Malicious Image Defacement Hidden from Search Engines

After carefully designing a theme and images that represent your brand, nothing is worse than seeing a malicious image suddenly associated with your business or website.

In a recent blog post, we discussed a case in which a lewd image appeared in the Google Maps Images section for one of our client’s businesses. Today we take a look at another way unwanted images can ruin a website’s reputation: website defacement.

What Is a Website Defacement?

Website defacement is a hack that often involves adding malicious images to the website homepage and other important pages. Beyond the embarrassment, the effects can include loss of traffic, revenue, and trust in your brand.

Defacements are effective because they are simple, requiring little technical knowledge. They are often used by bad actors to draw attention to an issue, whether social or political (often referred to as “hacktivism”). They also adversely affect the way your audience relates to your brand. This is especially true if you have an ecommerce site, where potential customers come to believe that security is an issue on your site.

Although we clean many malicious attacks that steal sensitive data, website defacements still make up about 4% of the malware families we track. Since defacements are highly visible, they are usually noticed right away by visitors and dealt with quickly by website owners. When looking for defacements, most security scanners look for keywords; when an attacker uses something like an image, it dramatically increases the detection complexity.

Hidden Defacement Images

Recently our team found an interesting case where the defacement page was more than just a simple HTML injection. Instead, this type of defacement used an obfuscation technique that not only made detection more difficult but also made it harder for search engines to identify the affected pages as dangerous resources.

Here’s the image the hacker used on the victim’s site.

The following PHP snippet is an example of the technique being used to declare the image as a variable and echo it in the img tag.

When a search engine is indexing a website, its robots crawl the source code for text and metadata. Image files cannot be crawled by search engines, so they do nothing to help identify what your website is about. This is why SEO practitioners add the alt attribute to describe the content of the source image.

Due to this fact, image files are a good place to hide malware from Google. We have seen image files used most recently to store stolen credit card data from ecommerce sites.

In this case, the hacker used tactics to hide any sign of malicious activity from the website owner. This means the hacker still has access to the site and can use it to further spread malware and spam under the radar.
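One way to look for this pattern on disk, as an added example that is not code from the original post: the Python script below flags PHP variables that hold image-like string data and are also emitted inside an img src attribute. It assumes the image is stored as a data: URI or a long base64 literal; the regexes, function names, and sample inputs are constructed for illustration.

```python
import re
from pathlib import Path

# $name = '...';  or  $name = "...";  (string literal assignment)
ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.S)
# First PHP variable that follows src= inside an <img> tag, whether it arrives
# via <?php echo $x ?>, <?= $x ?>, or string concatenation/interpolation.
IMG_SRC_VAR = re.compile(r"<img\b[^>]*?\bsrc\s*=[^>]*?\$(\w+)", re.I | re.S)
# Long unbroken base64 run: typical of embedded binary data, not of page copy.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def looks_like_image(value):
    """True if a string literal is a data: image URI or contains a long base64 run."""
    return value.startswith("data:image/") or bool(BASE64_RUN.search(value))

def find_inline_image_echo(php_source):
    """Return sorted names of variables that carry image data AND feed an <img> src."""
    carriers = {m.group(1) for m in ASSIGN.finditer(php_source)
                if looks_like_image(m.group(3))}
    used = {m.group(1) for m in IMG_SRC_VAR.finditer(php_source)}
    # Requiring both conditions keeps ordinary templating (alt text, paths) quiet.
    return sorted(carriers & used)

def scan_tree(root):
    """Map each .php file under root to its flagged variables (files with hits only)."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = find_inline_image_echo(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed samples (not taken from the incident described above).
BLOB = "iVBORw0KGgo" + "A" * 400  # stand-in for base64-encoded image bytes
SAMPLE_HIDDEN = ("<?php $pic = 'data:image/png;base64," + BLOB + "'; ?>\n"
                 '<html><body><img src="<?php echo $pic; ?>"></body></html>\n')
SAMPLE_CONCAT = ('<?php $b = "' + BLOB + '";\n'
                 "echo '<img src=\"data:image/png;base64,' . $b . '\">'; ?>\n")
SAMPLE_CLEAN = ("<?php $title = 'Spring sale'; ?>\n"
                '<img src="/img/logo.png" alt="<?= $title ?>">\n')

if __name__ == "__main__":
    for name, src in [("hidden", SAMPLE_HIDDEN), ("concat", SAMPLE_CONCAT),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, find_inline_image_echo(src))
```

A hit is a lead for manual review rather than a verdict, since legitimate themes sometimes inline small images the same way.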

Monitor and Protect Your Brand

One of the issues with defacements is that they don’t do anything obviously nefarious, like what you would expect from malicious redirects, SEO spam, malicious downloads, or customer data breaches.

Defacements demonstrate a weakness in your website security posture. The attacker might have put up a very simple HTML page, but across all infected websites we see, around 67% have additional payloads, including backdoors. While defacements are often ignored and seen as more of a nuisance, they are a sign that someone has access to your environment. What you see on the surface is likely not telling the whole story of everything the attacker is really doing with your web property.

If you don’t have a file monitoring system in place, you might not identify the issue unless you visit the defaced resource or receive a message from a visitor. From a proactive standpoint, having a Website Firewall can help prevent the attacker from gaining access to your site at all.

If you think that you are the victim of an attack and want your website checked, you can rely on the security professionals here at Sucuri.
