In today’s business climate, your website is your brand, your public face and your business platform. Now imagine if attackers were to hijack your website and replace your content with something offensive, illegal, inflammatory or embarrassing. Website defacement, where attackers replace your website’s content so users see what the attackers want, can be devastating for your business.  And these types of attacks are on the rise.  Read this short article to learn more about this cloud security threat and then get all the details in the full Q1 2015 State of the Internet Security Report at http://bit.ly/1KfWTrG

1. akamai.com
[Q1 2015] Website Defacement & Domain Hijacking

2. Many attacks observed in Q1 2015 revolved around
defacement and hijacking – controlling the content a user sees
when accessing a website
• Attacks can be carried out for notoriety, or to spread a
message, or to phish for user information
• Threats are not new but the tactics remain popular
= emerging threat: website defacement
2 / [The State of the Internet] / Security (Q1 2015)

3. = mass web defacement
3 / [The State of the Internet] / Security (Q1 2015)
• In Q1 2015, a group of malicious actors claimed to have
hacked hundreds or thousands of websites in a single night
• Many of these websites had the same IP address
• The attackers had exploited automation to attack many sites
hosted on the same servers

4. = mass web defacement: methods
4 / [The State of the Internet] / Security (Q1 2015)
• Hosting services may host hundreds of websites on a single
server
• Mass defacement attacks exploit improper security settings
to access files outside assigned directories
• A single vulnerable website can allow attackers to view files
elsewhere on the server
• Attackers then search for user account names and
passwords to gain write access to those accounts
• Using a script, these credentials are used to automatically
login to each account and replace the valid files with the
attacker’s desired content

5. = website defacement: protection and mitigation
If you have been attacked:
• Move to a new hosting provider with better security
To prevent attacks and judge risk:
• Check if other websites on the same IP show hallmarks of
compromise
• If your provider allows, test if your server is vulnerable by
attempting to view the web space of other accounts hosted
by the provider

6. = domain hijacking
5 / [The State of the Internet] / Security (Q1 2015)
Domain hijacking attacks alter a domain’s DNS records to
redirect web and mail traffic to an IP of the attacker’s choice
• Bypasses even the best server security if registrar level is not
properly controlled
• Requires attackers to gain access to a domain registrar
account
• Name server changes can take 24 to 48 hours to go through,
allowing the malicious changes to remain for a long period

7. • Targeted spear-phishing of personnel likely to have registrar
access
• Email credentials often obtained from domain administrator
• Email can be used to request a password reset, getting full credentials
• Registrar account used to make changes to name server
records, redirecting web traffic to attacker’s IP
• Entire zone file, including mail exchange, may be changed
• Intercepted mail can be used to obtain credentials for other accounts and to
intercept password reset attempts
• Attackers could maintain control over all administrative accounts for a
domain name
= domain hijacking: methods
6 / [The State of the Internet] / Security (Q1 2015)

8. = domain hijacking: protection and mitigation
7 / [The State of the Internet] / Security (Q1 2015)
Protection against domain hijacking attacks takes two forms:
• Prevent access to domain registrar credentials
• Use two-factor authentication for email services to protect against phishing
• Do not reuse the password on a site’s registrar account
• Use registrar locks to prevent unauthorized changes
• Confirms changes with previously agreed-upon contact
• Response may be slow, so keep in mind if you may need rush changes

9. Download the Q1 2015 State of the Internet Security Report
• The Q1 2015 report covers:
⁄ Analysis of DDoS and web application attack trends
⁄ Bandwidth (Gbps) and volume (Mpps) statistics
⁄ Year-over-year and quarter-by-quarter analysis
⁄ Attack frequency, size, types and sources
⁄ Security implications of the transition to IPv6
⁄ Mitigating the risk of website defacement and domain hijacking
⁄ DDoS techniques that maximize bandwidth, including booter/stresser
sites
⁄ Analysis of SQL injection attacks as a persistent and emerging threat
= Q1 2015 State of the Internet –Security Report
9 / [The State of the Internet] / Security (Q1 2015)

10. • StateoftheInternet.com, brought to you by Akamai,
serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and
archived versions of Akamai’s State of the Internet
(Connectivity and Security) reports, the company’s data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.
= about stateoftheinternet.com
10 / [The State of the Internet] / Security (Q1 2015)