A Brief Analysis of the ISIS/ISIL Defacement Campaign

In web security, the role of website defacements is often played down and defacements have received much less attention than phishing and other attacks in the last few years. This is often attributed to the fact that the financial damage is directly quantifiable for phishing, but not in case of website defacements, where it manifests itself as a loss of reputation and/or trust. Yet, each year, many companies become the victim of security breaches and get their website defaced or leak private data. Since the beginning of this year, over 1.6 million defacements were confirmed by Zone-H. This is already nearly as much as we have seen in the whole last year (about 1.68 million defacements were reported in 2013), and an increase of over 34.8% to 2012 (about 1.2 million reported); and keeping into account that November and December are usually the months most affected by defacements, a further increase this year is to be expected [1].

Defacement of the Keighley Cougars

Just last Sunday (November 2nd, 2014), another website defacement received major press coverage (e.g., by the BBC). This time, defacers close to the Islamic State of Iraq and the Levant (ISIL) / and Syria (ISIS) defaced the website of the Keighley Cougars, a rugbly club from England, at 5:59pm UTC. In detail, the defacer group "Team System Dz" added the message "i love you isis", various photos showing drones, jets, and injured people:

Defacement of Keighley Cougars website by Team System Dz.

Defacement of Keighley Cougars website by Team System Dz [2].

The website reads further in a scrolling text:

The State of Islam and the list expands, God willing. Now now fighting began. This time is a time of Islam and victory and Lift the injustice for Muslims and the elimination of America and the allies of the infidels Will not keep silent about one inch of the land of the Muslims. Will not keep silent about one drop of blood of Muslims. Will not keep silent about the symptoms of women and children. Today retrace the pride of Islam and Muslims. The approach of the Muslims in you will make you regret the remorse you and allies. The alliance of all the world against the State of Islam will not succeed and will offer to martyrdom and jihad. The alliance of all the world against the State of Islam will not succeed. The State of Islam and the list expands, God willing. Damn America mask on and on Israel and the countries of the alliance with them.

The club confirmed the defacement shortly after on their Twitter page (19:08 UTC):

Tweet by the Keighley Cougars acknowledging the website defacement by Team System Dz. Reading: "Apologies, the website has been hacked. The developers are working on it. Will let you know when it's back up and running."

Tweet by the Keighley Cougars acknowledging the website defacement by Team System Dz.

The Keighley Cougars' chairmen, Gary Fawcett, rightfully worries in an interview with Keighley News that "thousands of youngsters and fans who avidly follow the Cougars online might be exposed to some of the horrific images of death and mutilation now scrolling on its site." However, given the magnitude of the campaign, it is extremely unlikely that "it was obviously done on a Sunday night when it would be most difficult for anyone to take quick action," as he stated in the interview.

Unsurprisingly, the Keighley Cougars do not host their website themselves. Instead they were the victim of a breach at their hosting provider, likely Webfusion Limited or a reseller thereof, who, at the time of writing, were still hosting other defaced websites at the same IP address that is used to reach the Keighley Cougars (likely the same webserver; suggesting that the breach was handled poorly by Webfusion and not cleaned up properly at all). One such defaced website is band-buses.co.uk by Platinum Band Buses for example. We notified both Webfusion Limited and Platinum Band Buses on November 6th, 2014 about the defacement and it was removed a few hours after [3]. And while the Keighley Cougars remained defaced for only about 16 hours, some other websites defaced in the same attack remained defaced for at least 4 days, and others again from the same campaign are remaining defaced since at least August 28th, 2014.

Magnitude of the Campaign

Overall, Team System Dz has been very active in the last few months, not only in support of ISIS/ISIL, but also in support of a free Palestine. We observed that they defaced over 2,800 websites hosted at over 750 different locations since December 29th, 2013 6:05am (our first data point for Team System Dz), with the most recent one being reported November 7th, 2014 1:52am. On average, Team System Dz defaced over 6 websites each day. We observed most of their defacement in October and November 2014, with 1,065 and 579 defacements respectively. With 579 defaced websites in only the first 8 days of November, we can expect that the number of defacements this month will surpass prior months easily.

The campaign by Team System Dz is also by no means targeted topic-wise, instead they seem to simply attack insufficiently secured hosting providers and, therefore, breach a variety of websites. From Walter Matthias Kunze's private website, a management consultant, whose website -at the time of writing- was still defaced [4], to the website of the University of New Brunswick Student Union in Canada, which was also hosted by a hosting provider (ICS Creative Agency to be precise), to the website of San Diego Chiropractor Dr Greg Wright (and also various other websites hosted by Bluehost Inc./Unified Layer), to the website of the "largest Angel Investing Network in the great state of Texas, and one of the Top 5 most active Angel Investing Networks in the nation", the Central Texas Angel Network.

Just today, November 8th, 2014, Team System Dz further attacked and defaced the websites of the 4-star Begjinhof hotel in Leuven, Belgium, the Association of Journalism Education in the United Kingdom and Ireland, their journal, and the support website C is for Cure for young adults who are affected by cancer [5].

While Facebook has banned all accounts by Team System Dz that we are aware of, their Twitter account @teamsystemdz is still online, but has been inactive since October 19th, 2014.

Parting Words

While there are many ways to prevent basic defacements from happening in pratice, such as setting up proper access control for the webserver and using two-factor authentication, given the large increase of defacements that we have seen in the past years, we remain convinced that it is important to research ways to detect website defacements accurately and in an automated fashion. Once such systems can reliably detect website defacements with high accuracy, checking if your own website has been defaced becomes easier. We are convinced that automated detection systems are important because they can reduce reaction time drastically, automate the repair of defacements, and, in turn, decrease the impact that the website defacements have. If we can remove a defacement within a matter of minutes instead of staying online for weeks and days, and automatically instead of requiring a manual investigation, we reduce the benefit the attackers draw from defacing the website in the first place.

Footnotes

[1]For comparison, while in January to including October 2013, 1.4 million defacements were reported, in the same time frame in 2014, close to 1.6 million defacements were reported. We estimate that about 1.87 million defacements will be reported this year.
[2]We are unsure whether it was removed by Webfusion or Platinum Band Buses, however, we believe that it was the latter as the website is now redirecting to their new domain and because Webfusion responded hours later with instructions of how to use their support website.
[3]Gore and shocking content has been removed from the screenshot so that the post is suitable for most audiences, a screenshot of the defacement including gore and other shocking content can be made available upon legitimate request.
[4]Interestingly, before being defaced, Walter Matthias Kunze's website was being used in the "Canadian pharmacy" scam.
[5]Naturally, we informed the website owners about the defacement, however, they did not yet respond at time of publication.