Sport and competition are a mainstay of the human spirit, and in that spirit we keep finding new ways to compete. A classic example is website defacement, where a malicious hacker compromises a website and uses the page itself to show off the conquest. A WatchGuard customer recently submitted a domain that they had flagged for phishing. We visited the page, epiphanygrowers[.]com, and quickly saw one threat actor’s take on defacement.
Initially, the page was blank with this pop-up window.
After clicking OK above, it brought another pop-up window.
A bit of a side track, but researching ‘Bang Jago’ led to the Indonesian meme ‘Ampun Bang Jago’, which is a popular song. You may not know the reference, since most of the audience here isn’t Indonesian, but you have likely heard the song if you saw the widely shared video of a fitness instructor working out in front of a Myanmar roadway while a coup was taking place behind her.
Continuing after clicking OK on the second pop-up window we arrived at this page.
The page looks a bit scary and worrisome, right? In the grand scheme of website compromises this is very tame, as it was only a website defacement. There wasn’t any hidden malware or attempt to steal credentials, as is commonplace. Website defacement on its own is generally considered a low-severity attack: if anything, it tells the website owner that the site is vulnerable while causing no further harm. The caveat is that a defacement proves the attacker had write access to the site’s content, and that same access could just as easily have been used to plant a credential-harvesting page or malware. This isn’t to condone the behavior of “hackers being hackers”, but to say that the website owner may have gotten off lightly.
As visible on the page, the text is a mixture of English and Indonesian. The photo has text on it that says “I am HAPPY”, and the line below says “Hacked By DevilXploit”. The next line is “Aku Mencintaimu , Tetapi kamu Mencintai Orang Lain :)”, which translates to “I love you, but you love someone else :)”. The last line, cut off at the bottom of the image, says “Ganteng Doang… Ndak Bisa Ngehek”. Google Translate renders this as “Only/Just Handsome … cannot be ridiculous”; since “ngehek” is Indonesian slang for “to hack”, the intended taunt is closer to “Just handsome… can’t hack”. The translations are courtesy of Google Translate.
We can find traces of the attacker DevilXploit online. A second website, rogueailer[.]com, was still compromised at the time of writing, and the same defacement page can be found there. A few defacement tracker websites had data on DevilXploit, including deface[.]id, zone-d[.]org, and zone-hack[.]org. One of the websites lists a user as Sacred Devil Xploit, which could be an alternative name for DevilXploit.
As website defacement is considered a sport by some, teams play a role. DevilXploit is associated with two teams: the Indonesia Defacer Team and the Kalimantan6eatar Xploit Sec team. The legend (seen below) shows the different avenues to earn points. The simplest is defacing just the homepage, as in the example shown above. There are further point opportunities for defacing additional pages on a domain, or for defacing important domains such as government websites.
Both epiphanygrowers[.]com and rogueailer[.]com have yet to be tallied. These websites may only act as archives rather than holding the most up-to-date data, as the latest cataloged defacement date we could see is January 9th, 2021.
Now, this defacement competition may be more competitive than expected. We first found DevilXploit’s defacement of epiphanygrowers[.]com on 3/13/2021, and when we returned to the domain on 3/17/2021 to write it up, we found it had been re-defaced by a new attacker, XNight.
The defacement page by XNight.
XNight seems to be a proud team player. They listed their teammates and their team, The Black Paper, on the defacement page. Like DevilXploit, you can find the attacker XNight and their team on the defacement competition websites. XNight has yet to be credited for defacing epiphanygrowers[.]com.
Website defacement isn’t only for sport. Hacktivists deface websites to protest an organization by posting an opposing view. While some websites may be low-value targets, a defacement can cause serious harm to others in terms of security credibility, or at least the public impression of it. Therefore, it is important to take preventative measures to avoid website defacement. Those include keeping your software updated, removing unnecessary plugins and updating the ones you keep, limiting privileged access to website editing, and conducting vulnerability tests to catch any holes before the attackers do. If a site is defaced anyway, treat it as evidence that someone obtained write access and find out how (a vulnerable plugin, stolen CMS credentials, an uploaded web shell) rather than simply restoring the page, or the next attacker will use the same door.
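The measures above are preventive; the check a site owner also wants is to notice a defacement before a customer reports it. The script below is an added example written for this article, not WatchGuard’s code or anything recovered from the compromised sites. It fingerprints a known-good copy of a page, compares a later copy against it, and separately scans for the kind of “Hacked By” banner seen on the pages above, so that a routine content edit reports as a change to review rather than a defacement alarm. The two HTML documents are constructed sample input; in production you would fetch the live page on a schedule and keep the baseline fingerprint in a store the web server cannot write to.

```python
import hashlib
import re

# Constructed sample pages for the example; not captured from any real site.
BASELINE_HTML = (
    "<html><head><title>Epiphany Growers</title></head>"
    "<body><h1>Welcome</h1><p>Fresh produce.</p></body></html>"
)
DEFACED_HTML = (
    "<html><head><title>Hacked</title></head>"
    "<body><h1>Hacked By DevilXploit</h1>"
    "<p>Aku Mencintaimu , Tetapi kamu Mencintai Orang Lain :)</p></body></html>"
)

# Phrases that commonly appear on defacement pages. Extend for your own environment;
# a marker list is a heuristic, so it complements the fingerprint check rather than replacing it.
DEFACEMENT_MARKERS = [
    r"hacked\s+by",
    r"owned\s+by",
    r"defaced\s+by",
    r"\bpwned\b",
]


def page_fingerprint(html: str) -> str:
    """SHA-256 of the page with runs of whitespace collapsed, so a harmless
    re-serialisation of the same content does not trip the change detector."""
    normalised = re.sub(r"\s+", " ", html).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def find_markers(html: str) -> list:
    """Return the marker patterns that match anywhere in the page, case-insensitively."""
    return [pat for pat in DEFACEMENT_MARKERS if re.search(pat, html, re.IGNORECASE)]


def title_of(html: str) -> str:
    """Extract the <title> text, or '' if the page has none."""
    match = re.search(r"<title>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return match.group(1).strip() if match else ""


def check_page(html: str, baseline_fingerprint: str, expected_title: str) -> dict:
    """Compare a freshly fetched page against the stored baseline.

    Verdicts:
      OK       - content identical to the baseline (ignoring whitespace)
      CHANGED  - content differs but no defacement marker was found; review it
      DEFACED  - a defacement marker is present; alert immediately
    """
    fingerprint = page_fingerprint(html)
    markers = find_markers(html)
    title = title_of(html)
    content_changed = fingerprint != baseline_fingerprint
    title_changed = title != expected_title

    if markers:
        verdict = "DEFACED"
    elif content_changed:
        verdict = "CHANGED"
    else:
        verdict = "OK"

    return {
        "verdict": verdict,
        "content_changed": content_changed,
        "title_changed": title_changed,
        "title": title,
        "markers": markers,
        "fingerprint": fingerprint,
    }


if __name__ == "__main__":
    # Baseline taken from the known-good copy; store this somewhere the web server cannot modify.
    baseline = page_fingerprint(BASELINE_HTML)
    for label, html in (("baseline", BASELINE_HTML), ("defaced", DEFACED_HTML)):
        result = check_page(html, baseline, "Epiphany Growers")
        print(f"{label}: {result['verdict']} title={result['title']!r} markers={result['markers']}")
```

The fingerprint is what catches a quiet defacement of an inner page that carries no banner, and the marker scan is what separates a legitimate edit from an attacker’s calling card, so run both and page an on-call person only for the DEFACED verdict.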