How did SiteGround detect the attack?
Posted: Wed Dec 18, 2024 6:49 am
In mid-June we launched our updated Site Scanner service. Little did we know then that we would soon see the new functionality in full action. Just a few months after the update, Site Scanner saved thousands of WordPress sites from a well-disguised attack that aimed to redirect traffic to fake sites via a rogue plugin called Zend Fonts. Imagine the damage to reputation and business that an attack like this could have caused, and read how our hero Site Scanner saved the day.
How does the “Fake Zend Plugin” work?
The attack involved uploading an infected fake plugin called Zend Fonts through a backdoor. Once uploaded, the infected plugin redirected site visitors to fraudulent sites without the site owner suspecting it. The uploaded plugin file looks like this:
}
All of these factors make the attack virtually invisible to site owners/editors, while normal visitors would be redirected to fraudulent sites. This trick could easily result in significant sales losses, reputational damage, and other harms such as poor search engine rankings and more.
How did SiteGround detect the attack?
Our system administrators monitor the load and behavior of our servers 24 hours a day. Shortly after this exploit was released, we observed an abnormally high number of malicious files detected by our Site Scanner malware detection service. Our system administrators investigated further and detected a pattern: there was an attempted mass upload of Zend Fonts plugins that affected around 2000 of our clients' WordPress installations at the time.
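The cross-site pattern described above can be surfaced by grouping scanner detections by plugin directory and counting distinct sites within a time window. This is an added example, not SiteGround's code; the event format, the `zend-fonts` directory name, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample scanner events: (timestamp, site, path flagged as malicious).
EVENTS = [
    ("2024-09-10T02:00:05", "site-a.example", "wp-content/plugins/zend-fonts/zend-fonts.php"),
    ("2024-09-10T02:03:11", "site-b.example", "wp-content/plugins/zend-fonts/zend-fonts.php"),
    ("2024-09-10T02:07:40", "site-c.example", "wp-content/plugins/zend-fonts/zend-fonts.php"),
    ("2024-09-10T02:09:02", "site-d.example", "wp-content/plugins/zend-fonts/zend-fonts.php"),
    ("2024-09-10T02:09:30", "site-a.example", "wp-content/plugins/zend-fonts/zend-fonts.php"),
    ("2024-09-10T05:30:00", "site-e.example", "wp-content/uploads/2024/09/shell.php"),
    ("2024-09-09T11:00:00", "site-f.example", "wp-content/plugins/old-gallery/inc/cache.php"),
    ("2024-09-10T23:00:00", "site-g.example", "wp-content/plugins/old-gallery/inc/cache.php"),
]

def plugin_slug(path):
    """Return the entry directly under wp-content/plugins/, or None for other paths."""
    parts = path.strip("/").split("/")
    for i in range(len(parts) - 2):
        if parts[i] == "wp-content" and parts[i + 1] == "plugins":
            return parts[i + 2]
    return None

def mass_upload_alerts(events, window=timedelta(hours=1), min_sites=3):
    """Map plugin slug -> peak number of distinct sites hit inside one sliding window.

    Only slugs reaching min_sites are returned, so an isolated infection on one
    site (or a repeat attempt against the same site) does not raise an alert.
    """
    by_slug = defaultdict(list)
    for ts, site, path in events:
        slug = plugin_slug(path)
        if slug:
            by_slug[slug].append((datetime.fromisoformat(ts), site))
    alerts = {}
    for slug, hits in by_slug.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sites = {site for _, site in hits[start:end + 1]}
            if len(sites) >= min_sites:
                alerts[slug] = max(len(sites), alerts.get(slug, 0))
    return alerts

if __name__ == "__main__":
    print(mass_upload_alerts(EVENTS))
```

Counting distinct sites rather than raw detections keeps one noisy tenant from triggering a platform-wide alert.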
How does Site Scanner protect sites on its own?
Typically, in attacks like the one on Zend Fonts, for sites with Site Scanner Basic, reports are received in less than 24 hours after the malware is detected (right after the scheduled daily scan) and for those with Site Scanner Premium, an alert is received immediately after the upload attempt, giving our customers the opportunity to react quickly and remove the malicious files before they can cause any damage.
Additionally, for sites with Site Scanner Premium where quarantine is enabled, the files never reach the attacked sites. They are safely quarantined for site owners to review and delete when convenient. Quarantine effectively stops the attack and protects sites from malicious hacking attempts, and the resulting business and reputational impact from them. And the best part: site owners don't have to do anything.
Using Site Scanner data to protect all customers
Once our system administrators detected that the Zend Fonts plugin upload was not a one-time occurrence, but was happening platform-wide, they removed all malicious files from our servers. Additionally, our security engineers added a new rule to our Web Application Firewall (WAF) to prevent future attacks on other WordPress sites hosted with us.
We’re really excited to see how our Site Scanner service is actively protecting sites from a variety of really bad attacks. For massive, large-scale attacks, like the Zend Fonts plugin, Site Scanner helps us spot a pattern and take action to protect all of our customers by implementing WAF rules or improving our monitoring system. While this is something we’ll continue to do, updating a platform-wide system takes a while and won’t include smaller, site-specific malware attacks. If you want to have early and comprehensive malware detection for your site, we recommend activating one of our Site Scanner plans. And if you’re looking to not only detect malware attacks but also proactively stop them, get the Premium Site Scanner with Quarantine enabled.
To celebrate the success of Site Scanner, this #CyberSecurityMonth we are offering 3 months free for any new activation of Site Scanner (both Basic and Premium) until the end of October.
Daniel Kanchev