Sucuri researchers spotted a campaign of website defacements that uses an obfuscation technique which not only makes detection difficult but also keeps search engines from flagging the compromised site as a dangerous resource.
When a search engine indexes a website, its robots check the source code for text and metadata; because image files cannot be crawled, an image does nothing to help search engines identify a potential threat on the compromised site, the researchers said in an April 11 blog post.
This is a problem because images can be used to hide malware such as banking trojans from Google, or to hide malicious activity from the site's owner, which means the attacker could further compromise the site and spread more malware under the radar, the post said.
“The most unique feature of this attack is that it cannot be detected by scanning tools and if there is no meta data (like in the case we described) it cannot be indexed by the search engines,” Yuliyan Tsvetkov told SC Media. “That's why it is hard to detect by a webmaster who does not open the site on a regular basis, or if there is no specific monitoring for the content of the website (the monitoring tools usually use the content of the website to monitor its uptime, not only ping).”
The main goal of the attacker is to prove a point, and the longer the defacement page stays live, the more time the attacker has to show off. In the case observed, the image defacement stays undetected by search engines, which extends the lifespan of the attack.
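The quote above makes the practical point: a monitor that only pings the site, or only checks that it returns HTTP 200, will not notice an index page that has been swapped for a single image. The following check is an added illustration for this article, not code from Sucuri or SC Media. It parses the page's visible text, fingerprints it against a stored baseline, and separately flags a page whose visible text has collapsed to almost nothing while an image remains. The HTML samples are constructed for the example; the `fetch_html` helper and the 20-word threshold are assumptions of this illustration.

```python
"""Content-aware defacement check for a site's index page.

Added illustration (not Sucuri's or SC Media's code). Instead of pinging
the host, it compares the visible text of the page against a baseline
fingerprint and also flags "image-only" pages, which is what an image
defacement with no metadata looks like to a crawler or a text scanner.
"""
import hashlib
import re
import urllib.request
from html.parser import HTMLParser


class _TextAndImages(HTMLParser):
    """Collect visible text (outside script/style) and img src values."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.images = []
        self._skip = 0  # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "img":
            self.images.append(dict(attrs).get("src", ""))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_parts.append(data)


def visible_text(html):
    """Return (normalised visible text, list of image sources)."""
    parser = _TextAndImages()
    parser.feed(html)
    text = re.sub(r"\s+", " ", " ".join(parser.text_parts)).strip()
    return text, parser.images


def fingerprint(html):
    """SHA-256 of the visible text only, so markup-only changes are ignored."""
    text, _ = visible_text(html)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def assess(html, baseline_fp, min_words=20):
    """Return a list of findings; an empty list means the page matches."""
    text, images = visible_text(html)
    findings = []
    if fingerprint(html) != baseline_fp:
        findings.append("content-changed")
    # Assumed heuristic: a page with an image but fewer than min_words words
    # of visible text resembles an image-only defacement.
    if len(text.split()) < min_words and images:
        findings.append("image-only-page")
    return findings


def fetch_html(url, timeout=10):
    """Fetch a page for a live check (assumed helper; not used in the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample pages for the demonstration.
BASELINE_HTML = """<html><head><title>Example Bakery</title>
<style>body{font-family:sans-serif}</style></head>
<body><h1>Example Bakery</h1>
<p>Fresh bread, pastries and cakes baked every morning. Visit our shop
on Main Street or order online for same day delivery across the city.</p>
<img src="/img/storefront.jpg" alt="storefront"></body></html>"""

# A legitimate edit: the text changed, but it is still a real page.
EDITED_HTML = BASELINE_HTML.replace(
    "Fresh bread, pastries and cakes baked every morning.",
    "Our holiday opening hours are now posted. Fresh bread, pastries and "
    "cakes baked every morning, with online orders taken before noon.")

# The index page replaced by a single image and nothing else.
DEFACED_HTML = """<html><body><img src="/hacked.jpg"></body></html>"""

BASELINE_FP = fingerprint(BASELINE_HTML)  # store this when the site is known-good

if __name__ == "__main__":
    for name, page in (("baseline", BASELINE_HTML), ("edited", EDITED_HTML),
                       ("defaced", DEFACED_HTML)):
        print(name, assess(page, BASELINE_FP))
```

In operation the baseline fingerprint is recorded once from a known-good copy of the page and the check runs on a schedule against `fetch_html(url)`; a `content-changed` finding on its own may be a legitimate edit and warrants a re-baseline, while `image-only-page` on a page that used to carry text is the pattern described in the article.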
Tsvetkov said attackers aren't targeting any particular type of site but are instead going after websites with poor security policies. Site owners can protect themselves from these attacks with good cybersecurity hygiene: strong passwords that are changed frequently, continuous monitoring of the site key, and strong passwords for their SFTP/FTP accounts.
“Never keep your passwords unchanged for a long time as your FTP/SFTP accounts might be brute-forced and you will not know that,” Tsvetkov said. “Also we suspect that in some cases there are remote execution vulnerabilities that allow the attackers to change the victims' index files, or even delete the whole site and place only the defaced image + php code.”