Trend Micro was recently involved in assisting with an incident involving the website of the Office of the Prime Minister of Singapore.
At first, it seemed that the website had been defaced by the well-known hacktivist collective Anonymous. On November 8, 2013, visitors to the site were reporting that they were seeing the image below.
The world has been on heightened alert for possible activity by Anonymous because of Guy Fawkes night on November 5, 2013, and website defacements of political sites are a common tactic of the group. So when visitors saw this on November 8, it seemed like another political site had been hacked by the group.
But not everything is as it seems. Our teams worked with the Prime Minister’s Office on this issue and found that the website hadn’t been defaced. Our research found first of all that this was only being seen by people who came to the site by way of social media. Direct visitors to the site weren’t seeing this image.
Looking more closely, our researchers realized what was going on. The Prime Minister’s website suffered from a cross-site scripting (XSS) vulnerability that made it possible for people to craft URLs for the website so that, when users clicked on them, it seemed that they were on the site and that it had been defaced. The “defacement” was actually hosted elsewhere.
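As an added illustration, not code from the original post or from Trend Micro, this is the shape of the flaw described above: a page that echoes a query parameter into its HTML without encoding, shown next to the encoded version, plus a small triage check for links shared on social media. The host names, the parameter name `q` and the sample URL are constructed for the example; the real vulnerable parameter is not given in the post.

```python
import html
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: a link of the kind shared on social media, carrying
# markup in a query parameter that points at an image hosted elsewhere.
# The hostnames and the parameter name "q" are hypothetical.
CRAFTED_URL = (
    "https://www.example.gov/search?q=%3Cimg%20src%3D%22https%3A%2F%2F"
    "third-party.example%2Fbanner.png%22%3E"
)

# Defence-in-depth header for the hardened site: even if encoding is missed
# somewhere, the browser will not load images from other origins.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; img-src 'self'"


def query_param(url: str, name: str) -> str:
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflected XSS: the parameter is echoed into the HTML as-is, so any
    markup it carries is interpreted by the browser and the page looks
    'defaced' even though the server content is unchanged."""
    return f"<h1>Results for: {query}</h1>"


def render_hardened(query: str) -> str:
    """Same page with output encoding: the parameter is shown literally."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def has_reflected_markup(url: str) -> bool:
    """Triage helper for links seen in referer logs or social-media posts:
    flag URLs whose decoded query string contains HTML tag characters."""
    decoded = unquote(urlparse(url).query)
    return "<" in decoded or ">" in decoded


if __name__ == "__main__":
    q = query_param(CRAFTED_URL, "q")
    print("flagged:", has_reflected_markup(CRAFTED_URL))
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
```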
There’s no evidence that Anonymous was involved in this (though also no evidence that they weren’t). But one lesson from this is that things aren’t always what they seem. Another lesson is that, thirteen years after cross-site scripting was first understood, it’s still a major problem even for professional websites, and that manual inspection just doesn’t work. While all the attention may be on the shiny APT problem, good old-fashioned web and infrastructure attacks are still a problem. Criminals don’t drop one focus for another: they keep adding new ones. This underscores why additional protections for web and infrastructure are still needed to help keep problems like this under control.