[Q1 2015] Website Defacement & Domain Hijacking
akamai.com
= emerging threat: website defacement
• Many attacks observed in Q1 2015 revolved around defacement and hijacking: controlling the content a user sees when accessing a website
• Attacks can be carried out for notoriety, to spread a message, or to phish for user information
• The threats are not new, but the tactics remain popular
2 / [The State of the Internet] / Security (Q1 2015)
= mass web defacement
• In Q1 2015, a group of malicious actors claimed to have hacked hundreds or thousands of websites in a single night
• Many of these websites shared the same IP address
• The attackers had used automation to attack many sites hosted on the same servers
= mass web defacement: methods
• Hosting services may host hundreds of websites on a single server
• Mass defacement attacks exploit improper security settings, such as file and directory permissions that are not isolated per account, to access files outside the attacker's assigned directory
• A single vulnerable website can therefore allow attackers to view files belonging to every other account on the server
• Attackers then search those files (configuration files in particular) for account names and passwords that give write access to the other accounts
• Using a script, these credentials are used to log in to each account automatically and replace the legitimate files with the attacker's content
= website defacement: protection and mitigation
If you have been attacked:
• Move to a new hosting provider with better security
To prevent attacks and judge risk:
• Check whether other websites on the same IP address show hallmarks of compromise
• If your provider allows it, test whether your server is vulnerable by attempting to view the web space of other accounts hosted by the provider
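The permission check behind the methods and mitigation slides above, as an added example (not code from the Akamai report): it builds a constructed shared-hosting tree with two hypothetical accounts, alice and bob, reports credential files that a user from another account could both reach (every directory on the path world-executable) and read (file world-readable), then tightens them and re-audits. The file names in SENSITIVE_NAMES and the permission modes are assumptions standing in for whatever a real host uses.

```python
"""Audit a shared-hosting tree for credential files other accounts can read.

Added example (not code from the Akamai report). It constructs a small
/home-style tree in a temporary directory with two hypothetical accounts,
'alice' and 'bob', and reports configuration files whose permission bits let
any other local user, and therefore any other customer's PHP/CGI script on
the same server, read them. It then tightens those files and re-audits.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Files that usually hold database or admin credentials (assumption: extend
# this set for the stacks actually deployed on the host).
SENSITIVE_NAMES = {"wp-config.php", "configuration.php", "settings.php", ".env"}


def world_readable(p: Path) -> bool:
    return bool(p.stat().st_mode & stat.S_IROTH)


def world_traversable(p: Path) -> bool:
    # o+x on a directory is what lets a foreign user descend into it
    return bool(p.stat().st_mode & stat.S_IXOTH)


def audit_homes(home_root: Path) -> list[str]:
    """Return relative paths of sensitive files that a user from another
    account could both reach (every directory o+x) and read (file o+r)."""
    findings: list[str] = []
    for account in sorted(home_root.iterdir()):
        if not account.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(account):
            for name in files:
                if name not in SENSITIVE_NAMES:
                    continue
                f = Path(dirpath) / name
                rel = f.relative_to(home_root)
                # every directory between the home root and the file
                chain = [home_root / parent for parent in rel.parents if str(parent) != "."]
                if all(world_traversable(d) for d in chain) and world_readable(f):
                    findings.append(rel.as_posix())
    return sorted(findings)


def harden_file(f: Path) -> int:
    """Strip group/other bits from a credential file; returns the new mode.
    On hosts where every site's PHP runs as one shared web-server user the
    group bits matter as much as the other bits, so both are cleared."""
    f.chmod(0o600)
    return stat.S_IMODE(f.stat().st_mode)


def build_demo_tree(root: Path) -> None:
    """Constructed layout: alice's account keeps permissive defaults, bob's
    account denies other users entry to the home directory."""
    alice = root / "alice" / "public_html"
    bob = root / "bob" / "public_html"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (alice / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'hunter2');\n")
    (bob / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'correct-horse');\n")
    # alice: home 0755, docroot 0755, config 0644 -> any local user can read it
    (root / "alice").chmod(0o755)
    alice.chmod(0o755)
    (alice / "wp-config.php").chmod(0o644)
    # bob: home 0710 (owner rwx, web-server group x, others nothing) breaks the chain
    (root / "bob").chmod(0o710)
    bob.chmod(0o755)
    (bob / "wp-config.php").chmod(0o640)


def run_demo() -> tuple[list[str], list[str]]:
    """Audit the constructed tree before and after hardening the leaks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        before = audit_homes(root)
        for rel in before:
            harden_file(root / rel)
        after = audit_homes(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("readable by other accounts before hardening:", before)
    print("readable by other accounts after hardening:", after)
```

Run against a real host by calling audit_homes(Path("/home")) as the account owner (only your own account's files need to be readable to you for the walk); the check reasons about mode bits only, so it never touches another customer's files, which is the point of the "if your provider allows" caveat above.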
= domain hijacking
• Domain hijacking attacks alter a domain's DNS records to redirect web and mail traffic to an IP address of the attacker's choice
• Bypasses even the best server security if the registrar account is not properly controlled
• Requires attackers to gain access to the domain's registrar account
• Name server changes can take 24 to 48 hours to propagate, so the malicious records keep taking effect for a long period even after they are discovered and reverted
= domain hijacking: methods
• Targeted spear-phishing of personnel likely to have registrar access
• The email credentials of the domain's administrative contact are often obtained first
• That mailbox is then used to request a registrar password reset, yielding full registrar credentials
• The registrar account is used to change the name server records, redirecting web traffic to the attacker's IP address
• The entire zone file, including the mail exchange (MX) records, may be changed
• Intercepted mail can be used to obtain credentials for other accounts and to intercept password reset attempts
• Attackers can thereby maintain control over all administrative accounts for the domain name
= domain hijacking: protection and mitigation
Protection against domain hijacking attacks takes two forms:
• Prevent access to domain registrar credentials
 ⁄ Use two-factor authentication on email services to protect against phishing (and on the registrar account itself where the registrar offers it)
 ⁄ Do not reuse the registrar account password anywhere else
• Use registrar locks to prevent unauthorized changes
 ⁄ The registrar confirms each change with a previously agreed-upon contact
 ⁄ That confirmation step can be slow, so keep it in mind if you may need rush changes
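Two checks that follow from the methods and mitigation slides above, as an added example (not code from the Akamai report): the first parses the Domain Status lines of WHOIS output and reports which of the EPP client-side locks that block transfers, updates and deletions are missing; the second compares a baseline snapshot of NS and MX records with a fresh lookup and reports drift, which is how a repointed zone gets caught before the 24 to 48 hour propagation window has done its damage. The WHOIS excerpts, the example.com domain and the record snapshots are constructed; in practice they would come from `whois <domain>` and `dig NS <domain>` / `dig MX <domain>` run on a schedule.

```python
"""Two checks against the domain-hijacking scenario above.

Added example, not code from the Akamai report. `missing_locks` parses the
'Domain Status:' lines of WHOIS output and reports which of the EPP client
locks are absent. `record_drift` compares a baseline snapshot of NS and MX
records with a later lookup and reports what changed. All inputs below are
constructed stand-ins for real `whois` and `dig` output.
"""
from __future__ import annotations

import re

# EPP status codes a registrant can have set; together they stop a registrar
# account (stolen or not) from moving or rewriting the domain without the
# registrar's out-of-band confirmation step.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Matches 'Domain Status: clientTransferProhibited https://icann.org/epp#...'
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def registrar_locks(whois_text: str) -> set[str]:
    """Status codes present in a WHOIS record."""
    return set(STATUS_RE.findall(whois_text))


def missing_locks(whois_text: str) -> set[str]:
    """Which of the expected client locks are not set."""
    return REQUIRED_LOCKS - registrar_locks(whois_text)


def _normalize(records: set[str]) -> set[str]:
    """Lower-case and drop the trailing dot so 'NS1.EXAMPLE.NET.' == 'ns1.example.net'."""
    return {r.lower().rstrip(".") for r in records}


def record_drift(
    baseline: dict[str, set[str]], current: dict[str, set[str]]
) -> dict[str, dict[str, set[str]]]:
    """Per record type, the values that appeared or vanished since the baseline."""
    drift: dict[str, dict[str, set[str]]] = {}
    for rtype in sorted(set(baseline) | set(current)):
        old = _normalize(baseline.get(rtype, set()))
        new = _normalize(current.get(rtype, set()))
        if old != new:
            drift[rtype] = {"added": new - old, "removed": old - new}
    return drift


# Constructed WHOIS excerpts for a hypothetical example.com
WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

# Constructed record snapshots: the baseline taken while the zone was healthy,
# and a later lookup after an attacker repointed both NS and MX.
BASELINE = {
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "MX": {"10 mail.example.com."},
}
HIJACKED = {
    "NS": {"ns1.attacker-dns.invalid.", "ns2.attacker-dns.invalid."},
    "MX": {"10 mx.attacker-dns.invalid."},
}

if __name__ == "__main__":
    print("missing locks (locked record):", missing_locks(WHOIS_LOCKED))
    print("missing locks (unlocked record):", sorted(missing_locks(WHOIS_UNLOCKED)))
    print("drift since baseline:", record_drift(BASELINE, HIJACKED))
```

Any non-empty result from record_drift on a domain you did not change yourself is the signal to call the registrar, since by the time users report the redirect the attacker has usually already used the intercepted mail for password resets elsewhere.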
= Q1 2015 State of the Internet – Security Report
Download the Q1 2015 State of the Internet Security Report. The Q1 2015 report covers:
 ⁄ Analysis of DDoS and web application attack trends
 ⁄ Bandwidth (Gbps) and volume (Mpps) statistics
 ⁄ Year-over-year and quarter-by-quarter analysis
 ⁄ Attack frequency, size, types and sources
 ⁄ Security implications of the transition to IPv6
 ⁄ Mitigating the risk of website defacement and domain hijacking
 ⁄ DDoS techniques that maximize bandwidth, including booter/stresser sites
 ⁄ Analysis of SQL injection attacks as a persistent and emerging threat
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.