Website defacement: A 3-step defence

The Cyber Security Agency (CSA) of Singapore recently reported that there were 419 defaced ‘.sg’ websites in 2021, which is a decrease of 15% from 495 in 2020. This downward trend could be attributed to hacktivist activities moving to other platforms with a potentially wider reach, such as social media sites.

Understanding website defacement attacks

Website defacement is not new. Simply put, it’s virtual graffiti where hackers vandalise a website by changing its appearance or content. Sometimes, they go further and subvert the website by injecting malicious code that infects visitors’ computers or phones with viruses, runs phishing scams, or installs crypto miners.

A notable example happened in 2002 when hackers placed a fake front page and six stories on the front page of USA Today’s website. In 2013, the Singapore prime minister’s website was defaced by hackers. More recently, Ukraine claimed its government websites were defaced.

Website defacement can be accomplished by gaining access to a company’s content management system (CMS). Many sites, including those of news media and retailers, are driven almost entirely by a CMS, and if the bad actors can break into that system by stealing credentials, exploiting software vulnerabilities, or gaining access to private networks, they can change the displayed content quite easily.

No matter the technical cause, this is serious. Cyberattacks against public-facing websites, regardless of size, are common and may result in website defacement and other forms of vandalism. Such attacks can gravely damage the reputation of the website and its owner. For example, corporate and personal websites that fall victim to defacement may experience financial loss due to eroded user trust or a decrease in website visitors.

That brings up the question of motivation. Sometimes, defacement is a crime of opportunity. Hackers want to plant malware, and scan high-traffic websites looking for vulnerabilities that will give them access to the front-end web server or the back-end content database. Yet other times, vandals deliberately target a specific government agency, business, or non-profit organisation.

The motives vary. Perhaps the hackers wish to specifically hurt or embarrass a company. Perhaps they want to plant malware to help them mine cryptocurrency using unwitting visitors’ computers, or to steal end-user credentials. Perhaps they are seeking to make a political statement. Perhaps they’re bored or just showing off. Perhaps they are looking to gain attention for themselves or their cause. Perhaps it’s a dry run for a state-sponsored entity’s cyberwarfare brigade. Who knows?

At the end of the day, the reasons for the attack shouldn’t matter, at least not to the victim. Leave those psychological analyses and crime forensics to the police or the Security and Intelligence Division, while you focus on the real challenges of keeping your corporate IT assets — including your website — safe and secure from hackers and vandals.

Could your company’s site be defaced by competitors, hacktivists, state-sponsored actors, or even those seeking to plant malware onto unsuspecting end users? It’s possible. Fortunately, it’s also preventable.

Dealing with website defacement

Here is a three-pronged approach to preventing, responding to, and rebuilding after a website vandalism attack:

  1. Plan. Seek to prevent an attack by hardening your defences, enabling strong encryption and user authentication systems, ensuring there are no exploitable vulnerabilities, and creating comprehensive data backups.

     Check your software platforms: Have you installed all the patches and fixes? Are you monitoring industry threat notifications for warnings about new vulnerabilities? Are your contractors and in-house software developers following the best practices for secure programming and testing? Are your vendors performing at the highest, most secure level, such as by seeking ISO 27001 certification?

     To borrow a concept from the airline industry, make sure aircraft materials are not easily flammable, nothing can make sparks, and smoking is prohibited near the fuel depot.

  2. Respond. Assume your preventative measures won’t be sufficient to block the attack. If vandals manage to gain access to your systems, it’s essential to detect and react quickly before damage can occur. For detection, monitor your logs, look for anomalies, and be wary of anything out of the usual. Respond by setting up measures to take down your website automatically if vandalism or other breaches occur, while sealing everything off to prevent further harm, preserve evidence, and begin the recovery.

     Continuing the airline comparison, install heat and smoke detectors and automatic sprinklers in case a fire does break out, with lots of red lights and sirens.

  3. Recover. You don’t want to plan for failure, but you should always assume that an attack will succeed. Make sure those backups work. Prepare for contingencies of all sorts. Put up a “This page is down for maintenance” message on your site. Use it until an off-site server or failover database goes online, to hold you over while you restore the damaged systems. Have a media response plan in place, and know how to contact the relevant hosting companies, software vendors, customers, partners, and law enforcement.

     By analogy, that’s why aircraft have drop-down oxygen masks, and why the flight attendants always explain what to do in the event of a water landing, while the airline knows how to contact family members if the unthinkable happens.
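The “Respond” step above says to detect changes quickly and take the site down automatically when vandalism is found. One concrete way to do that is a content-integrity monitor: record a known-good digest of every page after a trusted deploy, re-check the live pages on a schedule, and trigger the maintenance page the moment something differs. The script below is an added example written for this article, not code from the original piece; the page fetching is stubbed with constructed HTML strings so it runs offline, and the site name, paths and the two “volatile” patterns (CSRF token, render timestamp) are assumptions standing in for whatever your CMS actually emits. Ignoring those volatile regions is the part practitioners usually get wrong: without it a dynamic page alarms on every render and the alerts get muted.

```python
"""Baseline content-integrity monitor for a CMS-rendered website.

Added example (not from the original article). Each page's current HTML is
normalised, hashed with SHA-256 and compared with a stored baseline. Any
modified, missing or unexpected page yields a report that an operator (or
an automated job) can use to switch the site to its maintenance page.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Pattern

# Regions that legitimately change on every render (assumed markup; adjust
# to what your own CMS emits). Without blanking them every check would fire.
VOLATILE_PATTERNS: List[Pattern[str]] = [
    re.compile(r'name="csrf_token" value="[^"]*"'),
    re.compile(r'<span class="rendered-at">[^<]*</span>'),
]


def normalise(html: str, patterns: Iterable[Pattern[str]] = VOLATILE_PATTERNS) -> str:
    """Blank out volatile regions and neutralise whitespace before hashing."""
    for pat in patterns:
        html = pat.sub("", html)
    html = re.sub(r">\s+<", "><", html)       # whitespace between tags
    return re.sub(r"\s+", " ", html).strip()  # collapse the rest


def digest(html: str) -> str:
    """SHA-256 of the normalised page."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def build_baseline(pages: Dict[str, str]) -> Dict[str, str]:
    """Record the known-good digest of every page; run right after a trusted deploy."""
    return {path: digest(html) for path, html in pages.items()}


def check_site(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live site with the baseline.

    Returns pages whose content changed, pages that vanished, and pages
    that appeared without being in the baseline (a dropped-in file is a
    classic defacement sign).
    """
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, known in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif digest(current[path]) != known:
            report["modified"].append(path)
    for path in current:
        if path not in baseline:
            report["unexpected"].append(path)
    return report


def needs_takedown(report: Dict[str, List[str]]) -> bool:
    """True if any finding is present; the caller switches to the maintenance page."""
    return any(report.values())


# ---- Constructed sample pages (not real site content) ----
GOOD_SITE = {
    "/index.html": '<html><body><h1>Example Corp</h1><p>Welcome.</p>'
                   '<input name="csrf_token" value="abc123"/>'
                   '<span class="rendered-at">2022-01-01T00:00:00Z</span></body></html>',
    "/about.html": "<html><body><h1>About us</h1></body></html>",
}

# The same site re-rendered later: only the volatile fields and whitespace differ.
RERENDERED_SITE = {
    "/index.html": '<html><body><h1>Example Corp</h1><p>Welcome.</p>'
                   '<input name="csrf_token" value="zzz999"/>'
                   '<span class="rendered-at">2022-01-02T12:34:56Z</span></body></html>',
    "/about.html": "<html><body>\n  <h1>About us</h1>\n</body></html>",
}

# A vandalised copy: home page replaced and an extra file dropped in.
DEFACED_SITE = {
    "/index.html": "<html><body><h1>Replaced page (constructed sample)</h1></body></html>",
    "/about.html": "<html><body><h1>About us</h1></body></html>",
    "/z.html": "<html><body>placeholder</body></html>",
}

if __name__ == "__main__":
    baseline = build_baseline(GOOD_SITE)
    for name, site in [("re-render", RERENDERED_SITE), ("defaced", DEFACED_SITE)]:
        rep = check_site(baseline, site)
        print(name, rep, "-> takedown" if needs_takedown(rep) else "-> ok")
```

In production the dictionaries would be filled by fetching each path from the live server (and the baseline stored somewhere the web server cannot write to, since a vandal with CMS access could otherwise simply update it). The same digest comparison doubles as the “make sure those backups work” check from the Recover step: hash the restored files against the baseline before switching the failover online.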

Plan, respond, and recover – or your site might be next on the vandal’s graffiti hit list.