Old but still works as current campaigns show

Threat actors around the world have long used website defacing as a tactic to advance their political, environmental, or even personal agenda. They essentially replace content on target sites to display their messages through various means, including SQL injection, cross-site scripting (XSS), and other initial compromise techniques.

In 2018, for example, the UK’s National Health Service (NHS) website that housed patient data was downgraded, leading citizens to fear that their personally identifiable information (PII) had fallen between the hands of the attackers.

Dancho Danchev, WhoisXML API threat researcher, provided thousands of email addresses linked to several ongoing website defacement campaigns, which our research team then used to identify trends that could help security teams. cybersecurity to step up their defensive game. Our main findings revealed that:

  • Nearly 90% of email address Indicators of Compromise (IoCs) used free services.
  • Email address IoCs have been distributed among service providers.
  • Email address IoCs have led to the discovery of over 20,000 potentially connected domains, some of which are already detected as malware hosts or phishing sites by various malware engines.

As part of our ongoing efforts to enable cybersecurity analysts and researchers to continue their studies, we have collected all relevant data and made it available to anyone interested. You can download Danchev’s initial report and related threat research documents here.

Email Address IoC Trends

We began our investigation by gathering 2,417 email addresses related to ongoing website defacement campaigns from publicly available threat intelligence sources. A closer look revealed that 2,164 of those email addresses were using free services, led by Gmail. The graph below shows the volume of distribution between service providers and email domains.

We then subjected the email address IoCs to a bulk email verification search and found that:

  • Nearly 90% used free services.
  • Only about 3% failed the format or syntax check, Domain Name System (DNS) check, or Mail Exchange Service (MX) check, which could be related to that the majority of email addresses came from free services. .
  • More than half of IoCs failed Simple Mail Transfer Protocol (SMTP) verification, which could suggest that the email addresses no longer had associated inboxes.
  • Very few email addresses were disposable, which is surprising since this is a common tactic of cybercriminals.

Take a look at the detailed bulk email verification search results below.

Potential threat artifacts discovered

We uncovered 20,024 potentially connected domains because they shared malicious registrant email addresses based on reverse WHOIS lookups, such as:

  • 05film[.]com
  • abercrombiesite[.]org
  • bagipokemon[.]com
  • campbellscashandcarry[.]com
  • dhlna[.]NC
  • she-and-nails[.]in
  • facebook-hk[.]com
  • google-analitlcs[.]com
  • hpsupport247[.]com
  • intel-i7-benchmark[.]com

A mass malware check through the Threat Intelligence Platform showed that 47 of the possibly connected domains were dubbed “malware hosts” or “phishing sites” by multiple malware engines. Examples are shown in the table below.

Malware hosts Phishing sites
10086-hp[.]com
avgantivirus2017download[.]com
cloudflaretestdomain[.]com
make a dungeon[.]in line
focus-visions[.]com
steam community[.]com
vk[.]com

Organizations that are concerned about their websites being defaced might be wary of domains that share characteristics with the malicious properties mentioned above. They should also watch out for domains with the .com, .cn, .net, .us, .org, .icu, .fr, .site, .info, and .in top-level domain (TLD) extensions.


In addition to avoiding the nearly 50 malicious domains identified in this article and other possibly connected web properties that share registrant email addresses identified as IoCs or other characteristics mentioned in this article, organizations would also do well to employ website defacing techniques. to like:

  • Apply the principle of least privilege
  • Avoid using default admin directories and email addresses
  • Limit the use of add-ons and plug-ins
  • Avoid using overly descriptive error messages on sites
  • Limit file downloads
  • Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to prevent man-in-the-middle (MitM) attacks, which are typically used to compromise legitimate sites

If you would like to carry out a similar investigation or have access to the full data behind this research, please do not hesitate to contact us.

Comments are closed.