Advisory 6

TLP Rating: White

Website Defacement

CERT Vanuatu and the Office of the Chief Information Officer (OGCIO) provide the following advisory.
This is to advise all web host users, managers and business houses in Vanuatu that CERT Vanuatu has identified cases of website defacement. The website defacers call themselves “Phenix-TN & Mr. Anderson”, as shown below in Figure 1:

 

 

Figure 1: Website Defacement - Hacked by Phenix-TN & Mr. Anderson
 

 

What Happened?

Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. It is similar to drawing graffiti on a wall, only it happens virtually as a kind of electronic graffiti and is a form of vandalism. The website’s appearance changes: pictures and/or words are scrawled across the defaced website.

These are typically the work of defacers (Security hackers), who break into a web server and replace the hosted website with one of their own. Attackers may have different motivations when they deface a website. Political motivation is one, which is often used to spread messages by “cyber protesters” or hacktivists.

Other attackers may choose to deface a website for fun – to mock site owners by finding website vulnerabilities and exploiting these to deface a website. The most common method of defacement is using SQL Injections to log on to administrator accounts. Although website defacement is harmless, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware or deleting essential files from the server.

In both cases, website owners face damages to their business and reputation once their sites are defaced.

Does It Affect Organisations and Users?

Consequences of website defacement can vary. It is also a scary thought to know that your website is vulnerable to online threats. Here are some consequences a company may face after its website has been attacked.

  • Potential data breach: Because web defacement is naturally noticeable, some hackers use it as a form of diversion. With everyone’s attention focused on the defacement, these hackers could then carry out more sinister activities without getting detected immediately. For instance, they could steal sensitive information, install malware, perform privilege escalation or carry out other nefarious acts.
  • Losing customers: Your visitors may be redirected to sites teeming with malicious code. They might be prompted to download malware onto their system, or it may download itself undetected. In such cases, your regular and new visitors may be concerned about visiting your page in the future and you can potentially lose customers.
  • Impact on PageRank and traffic: Search engines rank your website according to a number of different factors. A higher-ranking website comes up first in the results of a search query. If your defaced website is flagged or identified as causing harm to its users, a search engine such as Google might add you to its blacklist. This means that you can lose up to 95% of website traffic that could be gained from Google search results.
  • Effect on brand image: Internet users worry about safety during their online experiences. If they feel you have failed to establish security measures on your website, they automatically conclude that you are either completely negligent in securing your website or are extremely ignorant about information security challenges and threats. Such conclusions can be devastating for your image as a corporation.

Mitigation Process

  1. Security audits and penetration testing: Hackers often try to exploit vulnerabilities that are not patched properly. Known examples include using open ports to connect to the server without logging on, executing malicious code over an open legitimate connection, and using a buffer overflow to import malicious code that executes in the security context of the system on the server. Regular audits and penetration testing are helpful in evaluating the security of an IT infrastructure (operating systems, service and application flaws, improper configurations, or risky end-user behaviour) and better protecting the system.
  2. Defend yourself against SQL injection attacks: SQL injection attacks involve the use of SQL statements inserted into data entry fields in order to affect the execution of predefined SQL statements. With the modified SQL statements, attackers may be able to tamper with existing data, destroy data in the system, or even extract the entire database of the system.
  3. Defend yourself against Cross-site Scripting (XSS) attacks: Cross-site scripting occurs when an attacker passes scripting code into a web form in an attempt to run unauthorized code on the website. It allows attackers to embed scripting code in the webpage that can perform a variety of unauthorized actions, including changing the appearance of the webpage, stealing session cookies of other users of the website, or serving as a means to mount XSS attacks on other websites.
  4. Use defacement monitoring and detection tools: Web attacks leave companies little time to react and perform damage control after an incident. Defacement monitoring and detection tools are one of the best solutions to monitor any defacement or unauthorized integrity change in the websites. These are some of the most used monitoring and detection tools: Banff Cyber’s WebOrion Defacement Monitor, Site24x7 and Nagios. Careful evaluation and configuration of the tools to detect both full and partial defacements involving HTML as well as linked images, scripts and stylesheets are important to ensure an effective tool is in place.
  5. Prepare to respond to defacement incidents: What do we do when our website is defaced? A good detection tool only tells you when your website is defaced but not the action that is to be taken. It is therefore important to put in place a set of incident response procedures, and ensure that you have the right personnel to respond to a web defacement. The technical response team will likely involve the security manager, webmasters/web developers and the web server team. It may also be important to have corporate communications prepare a public message to preserve the web reputation of the company.
    In addition, companies can prepare a maintenance page. The Restorer is able to create a secured replica of the website that does not contain similar vulnerabilities to the defaced server. The Restorer allows continued web presence for the organization while the main web server is being looked at. In short, make an action plan for handling the restoration process that will shorten the time for recovery. If web defacement happens, the WebOrion Restorer will assist with the recovery, reducing the loss of data, time and money for the organisation.
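To illustrate mitigation step 2, the following added example (not part of the original advisory) shows a login check built by string concatenation next to the same check written with a parameterized query. The table layout, function names, fixed salt and sample input are assumptions constructed for the illustration.

```python
import hashlib
import sqlite3

SALT = b"constructed-salt"  # one fixed salt keeps the example short; use a per-user salt

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """Constructed in-memory user table holding one administrator account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hash_password("correct horse battery")))
    return db

def login_vulnerable(db, name, password):
    # WEAK: form values are pasted into the SQL text, so a quote character in
    # `name` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND pw_hash = '" + hash_password(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, name, password):
    # FIXED: placeholders send the values separately from the statement, so
    # they are only ever compared as data and cannot change the query.
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, hash_password(password))).fetchone() is not None

# Constructed form input: the trailing comment marker removes the password check.
INJECTED_NAME = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable accepts injected name:", login_vulnerable(db, INJECTED_NAME, "x"))
    print("parameterized accepts injected name:", login_safe(db, INJECTED_NAME, "x"))
    print("parameterized accepts real password:",
          login_safe(db, "admin", "correct horse battery"))
```
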

How do I Stay Safe?

Here are general, minimal tips and advice from CERT Vanuatu as precautionary steps:

  1. Do not click on any email attachment or links provided in emails, social media platforms or websites that you are not familiar with.
  2. Apply security updates and patches and stay up to date with the latest system versions.
  3. Report the incident to CERT Vanuatu.
  4. Share the advisory and precaution steps among users in your organization and communities for awareness purposes.
  5. For more information and safety and awareness tips, see Online Advisories and Alerts.

Best advice:
Website defacement can result in damage to a site’s reputation, loss of valuable information and user privacy, loss of money and loss of time. Hence it needs to be prevented before it happens. To conclude, keep these tips in mind:

  1. Keep software up to date
  2. Watch out for SQL injection
  3. Protect against XSS attacks
  4. Beware of error messages
  5. Validate on both the browser and the server side
  6. Check your passwords
  7. Avoid file uploads by users
  8. Use HTTPS
  9. Get website security tools

Finally, prepare a backup copy that can be used in the event that a defacement occurs, and install a monitoring service from companies that have expertise in the area, so that a defacement can be detected and restored quickly to reduce any incurred losses.
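The integrity check behind mitigation step 4 and the backup advice above can be sketched as follows. This is an added example, not part of the original advisory and not the code of any tool it names: it hashes a page together with its linked images, scripts and stylesheets and compares the result with a known-good baseline, so that a partial defacement that leaves the HTML untouched is still reported. The `fetch` callable, the function names and the sample site are assumptions constructed for the illustration.

```python
import hashlib
from html.parser import HTMLParser

class AssetLinks(HTMLParser):
    """Collects the images, scripts and stylesheets a page pulls in."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self.links.append(a["href"])

def fingerprint(page, fetch):
    """Hash the page and each linked asset. `fetch` is an assumed callable
    (path -> bytes, or None if absent); in production it would be an HTTP GET."""
    html = fetch(page) or b""
    parser = AssetLinks()
    parser.feed(html.decode("utf-8", "replace"))
    digests = {}
    for path in [page] + parser.links:
        data = fetch(path)
        digests[path] = hashlib.sha256(data).hexdigest() if data is not None else None
    return digests

def compare(baseline, live):
    """Return (change, path) pairs between known-good and live fingerprints."""
    changes = []
    for path in sorted(set(baseline) | set(live)):
        if path not in live:
            changes.append(("removed", path))   # no longer referenced by the page
        elif path not in baseline:
            changes.append(("added", path))     # newly referenced asset
        elif baseline[path] != live[path]:
            changes.append(("modified", path))  # content differs from baseline
    return changes

# Constructed known-good copy of a small site (for example, taken from the backup).
GOOD = {
    "/index.html": b'<link rel="stylesheet" href="/site.css"><img src="/logo.png">'
                   b'<script src="/app.js"></script><h1>Welcome</h1>',
    "/site.css": b"body { color: #000 }",
    "/logo.png": b"constructed-logo-bytes",
    "/app.js": b"console.log('ok')",
}
```

Pages with dynamic content hash differently on every request, so a check like this fits static pages and assets or needs the dynamic regions excluded before hashing.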

  1. Download advisory (English): Email Scam Alerts - Advisory
  2. Download advisory (French): Défacement
  3. Download advisory (Bislama): Websaet Atak