 2021. Since this number was so significant, we dug a bit deeper to break down the types of spam found on these compromised environments.

Our analysis of the top ten SEO spam signatures for SiteCheck revealed several prevalent themes.

Unsurprisingly, the most common theme was pharmaceuticals, with 28.03% of SEO spam content found to be related to themes like Viagra and Cialis. This indicates that despite the long legal battles fought by pharmaceutical companies against spammers, knock-off drugs continue to be an important source of revenue for attackers.

A large share of signatures also related to Japanese SEO spam (22.13%). These ongoing Japanese SEO spam campaigns pollute victims’ website search results with knock-off designer goods.


At its core, maintaining security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall (WAF) to filter malicious traffic.

Check out the full hacked website report to get the whole story on our 2021 research and remediation analysis!


