Why sucuri.net does NOT work (and other scanners as well)
Why sucuri.net and other scanning software / websites are useless and why they might even be dangerous? Because your website may still have malware or spam injected and you may think you are virus or malware free and the opposite is true. You might be providing the dark net with new emails to spam or even credit card data stolen from your customers and not even know it.
I did a case study where both sucuri.net and google diagnostic did NOT throw up any warning about a website which had been infected with a spam injector. This is NOT uncommon. Many scanners do not scan every page and every link and even if they do they can still miss spam.
Why ANTI-Virus Scanning often doesn’t work…
New viruses and other types of malware are created every day (probably every second) and scanning for potential threats depends on the software that is doing the scanning knowing about the evil script already or at least knowing how the baddie might go about doing it.
So to really be effective the Anti-virus people have to already KNOW about the virus. They have to lurk in the shadows, maybe hang out in forums where the hacker is bragging about his newest accomplishment and get the details. I am not kidding, anti-virus companies actually hire people for this and there has often been accusations that these companies actually pay the creators of the bad stuff to give them copies or to create naughty stuff for them.
Obviously you can see how this approach might not work. What about the hacker who is so busy making malware, he doesn’t have time to brag? What if the malware is hidden and users do not notice there is something bad in there. What if the hacker is spying and being clever enough not to do anything obvious, just waiting for the moment to score big.
Let me give an example in a slightly different but similar area… bank accounts.
My husband used to be one of those guys who barely looked at their own bank account. As long as the balance seemed close to what he thought it was, he didn’t really examine the details. I am a bit pedantic and usually go over every account and bill with a fine toothed comb. It is scary how many “mistakes” I find. Oyster cards are the worst and over charged users over £60 million in 2013
He bumbled along quite happily until one day his debit card was declined because a sale for first class airline tickets totalling almost three thousand had been approved for his card, though the purchase was in America while he was here in London.
I asked him, “if they could do that, what else could they have done?” and proceeded to go over previous bank statements with him. It turned out that “they”, whoever “they” were, had been taking out small amounts for over 6 months before they decided to try their luck with this particular purchase. Starting off very small and getting bigger and bolder let them know that someone wasn’t watching and that gave them all the info they needed.
This does not just happen with bank accounts, it is very common with computers, phones, and of course websites. There are literally millions of computer infected that work as Zombies for underworld organisations or individuals with no good intentions.
So if you are a smart hacker, you only have to lie low and write good code that doesn’t throw up too many bugs so users don’t suspect anything. Then you can do all sorts of things:
- Steal data of members or users
- Use the website to send spam emails
- Use it to attack other websites
- Download malware onto your website users computer to log keyboard strokes to get passwords or even tap into the built-in webcam on your laptop to take videos without you knowing
Now does this mean you don’t scan your website? Of course not, you would be mad not to at least check but don’t depend on the information that you are virus free to be correct. Take every precaution possible to protect yourself starting with making your password difficult to hack. Think you have a hard one? Now read this article
Most hacker crack passwords but others find vulnerabilities in popular platforms, plugins and servers. The best way to do this is to NOT use free hosting or cheap hosting. How can they afford the right security? They can’t. But getting better hosting means nothing if you are not updating your site regularly as well. If you are serious about your business and have not updated your site in 6 months, then you are not really serious about your business. Getting a professional to manage your website is the best answer. You can never be too paranoid about security.