Plugin prevalence on infected vs. normal WordPress sites

Our research team recently completed a study that examined the popularity of certain plugins on infected WordPress sites. This particular study didn't yield a statistical difference between plugin distributions on infected WordPress sites and the general population of WordPress installs. However, our team noted that a previous study of theirs (not for StopBadware), using data from other compromised websites, did show a difference. In that prior study, they also found a statistically different distribution of plugin versions compared with their control set. They believe more data would likely yield similar results.

Credit: Marie Vasek, StopBadware's operations technologist, and our intern John Wadleigh (both SMU students). The dataset used in this study comprised 86,899 unique URLs, of which 3,254 contained at least one of the relevant plugins. A large part of this dataset comes from StopBadware's Data Sharing Program.

DDoS targets in the Bitcoin ecosystem

Posted on February 27, 2014 by ccondon

StopBadware focuses on Web-based malware, but one of our strengths is that we work with a diverse community of security experts whose areas of expertise often extend beyond our own. Our friends and research contacts at SMU are presenting a paper at Financial Cryptography 2014's Bitcoin research workshop in Barbados next week; they'll be discussing empirical analysis of denial-of-service attacks in the Bitcoin ecosystem. 

They've made some interesting findings on changes in Bitcoin DDoS targets over time: "We find that 7% of all known operators have been DDoSed, but that currency exchanges, mining pools, gambling operators, eWallets, and financial services are much more likely to be attacked than other services." Currency exchanges and mining pools are also "much more likely to have DDoS protection such as CloudFlare, Incapsula, or Amazon Cloud." (Full paper here.)

Bitcoin DDoS targets over time

Research courtesy of Southern Methodist University's Marie Vasek (who doubles as StopBadware's operations technologist), Micah Thornton, and Dr. Tyler Moore. If you're attending FC '14, be sure to check out their talk next week! 

Why do users ignore malware warnings?

Posted on February 26, 2014 by ccondon

At StopBadware, it's important to us to measure how different parts of the Web are responding to malware. One of the ways we do this is to look at data about users who ignore malware warnings. For instance: what kinds of content do Web users most often insist are not malicious? 

The following is a breakdown of the top kinds of sites for which Firefox users clicked through "Reported attack site" warnings in 2013. 

Content for which Web users most often ignore malware warnings

(Note: There are about 30 sites included in this data. Percentages are not representative of all Firefox users who clicked through malware warnings last year—only users who clicked through warnings for the top sites that referred traffic to StopBadware.)

Background: Firefox's link to StopBadware is a two-step process: a user must click "Ignore" on a warning and then click a separate button on a toolbar Firefox displays at the top of websites blacklisted by Google. The toolbar button says, "This isn't an attack site." When clicked, it prompts Firefox to redirect those users to StopBadware's landing page.

It's also worth noting that a number of the sites represented in this chart were later found to have been compromised via infected ad networks. This is one of the reasons malvertising is so insidious: it's one of the most common ways big, high-traffic sites are compromised...and users are much more likely to ignore warnings for popular sites with which they're familiar.