Defaced websites are a type of hack that is easy to notice and a pain for website owners. Recently, we came across some defacement pages with a peculiar JavaScript injection included in the source code.
What is a Defacement?
Website defacement is a hack that often involves adding malicious images to the website homepage and other important pages. Beyond the initial embarrassment, the effects of defacement can include loss of traffic, revenue, and trust in your brand.
Defacements are usually simple, requiring little technical knowledge. Hackers often use them to spread awareness of an issue and it’s often referred to as “hacktivism” – whether social or political.
A defaced website also adversely affects the way your audience relates to your brand. This is especially true if you have an e-commerce site, because potential customers may believe that security is an issue on your site and can be lost forever.
How Often Do You See Defaced Websites?
In our latest hacked website trends report, we show that website defacements make up about 5.5% of the malware families we tracked in 2017. This is an increase of 1.5% compared to the total compromised websites cleaned by Sucuri in 2017.
Since a defacement is highly visible, they are usually noticed right away by visitors. Therefore, website owners deal tend to deal with them quickly.
When looking for defacements, most security scanners search for keywords, such as “hacked by ____”.
The JavaScript Injection
As you will see below, this JavaScript injection is peculiar as it seemingly provides no benefit to the hacker:
The injected JavaScript code contains some details from the client’s connection to the HotSpot Shield VPN server, then runs a JavaScript file from box.anchorfree.net
This type of content has not been seen in any other form of malware; only the typical “Hacked by _____”, or “Owned by _____” message, or an otherwise unwanted defacement of someone’s website.
The HotSpot Shield Free VPN
A single Google search revealed that anchorfree.net is associated with the popular HotSpot Shield VPN. It has millions of downloads in the Google Play Store alone (HotSpot Shield VPN also offers browser plugins for non-mobile users).
There is a free and a paid version of their VPN service. However, in the last year or so, there have been demands for federal authorities to investigate them for deceptive practices, detailed in the official complaint against them.
So what does this have to do with hackers and their defacement pages? Well, we know (in the majority of cases) hackers want to be anonymous. Nowadays, that usually involves using at least one VPN or more.
Nevertheless, hackers (or script kiddies) who perform defacements are often inexperienced. They may lack the suspicion one should have when dealing with “free” services, like HotSpot Shield VPN, or any other free online services. The question they should ask is, how do they monetize their operation?
HotSpot Shield’s particular form of monetization is to inject JavaScript code into the browser requests of their non-paying users (we don’t know if this is true for the premium paid version). The malicious code is then used with additional JavaScript from a few other third-party domains:
The snippet above is just a small excerpt of the nearly 2,000 lines of JavaScript. The code includes hidden CSS styling and an invisible iFrame, both popular method of delivering JavaScript payloads. As well, this code from the attacker-controlled domain uses tracking images and injects advertisements into the client’s browser.
Hackers Can Be as Vulnerable as Anybody Else
The purpose of explaining how HotSpot Shield VPN works is to show that even hackers can be victims of one of the biggest hurdles in website security: the human’s ability to override otherwise secure settings.
This is most common instance is downloading some type of software – in this case, a free VPN service –unknowingly exposing the user to malware or PUPs (potentially unwanted programs).
Another common instance of this human factor is social engineering; a psychological manipulation that is performed in order to obtain personal information or to have somebody perform unwanted actions.
In short – it is very important to always be suspicious of products advertised as “free”. One must ask what the product or service may be giving away, taking advantage of, or exposing in exchange for their free service.
What Happened to the Defaced Websites?
In these defacement cases, the inexperienced hacker relied upon a free VPN service that unknowingly injected JavaScript to his browser.
When the attacker created the defacement page (through an online editor or browser interface), this caused the HotSpot Shield VPN JavaScript to get passed as text to the page, rather than executing within the client’s browser as it was intended.
How Can I Protect My Website Against Defacement?
If you are concerned your website could be defaced, we highly advise taking precautions. First of all, have a website application firewall activated in your website so you reduce the risk of having a website infection. Then, have a good backup solution to ensure you can get up and running in case of a catastrophe.