akamai’s [state of the internet] / security
Q1 2015 State of the Internet Security Report — Website Defacement Selected excerpts
Akamai’s Q1 2015 State of the Internet Security Reports highlights one type of attack notably observed this year – forms of website defacement and hijacking. By exploiting vulnerabilities in website hosting, attackers can replace the content normally shown on a website, or redirect users to other websites, to show the attackers’ content – for a wide array of malicious intent. However, these attacks can be defended against or avoided. Website Defacement
Hundreds of companies sell server hosting, where many accounts pay to host websites on that company's servers. With many domains and sites being hosted on the same server, the chance that at least one of those sites is vulnerable to file uploading attacks is very high and if the server is not properly secure in preventing accounts from accessing files outside of their assigned directory, then an attacker can leverage that one compromised website to gain access to other accounts on the host server.
First, an attacker gains a foothold on the server, searching for sites with vulnerable software through tools as simple as Google search. Once they find software with vulnerabilities that they can exploit for file uploading, the attacker can Figure 1: One defaced website served up pro-ISIS materials install scripts that allow them to view and traverse the server's directory structure, looking for lists of account names and passwords they can use to gain access to other websites. Once the attacker has acquired a large quantity of account credentials, a mass defacement script is used to automatically gain access to each account, replace the target files with their own, and move on to the next website - systematically defacing potentially hundreds of websites in a single stroke. Domain Hijacking
These attacks can often be prevented by using better protections for web server security. However, early in Q1, Akamai observed a form of attack that could bypass server security entirely. Domain hijacking allows malicious actors to alter the DNS records for a website, so that requests to look up that website point to a server of the attacker's choice.
akamai’s [state of the internet] / security
The attack works through spear-phishing attempts on IT, finance, human resources, and other staff who may have access to domain registration accounts. Very often, access is gained by phishing email credentials from the site's domain administrator. With these credentials, the attacker can perform a password reset on the registrar's site, thereby obtaining administrative access and a password. The malicious actor can then log in to the registrar and make changes to name server (NS) records for both web and email servers, redirecting traffic from this domain to an IP address the attackers control. NS record updates may often take 24 to 48 hours to go through, so the effects of this attack can last for a considerable time before site administrators are able to revert the changes.
Get the full Q1 2015 State of the Internet — Security Report with all the details, including defense and protective measures
Each quarter Akamai produces a quarterly Internet security report. Download the Q1 2015 State of the Internet —Security Report for: • • • • • • • •
Analysis of DDoS and web application attack trends Bandwidth (Gbps) and volume (Mpps) statistics Year-over-year and quarter-by-quarter analysis Attack frequency, size, types and sources Security implcations of the transition to IPV6 Mitigating the risk of website defacement and domain hijacking DDoS techniques that maximize bandwidth, including booter/stresser sites Analysis of SQL injection attacks as a persistent and emerging threat
The more you know about web security, the better you can protect your network against cybercrime. Download the free the Q1 2015 State of the Internet — Security Report at http://www.stateoftheinternet.com/security-reports today. About stateoftheinternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.