Digital Vandals: Exploring the Methods and Motivations behind Web Defacement and Hacktivism
Activists have traditionally used physical signs and catchy slogans to promote their agenda, but many have since moved online to reach a significantly broader audience. Some of these online vandals subvert and deface websites to push a specific message, and others put forward political ideas in an act generally known as “hacktivism”. Our study shows samples of these web defacements that date as far back as 1998, most of which were triggered by specific political events, targeting a variety of different websites.
We saw powerful geopolitical events triggering these web defacements and how political beliefs and the defacers' religious inclination factor into the attacks. The defacers use different methods of hacking to compromise websites—from exploiting file inclusion vulnerabilities to simply stealing passwords from the administrator. We analyzed 13 million website defacements collected from five independent data sources to gain deeper insight into these actors and their methods.
The data we analyzed was aggregated from reports submitted to various defacement archives by the defacers themselves, along with shared initiatives, CERTs, and even data on the victims. It was collected over multiple countries, from 1998 to 2016. In terms of targets, this overview shows the different systems and servers that defacers targeted the most.
The metadata that the defacers voluntarily provided (which we cannot validate) shows that attackers leverage a wide range of vulnerabilities to compromise websites, listing over 30 different methods. Attackers typically compromised sites through common vulnerabilities such as local file inclusion, SQL injection and password guessing. Some other notable methods mentioned include server intrusion attacks, social engineering, URL poisoning, and the use of man-in-the-middle attacks to access credentials.
We also found that defacers voluntarily leave contact information on the defaced site, which is not typical of other cybercrimes. We found that they used email and Twitter as primary forms of advertisement, with 25% (email) and 8% (Twitter) of pages displaying at least one of these. In fact, 6% of the pages had multiple contact email addresses. It seemed like these hacking groups were promoting themselves along with their slogans and political messages.
Streaming media left on defaced websites is another interesting aspect of propaganda-driven attacks, usually in the form of visuals or songs playing in the background. We found that 32% of the defacements had embedded a URL referencing either a streaming service provider (like YouTube) or an audio file hosted on an external resource.
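For responders triaging a defaced page, the artifacts described above (contact email addresses, Twitter handles, and references to external streaming or audio resources) can be pulled out before the page is restored. The following is an added example, not code from the study: the regular expressions, the host and extension lists, the `triage` function, and the sample page are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators chosen for this example, not the study's own rules.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
TWITTER_RE = re.compile(r"(?:twitter\.com/|(?<![\w.@])@)([A-Za-z0-9_]{1,15})\b")
STREAMING_HOSTS = ("youtube.com", "youtu.be", "soundcloud.com")
AUDIO_EXTS = (".mp3", ".ogg", ".wav", ".m4a")

class DefacementArtifacts(HTMLParser):
    """Collects contact details and external media references from one page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.emails, self.twitter, self.media = set(), set(), set()

    def _scan_text(self, text):
        self.emails.update(m.lower() for m in EMAIL_RE.findall(text))
        # Blank out emails first so "user@host" is not read as a handle.
        stripped = EMAIL_RE.sub(" ", text)
        self.twitter.update(h.lower() for h in TWITTER_RE.findall(stripped))

    def handle_data(self, data):
        self._scan_text(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in ("src", "href", "data"):
                continue
            self._scan_text(value)  # catches mailto: and twitter.com links
            parsed = urlparse(value)
            host = (parsed.hostname or "").lower()
            if not host or host == self.site_host:
                continue  # relative or same-site resource, not external
            streaming = any(host == h or host.endswith("." + h) for h in STREAMING_HOSTS)
            if streaming or parsed.path.lower().endswith(AUDIO_EXTS):
                self.media.add(value)

def triage(html, site_host):
    p = DefacementArtifacts(site_host)
    p.feed(html)
    p.close()
    return {"emails": sorted(p.emails), "twitter": sorted(p.twitter), "media": sorted(p.media)}

# Constructed sample page; all names and hosts are placeholders.
SAMPLE_PAGE = """<html><body bgcolor="black"><h1>Hacked by ExampleCrew</h1>
<p>Contact: crew@example.org / second@example.net - follow @example_crew</p>
<a href="https://twitter.com/example_crew">twitter</a>
<iframe src="https://www.youtube.com/embed/VIDEO_ID?autoplay=1"></iframe>
<embed src="//media.example.net/anthem.mp3" autostart="true">
<img src="/images/logo.png"></body></html>"""
```

Calling `triage(SAMPLE_PAGE, "victim.example")` returns the sorted emails, handles and external media URLs found on the page; resources hosted on the affected site itself are ignored.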