What is website defacement?


Imagine you open your company’s website one day only to find a scary image of a skull, a monster or the like instead of the organization’s normal content. At first you will be scared and embarrassed at the same time, not believing what you have just seen. It gets worse if you are the website administrator.

What just happened to the website and who did it? Well, what just happened is that the website got defaced, and hackers did it. What is this about and why has it been directed at your company? All these questions will ring in your mind as you try to come to terms with the mess.

Let’s understand this attack in detail and what to do. 

Meanwhile, if you are an IT professional in charge of managing client websites, you need to be careful because you could potentially be held liable for attacks like website defacement. Learn more about cyber attack liability for IT professionals. Closely related to this is cybersecurity insurance.

What is website defacement?

Website defacement is a form of website vandalism where attackers find a vulnerability that allows them to get into the website’s backend. Once in, they modify the contents of the website and make it entirely different, often replacing some parts of the content or the entire content with their own as they wish.

Imagine someone coming and drawing graffiti on the walls of your immaculately painted house. Now imagine the same kind of scenario on your website: all the text and images may be distorted or not appear at all. In their place, the attacker may put weird graphics and unreadable text, or images and videos that are completely unrelated to the business.

Unlike most other forms of cyber attacks, where the attackers are keen to make some gain or destroy your digital assets completely, the attackers behind website defacement are driven by the urge to pass a message and embarrass the organization that owns the website. This is why it's common for defacement attacks to reveal the group behind the attack, and the motive.

For some reason, most hackers tend to use the same style of messaging to announce that the website has been hacked. So in addition to the embarrassing content, they are likely to leave such messages:

  • «Hacked by ……»

  • «Your website has been hacked by»

  • «YOU GOT HACKED»

Some hackers can post more detailed messaging, often bordering on jokes and mockery. 

Something like this:

  • «Stay happy always, keep smiling, and you will be rewarded abundantly in future»

  • “I know you thought your website is secure but look at you now :)”

Others will leave their contacts so they can help you get back to normal. Something like this:

  • “I hacked your website to expose some vulnerabilities. Don’t panic. Just contact me via xxxxx@.....com. Trust me you can’t find the vulnerability by yourself so don't waste time trying to troubleshoot. Let’s save time, mate!”

Not even websites of powerful institutions are spared in the defacement arena! In 2010, for example, the website of the presidency of the European Union was defaced. The hackers replaced the image of the then EU president Mr. Jose Luis Rodriguez Zapatero with that of Mr. Bean actor Rowan Atkinson. In this embarrassing defacement, the attackers exploited a cross-site scripting vulnerability. Visitors to the website were met by a smiley face of Mr. Bean with the greeting «Hi there».

What motivates website defacement?

A person performing website defacement is basically an attacker motivated by some factor. It could be personal (i.e. they have a score to settle with the owner of the website), ideological (i.e. they are driven by a certain frame of mind, for example an urge to attack businesses as a show of rage towards profit making), political (i.e. to discredit competitors), business competition (i.e. to reduce the market share of a competitor), etc.

Let’s dig a little deeper into some of the common motivations:

Advertising

Believe it or not, some attackers will deface a website simply because they want to advertise their products or services. 

And when you think about it deeply, you can clearly see the motivation. Think of a website that receives hundreds of thousands of visitors per day. Can you imagine the huge visibility the attacker's product/service can get even if the advertisement manages to run for one or two hours!

Hacktivism

These types of attackers are driven by the need to pursue a cause that is fundamental to them. However, in such cases, the cause would normally be extreme, for example religious fundamentalism or conspiracy theorists who want to push an agenda.

Civil disobedience

The motive here is to punish authorities, mostly governments. In these cases, the defacement would be targeted at government web assets like the website of a ministry or some authority, etc.

Political

The attackers want to amplify a political opinion. A good example is when the campaign website of former president of the United States Donald Trump was defaced by people who simply did not agree with him.

Hooliganism

The attackers are probably hired by an entity that considers itself an enemy of the organization. They simply want to bring the business down and in the age of technology, a website is a key target to achieve this nefarious goal.

More motives include:

  • Awareness: The hackers want to raise awareness of the site's vulnerabilities so that the owners take note and take steps to improve security

  • Extortion: Attackers may want monetary reward

The motive is not always negative, though. Some attackers carry out website defacements simply because they want to get a kick out of it. They just want to have fun by basking in the glory of having found loopholes in websites that owners thought were super secure. The drive here is to mock the website owners. See, I found a vulnerability on your website. How come you didn't see it?

Some companies have even had cases where their own website administrators deface the very websites they manage as a form of protest against something they do not like in their place of work.

Website defacement attack damage

The most immediate repercussion of website defacement is reputational damage. As soon as users come to the website and find that it's been defaced, they begin to have mixed feelings about the organization. 

The automatic feeling is that the organization is not serious. Because not many users possess technical expertise, very few will understand that defacement can happen even to the most secure websites. It only takes one key vulnerability and the hackers will have their way.

Once defacement happens, these are the consequences that befall the victim organizations: 

Loss of customer trust

The customers who interact with your business through the website will be shocked to come and find strange content on the site. Think about what will go through their mind.

The defacement will scare them, and the majority are going to get worried about their own safety in terms of personal and financial data. They will think the company is not committed to the security of their data. They will start to have a different image of the organization, starkly different from the confidence they used to have.

Employee morale will be dented

Perhaps apart from the technology team, who understand that anything can happen, the rest of the employees and stakeholders may find it awkward that the company's website has been defaced. They have pride in the company they work for; they stand tall among friends and family who know where they work.

With the defacement, they will doubt the company's focus on maintaining a clean image. This may lead to some being ashamed when handling customers. They will be like, «What will the customers think of this company». This feeling will definitely dent employee morale.

The website could get blacklisted by search engines

If you depend on search engines like Google and Bing to drive traffic to your website, they might blacklist your website if it remains defaced for long. This will mean that the website may not receive organic traffic for a long time to come. It’s because of this danger that we advise you to respond immediately when you encounter a defacement and get the website back to normal as soon as possible. The longer the defacement message remains on the website, the greater the risk of getting blacklisted.

If you are not able to reverse the defacement immediately, we advise taking the website offline completely as you work behind the scenes to get things back to normal. In the meantime you can display a maintenance message and promise users that you will be back online in the shortest time possible.

Revenue loss

If your organization generates its revenue directly from the defaced website, then you are definitely going to lose revenue during the duration the website remains defaced and offline as you undo the damage.

This is typical for eCommerce websites that handle real-time transactions, service websites where customers pay to access some services, apps and websites that generate revenue through advertisements, etc.

Besides the immediate revenue loss, you will also suffer long term revenue loss as a result of the customers or potential customers who may never again want to buy from your organization due to reputational damage.

Reversal work

After you discover the defacement, your technical team or managed IT service provider is going to embark on a rigorous clean-up job to reverse the defacement and bring the site back to normal. Depending on the extent of the damage, it could mean taking the entire site, or some sections of it, offline during this period.

During this period, you are going to have to communicate to users (customers), explaining what happened and when the website is likely to be back online. You will also need to carry out a detailed explanation to employees.

Depending on the extent of the defacement, this might be a lot of work and would probably cost you significant resources. 

Methods criminals use for website defacement

These are the most common methods that hackers are using to deface websites:

SQL injections

The attackers insert malicious SQL code into the queries the website sends to its database. To do this, they need to find an injection vulnerability that lets them alter what the database does on the website's behalf.

CMS vulnerabilities

Content management systems such as WordPress can have vulnerabilities which attackers can use to deface a website that is built on such platforms.

Web servers

This is a very deeply invasive method as it means the attacker has access to the server. They need to have possession of the credentials. Mostly, this method is exploited by people within the organization or those who work with the organization for example contractors. It also happens when attackers manage to steal credentials through means like data breaches. This is why strong access management measures are critical.

Third-party plugins

Many websites rely on plugins to get several things done. Unfortunately these plugins can be an easy entry for hackers who want to deface a website.

Preventing website defacement

As with all other types of attacks, there is a lot you can do to avoid the embarrassment of website defacement.

Ensure the source code is secure

Those who have interacted with the source code at some point can use that access to deface the website.

The most prominent example is ex-employees who leave the company with unsettled grievances. If such employees still have access to the source code, it's easy for them to deface the website. You can prevent this easily by revoking the access rights of all employees who leave the company. This procedure should be part of the company’s larger security policy.

Protect the database

Once attackers gain entry to databases, all they need to do is replace the contents there and their mission is accomplished.

  • Always ensure you have a backup in place. This will make it easy to get back online quickly

  • Have a strong password system, which includes securely storing the passwords and ensuring that employees use strong passwords that cannot be guessed easily

  • Constantly look out for vulnerabilities within the website and in servers

  • Keep a comprehensive log system so it's always easy to see any changes that have been made and by whom

  • Only authorized users should have access, and access levels should be clearly defined.
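The advice above to watch for changes, and the earlier advice to respond to a defacement immediately, both depend on noticing that files in the web root have changed. The following is an added example, not code from the article: a small file-integrity baseline that hashes every file under a web root into a manifest and later reports what was added, modified or removed. The directory layout, the excluded `cache` directory and the sample files in `run_demo()` are constructed for the demonstration.

```python
"""File-integrity baseline for a web root.

Added example (not code from the article): hashes every file under a web
root into a manifest, then reports what was added, modified or removed.
Paths, directory names and the sample files are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot: Path, exclude=("cache",)) -> dict:
    """Map each file's path (relative to the web root) to its digest.

    Directories that legitimately change all the time (a cache, for
    instance) are skipped so that routine activity does not drown alerts.
    """
    manifest = {}
    for path in sorted(webroot.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in exclude):
            continue
        manifest[rel] = hash_file(path)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; any non-empty list is a change to investigate."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    # Store the manifest outside the web root (ideally off the web server),
    # so whoever can write to the site cannot silently rewrite the baseline.
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def check_against_baseline(webroot: Path, manifest_path: Path) -> dict:
    """Recompute the manifest and report changes since the stored baseline."""
    baseline = json.loads(manifest_path.read_text())
    return compare(baseline, build_manifest(webroot))


def run_demo() -> dict:
    """Constructed scenario: baseline a small site, then simulate a defacement."""
    tmp = Path(tempfile.mkdtemp())
    try:
        webroot = tmp / "htdocs"
        (webroot / "js").mkdir(parents=True)
        (webroot / "cache").mkdir()
        (webroot / "index.html").write_text("<h1>Welcome to Example Corp</h1>")
        (webroot / "js" / "app.js").write_text("console.log('app');")
        (webroot / "about.html").write_text("<p>About us</p>")
        (webroot / "cache" / "page.tmp").write_text("cached")

        manifest_path = tmp / "baseline.json"   # kept outside htdocs
        save_manifest(build_manifest(webroot), manifest_path)

        # Simulated defacement: home page overwritten, a new file dropped,
        # a page deleted, plus cache churn that should NOT be reported.
        (webroot / "index.html").write_text("<h1>constructed defacement banner</h1>")
        (webroot / "new-page.php").write_text("<?php /* placeholder */ ?>")
        (webroot / "about.html").unlink()
        (webroot / "cache" / "page.tmp").write_text("changed")

        return check_against_baseline(webroot, manifest_path)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run `build_manifest` plus `save_manifest` once after each legitimate deployment, and `check_against_baseline` from a scheduled job; a non-empty `added`, `modified` or `removed` list is the trigger to put the site into maintenance mode and investigate, long before a search engine or a customer notices.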

Apply the least privilege approach

Grant users just enough privilege to do their work. In other words you should not grant the same level of privileges to everyone. Some of these privileges can be misused or be compromised by malicious outsiders.

Deploy a web application firewall

Web application firewalls can do an amazing job of blocking malicious bots and safeguarding admin pages from unauthorized access. They can also virtually patch known vulnerabilities by blocking exploit attempts before they reach the application. The firewall acts as a secure barrier between the jungle that is the internet and the website.

Keep all themes and plugins updated, get rid of those you don't use

It’s possible that your website uses multiple plugins and themes. It’s also a reality that many admins often forget to update these resources, exposing their websites to easy exploitation by hackers. 

The reason admins forget to update these resources is that most plugins and themes continue to function even when they are not updated. But you need to know that when you fail to update, you are essentially using a resource that is no longer supported. An unsupported plugin or theme does not receive security fixes, so its known vulnerabilities stay open and even a basic hacker can use it as an entry point to deface the website.

How to resolve website defacement

Recovering from website defacement is not difficult if you have been keeping regular backups of the website. You will simply go to the backup, restore the most recent version, and that is it. 

But sometimes backups have problems of their own, or, as is the case for many website owners, you may not have kept regular backups.

Be that as it may, follow this general procedure to help you recover from the defacement ASAP:

1. Take the website to maintenance mode

With maintenance mode, visitors are notified that the website is currently under maintenance while you make important updates and that you will be back online shortly.

Apart from the visitors who may have seen the hack message early, the subsequent visits will be met by the maintenance message. The maintenance message helps to do some damage control, giving you time to clean up the mess and get things back to normal.

2. Review the website defacement attack and remove the malware

You want to find out what really happened by scanning the files for malware. The idea here is to find out whether the hackers injected malicious code into the site or simply replaced your content with theirs.

There are many methods you can use to scan your website for malware, including:

  • Use FTP to check for malware in the website files

  • Scan the database with antivirus software

  • Use a URL scanner

  • Check for suspicious code in iframe attributes and script attributes

  • Use automatic malware scanners such as SiteLock, SUCURI, Criminal IP, Quttera, etc

Please note that we do not recommend manual malware removal for the simple reason that it is very difficult hence time consuming, and worst of all it’s not as effective as the modern automated methods. You may think you have removed all the malware when in reality you just scratched the surface. 
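For the "suspicious code in iframe and script attributes" check above, it helps to see what such a scan actually looks for. The following is an added example, not code from the article or from any of the scanners it names: it parses HTML and flags `<script>`/`<iframe>` tags whose `src` points at a host outside an allow list, hidden iframes, and inline scripts that feed `eval()` from a string decoder. The allow list, the heuristics and `SAMPLE_PAGE` are constructed for the demonstration, and a real scan would use `scan_files` over the web root.

```python
"""Find injected <script>/<iframe> references in HTML.

Added example (not code from the article): a small scanner for the
"suspicious code in iframe and script attributes" check. Allowed hosts,
the heuristics and the sample page are constructed for the demo.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Inline-script patterns that are rarely legitimate on a content site:
# eval() fed by a string decoder is a common way to hide injected payloads.
DECODER_MARKERS = ("unescape(", "atob(", "fromcharcode")


class InjectedTagFinder(HTMLParser):
    """Collect (tag, line, reason) findings while parsing one document."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script_line = None   # set while inside an inline <script>
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        host = urlparse(a.get("src", "")).hostname   # None for relative paths
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append((tag, line, f"external src: {host}"))
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append((tag, line, "hidden iframe"))
        if tag == "script" and "src" not in a:
            self._script_line = line
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data; buffer them
        # and judge the whole body once the closing tag arrives.
        if self._script_line is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_line is not None:
            body = "".join(self._script_buf).lower()
            if "eval(" in body and any(m in body for m in DECODER_MARKERS):
                self.findings.append(("script", self._script_line, "obfuscated inline script"))
            self._script_line = None


def scan_html(html: str, allowed_hosts) -> list:
    """Return the findings for one HTML document."""
    parser = InjectedTagFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_files(webroot: str, allowed_hosts) -> dict:
    """Scan every .html/.htm/.php file under the web root; map path -> findings."""
    results = {}
    for path in sorted(Path(webroot).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".html", ".htm", ".php"):
            found = scan_html(path.read_text(errors="replace"), allowed_hosts)
            if found:
                results[path.as_posix()] = found
    return results


# Constructed sample: two legitimate scripts, one obfuscated inline script
# (decodes to a harmless comment) and one hidden iframe to an unlisted host.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>eval(unescape("%2f%2a%20placeholder%20%2a%2f"))</script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://unknown-host.example/frame" style="display:none;width:0;height:0"></iframe>
</body></html>"""

ALLOWED_HOSTS = ("cdn.example.com",)   # constructed allow list for the demo

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(finding)
```

The allow list is the important design choice: rather than trying to recognise every malicious host, the scanner treats any third-party script or frame you did not deliberately approve as a finding, which is exactly how an injected reference stands out. Relative paths are left alone, so a first-party `/js/app.js` does not create noise.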

3. Post-hack actions

Now that the website is back online, you want to take some time to dig deeper and ensure the chances of a repeat defacement are negligible. Perform these key activities as part of your post-hack analysis:

  • Change the passwords on FTP accounts and hosting accounts. Ensure the passwords are very strong. As usual, avoid easy passwords like those that contain names or sequential numbers, e.g. 123456.

  • Review users and privileges: It's possible that the defacement was done by an unauthorized user. The hackers are also capable of creating their own accounts. So check for any unauthorized accounts and delete them. The simplest way to establish this is from the login history.

  • Again, recheck malware and vulnerabilities

  • Communicate to customers, employees, and all other stakeholders about what happened and the steps you have taken to fix the problem

  • Deploy a reliable and easy to restore backup solution. We have come across many backup systems that fail to restore or take too long to restore. 

  • Implement multi-factor authentication in the login procedures.

Learn the different types of backups and best practices for data loss prevention. You may also want to consider Backup as a Service if you are not well resourced to run a comprehensive backup program in-house. 

Conclusion

Cybersecurity experts will tell you it's not possible to achieve perfection in security. This is a fact!

Hackers can bring down even the most secured digital assets belonging to extremely well-resourced organizations, even governments. So you really do not have to over-agonize when defacement strikes your website. This is especially true when you know that you already invested in all measures that you could and maintained constant vigilance.

Should defacement strike your company’s website even when you have done everything to ensure it never happens, you simply focus on bringing the site back to normal within the shortest time possible. But if it happens because your security was lax, then you have a double job: To bring the site back into operation and to go back to the drawing board to make fundamental changes in your security measures. There is also the cost of regret, where you “punish” yourself for not having done enough. 

Finally, security is an ever-evolving series of activities that requires those in charge to stay on top of the game. They snooze, the company loses. The attackers are waiting for that moment of snooze, so avoid it. But even more important is how you respond after the defacement strikes. Here, measures like backup and disaster recovery tools become critical. Excellent preparation to detect and act promptly will win, any day.

If you feel overwhelmed by the defacement, you can always seek the services of a cybersecurity company to help you recover smoothly. 

 
372
No comments yet. Be the first to add a comment!
Our site uses cookies