SiteCheck Website Malware Trends: Mid-Year 2023 Report


Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues.

While remote scanners may not provide as comprehensive a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications.

Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month.

In this report, we’ll be analyzing data from the first half of the year to identify the most common malware infections found by SiteCheck. We’ll also provide examples to help webmasters understand how to identify malware in their own environments.


  • 📊 In the first half of 2023, SiteCheck scanned 54,743,804 websites, detecting 628,085 infected sites and 851,164 sites with blocklisted resources.
  • 🛡️ Injected malware and redirects were the most common infections, with SocGholish accounting for over 17.66% of injections.
  • 🧩 SocGholish is a significant malware strain, redirecting visitors to fake updates and serving as a first stage in ransomware attacks.
  • 👾 NDSW malware, a variant of SocGholish, was the most prevalent, injecting malicious scripts into every .js file on hacked websites.
  • 🔧 Balada Injector, another malware campaign, injected obfuscated scripts into legitimate .js files, redirecting visitors to scams and ads.
  • 🔒 SEO spam, affecting 267,416 websites, often includes unwanted keywords, spam content, and malicious redirects.
  • 👁️‍🗨️ Japanese spam was the most common SEO spam category, polluting search results with keywords for knock-off brands.
  • 💳 Credit card skimming malware, like MageCart, affected 4,614 websites, mainly through malicious JavaScript pretending to be Google Analytics.
  • 📣 Unwanted ads were found on 11,487 infected sites, often used to track user behavior and generate commissions.
  • 🖼️ Defacements, which change a website’s appearance, were found on 5,316 sites and are typically carried out for political or destructive purposes.
  • 🚫 Blocklisted resources were detected on 113,679 sites, with domains from Balada Injector and SocGholish being most prevalent.
  • 🔐 Common hardening recommendations include implementing a Content Security Policy (CSP), X-Frame-Options, a web application firewall (WAF), and Strict Transport Security, and redirecting to HTTPS.
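
The hardening items in the last bullet that are visible in HTTP responses can be audited offline from captured headers. The following is an added example, not code from the report or from SiteCheck. The function name, the sample headers and the `example.com` URL are constructed for illustration, and the WAF item is left out because its presence cannot be confirmed from response headers alone.

```python
import re

def audit_hardening(https_headers, http_status, http_location):
    """Return a list of missing hardening items from the report's list.

    https_headers: response headers of the HTTPS page (any key casing).
    http_status / http_location: status code and Location header returned
    for the plain http:// URL of the same site.
    """
    h = {k.lower(): v.strip() for k, v in https_headers.items()}
    findings = []

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP: header missing")

    # Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("X-Frame-Options: missing or invalid value")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not m:
        findings.append("Strict Transport Security: header missing")
    elif int(m.group(1)) == 0:
        findings.append("Strict Transport Security: max-age=0 disables it")

    redirected = http_status in (301, 302, 307, 308) and \
        (http_location or "").lower().startswith("https://")
    if not redirected:
        findings.append("HTTPS redirect: http:// does not redirect to https://")
    return findings

# Constructed sample responses (not taken from the report).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {
    "X-Frame-Options": "ALLOWALL",  # not a valid value
    "Strict-Transport-Security": "max-age=0",
}

if __name__ == "__main__":
    print(audit_hardening(HARDENED, 301, "https://example.com/"))
    for line in audit_hardening(WEAK, 200, None):
        print(line)
```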