Threat actors the world over have long been employing website defacement as a tactic to further their political, environmental, or even personal agenda. They essentially replace the content of target sites to display their messages through various means, including SQL injection, cross-site scripting (XSS), and other initial compromise techniques.

In 2018, for instance, the U.K. National Health Service (NHS) website that hosted patient data was defaced, causing citizens to worry that their personally identifiable information (PII) may have fallen into the attackers’ hands.

WhoisXML API threat researcher Dancho Danchev provided thousands of email addresses connected to several ongoing website defacement campaigns, which our research team then used to identify trends that could help cybersecurity teams up their defensive game. Our main findings revealed that:

• Close to 90% of the email address indicators of compromise (IoCs) used free services.
• The email address IoCs were distributed across service providers.
• The email address IoCs led to the discovery of 20,000+ possibly connected domains, some of which are already being detected as malware hosts or phishing sites by various malware engines.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download Danchev’s initial report and related threat research materials here.

Email Address IoC Trends

We began our investigation by collating 2,417 email addresses connected to currently ensuing website defacement campaigns from publicly accessible threat intelligence sources. Greater scrutiny revealed that 2,164 of these email addresses used free services, topped by Gmail. The chart below shows the distribution volume across service providers and email domains.

We then subjected the email address IoCs to a bulk email verification lookup and found that:

• Close to 90% used free services.
• Only around 3% didn’t pass the format or syntax check, the Domain Name System (DNS) check, or the mail exchanger (MX) service check, which could be linked to the fact that the majority of email addresses came from free services.
• More than half of the IoCs didn’t pass the Simple Mail Transfer Protocol (SMTP) check, which could suggest that the email addresses no longer had associated inboxes.
• Very few email addresses were disposable, which is surprising since this is a common cybercriminal tactic.

Take a look at the detailed bulk email verification lookup results below.

Potential Threat Artifacts Discovered

We uncovered 20,024 possibly connected domains since they shared the malicious registrant email addresses based on reverse WHOIS searches, such as:

• 05movie[.]com
• abercrombiesite[.]org
• bagipokemon[.]com
• campbellscashandcarry[.]com
• dhlna[.]cn
• elle-et-nails[.]fr
• facebook-hk[.]com
• google-analitlcs[.]com
• hpsupport247[.]com
• intel-i7-benchmark[.]com

A bulk malware check via the Threat Intelligence Platform showed that 47 of the possibly connected domains were dubbed either “malware hosts” or “phishing sites” by several malware engines. Examples are shown in the table below.

Organizations wary of having their websites defaced could watch out for domains that share characteristics with the malicious properties named above. They should also watch out for domains sporting the top top-level domain (TLD) extensions .com, .cn, .net, .us, .org, .icu, .fr, .site, .info, and .in.

Apart from steering clear of the close to 50 malicious domains identified in this post and other possibly connected web properties that share the registrant email addresses identified as IoCs or other characteristics mentioned in this post, organizations would also do well to employ anti-website defacement techniques like:

• Employing the least privilege principle
• Avoiding the use of default admin directories and email addresses
• Limiting the use of add-ons and plug-ins
• Avoiding the use of overly descriptive error messages on sites
• Limiting file uploads
• Using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to prevent man-in-the-middle (MitM) attacks, which are typically employed to compromise legitimate sites

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.