|
Threat actors the world over have long been employing website defacement as a tactic to further their political, environmental, or even personal agenda. They essentially replace the content of target sites to display their messages through various means, including SQL injection, cross-site scripting (XSS), and other initial compromise techniques.
In 2018, for instance, the U.K. National Health Service (NHS) website that hosted patient data was defaced, causing citizens to worry that their personally identifiable information (PII) may have fallen into the attackers’ hands.
WhoisXML API threat researcher Dancho Danchev provided thousands of email addresses connected to several ongoing website defacement campaigns, which our research team then used to identify trends that could help cybersecurity teams up their defensive game. Our main findings revealed that:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download Danchev’s initial report and related threat research materials here.
We began our investigation by collating 2,417 email addresses connected to currently ensuing website defacement campaigns from publicly accessible threat intelligence sources. Greater scrutiny revealed that 2,164 of these email addresses used free services, topped by Gmail. The chart below shows the distribution volume across service providers and email domains.
We then subjected the email address IoCs to a bulk email verification lookup and found that:
Take a look at the detailed bulk email verification lookup results below.
We uncovered 20,024 possibly connected domains since they shared the malicious registrant email addresses based on reverse WHOIS searches, such as:
A bulk malware check via the Threat Intelligence Platform showed that 47 of the possibly connected domains were dubbed either “malware hosts” or “phishing sites” by several malware engines. Examples are shown in the table below.
Malware Hosts | Phishing Sites |
---|---|
10086-cv[.]com avgantivirus2017download[.]com cloudflaretestdomain[.]com donategame[.]online focus-visions[.]com | steeamcommunity[.]com vk[.]com |
Organizations wary of having their websites defaced could watch out for domains that share characteristics with the malicious properties named above. They should also watch out for domains sporting the top top-level domain (TLD) extensions .com, .cn, .net, .us, .org, .icu, .fr, .site, .info, and .in.
Apart from steering clear of the close to 50 malicious domains identified in this post and other possibly connected web properties that share the registrant email addresses identified as IoCs or other characteristics mentioned in this post, organizations would also do well to employ anti-website defacement techniques like:
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byRadix
Sponsored byVerisign
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byIPv4.Global