Among the most common types of internet attacks is web defacement, where an attacker changes a victim's website to post a message. How are web defacements conducted and are there common trends? Those are some of the questions that a new study released on Jan. 22 by Trend Micro examines.
The 64-page report analyzed data from 13 million website defacements that occurred over an 18-year period from 1998 to 2016. The data was aggregated by Trend Micro from five data sources using machine learning technology to correlate and identify long-term trends as well as threat groups.
"Based on the available evidence, Trend Micro can confidently group various defacements into operations and threat actors," Mark Nunnikhoven, vice president of cloud research, told eWEEK. "Defacements are an outlier within the cybercrime world, as most groups responsible are quick to claim responsibility and state their motivations."
According to Trend Micro’s research, the majority of website defacements occurred on sites using the open-source Apache web server running on the Linux operating system. The preponderance of Linux and Apache is not a function of any particular vulnerability present in those systems.
"The fact that the majority of defaced sites were running Apache on Linux is a function of the market share of that combination in most hosting platforms," Nunnikhoven said.
Looking at the specific mechanics of web defacements, Trend Micro's study found that attackers are using common attack vectors, including SQL injection and password stealing, to gain access to victim websites. According to the report, the most common attack vector used in web defacements were file inclusion vulnerabilities.
"Manipulating PHP code to include a specific file and gain a foothold on the web host was a very common and simple attack to execute," Nunnikhoven said.
Nunnikhoven added the timeline of the Trend Micro report covers the height of PHP framework popularity, which provided a large target base for file inclusion attacks.
According to Trend Micro's researchers, some website defacer attackers look for "low-hanging fruit" to perform mass defacement attacks. In such campaigns, attackers often automate their attacks once they find a vulnerable platform and quickly sweep the web for the same targets. The researchers added that a lot of mass defacers use the Metasploit penetration testing framework, with some groups creating custom scripts, based on Metasploit or other hacking tools, to fit their operational needs.
While some defacement attacks are simply about getting across a political message, the Trend Micro researchers found an increasing trend of defacements that also include malware. While, defacements that occurred in the early 2000s typically had no malware inclusions, the researchers noted that nearly 15 percent of web defacements in more recent years included a malware component.
What Should Users Do?
While website defacements are an all too common occurrence, there are several things that organizations can do to mitigate risk.
"Patching is absolutely the most effective technique that site owners can use," Nunnikhoven said. "Additionally, site owners should protect their access credentials, have a strong, automated backup process and regularly scan their sites for unauthorized changes."
Many of the defacements identified by Trend Micro were driven by politically motivated hactivist groups. Political sites are often the top way organizations get their message out, which is what makes them tempting targets for hacktivists and cyber-criminals, Nunnikhoven said.
"Organizations should take every reasonable step to protect themselves against these threats," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.