Modern Approach to Website Defacement 

Modern Approach to Website Defacement 

Recently, in the course of their regular investigations, Cyble researchers have come across a modern approach to website defacement.  

Website Defacement is a type of cyberattack in which a threat actor hacks your website and leaves a mark through digital vandalism. This appears in the form of an appearance change with pictures and/or words scrawled across the defaced website. Most cyber-attacks conducted today like ransomware attacks are driven by financial gain. However, in the case of defacement, the attacker is not motivated by financial gain and instead wants to leave their mark with specific messages that can also be loaded with religious or political ideology. Website defacement adversely impacts the brand reputation which is a critical asset for organizations. 

Figure 1 Different messages by hackers on defaced websites 

Hackers can use multiple ways to hack into a website. But the most common way hackers employ in defacing a website is a known security vulnerability that is not patched. In the recent research conducted by Cyble, we discovered that Mass Defacement is the most common way in which attackers deface websites. 

Mass defacement – In the case of mass defacement, attackers leverage a known security vulnerability on servers like win2012, win2016, win 2008, FreeBSD, and F5 Big-IP. This is followed by running a publicly available exploit through the list of available domains/IP addresses to automatically deface the website and report it back to the threat actor. The image below showcases the statistics of defaced websites maintained by Zone-H.Source: 

Hackers use Google Dorks and Shodan Dorks to identify vulnerable servers or vulnerable plugins that can be used as attack surface for modifying the content of a website.  


Once they find the servers or plugins using Google Dork or Shodan search engine, they create a list of websites to be used for the mass defacement of websites. The next step for them is to run a script containing the exploit of the vulnerabilities that will automatically deface the websites and report the list of all such defaced websites to the attacker. For example, an attacker may target a specific type of vulnerability in IIS Servers which allows them to upload a shell on the server and take control of it, such as a server affected by CVE-1999-0360

The attacker will use the publicly available exploit for the specific CVE to upload the Malicious shell on the server. In the below image you can see a PUT request using which an attacker can upload a malicious script on the server which will give control to the attacker then they will deface the website. 

Figure 2 Exploit Code 

Figure 3 shell  

In certain sophisticated attacks, the actor uses Zero-Day vulnerability to deface the website. 

Below is the daily statics of such website defacement attacks, which shows that on an average, more than 1000 attacks take place every day. 

Chart, line chart

Description automatically generatedSource: 

A large number of hackers and hacking groups are involved in the defacement of websites, and some of the most active hackers are shown in the image below.  


Presently, hackers share scripts and code publicly on their website. Some even provide online tools to deface a website. Below is a screenshot of one of the attacker group websites that provides different kinds of scripts and tools required for hacking a website. 

The consequences of website defacement likely result in a blacklist from google search results and other search engines. This also impacts the trust of visitors as upon visiting the website, they are sure to see the signs of hacking. 

Cyble is continuously monitoring for these kinds of cyberattacks using its brand monitoring capabilities to inform clients of such a threat before it can take place. 

Our Recommendations: 

  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Always check for proper input sanitization which may cause xss, or Sql injection vulnerability. 
  • People concerned about their exposure in the Dark web can register at to ascertain their exposure.  
  • Give Admin privileges to only trusted and audited applications.  

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Scroll to Top