Hacktivism and Website Defacement: Motivations, Capabilities and Potential Threats

HACKTIVISM AND WEBSITE DEFACEMENT... ROMAGNA & VAN DEN HOUT
VIRUS BULLETIN CONFERENCE OCTOBER 2017
Marco Romagna & Niek Jan van den Hout
The Hague University of Applied Sciences,
The Netherlands
Email {m.romagna, n.j.vandenhout}@hhs.nl
ABSTRACT
Hacktivism and website defacement seem often to be linked:
websites are defaced by hacktivists on a daily basis for many
different reasons. However, due to a lack of studies of this
phenomenon, it remains unclear as to what, exactly, their
socio-psychological motivations are, what their modus
operandi is, and whether the combination of these factors
poses a serious threat to corporations and governmental
organizations.
In order to answer these questions, this paper provides a
qualitative analysis of the motives and intentions of
hacktivists, and a qualitative analysis of their modus operandi.
It seems that hacktivists who deface websites have multiple
ideological and psychological motivations for their actions.
Although the socio-political motivations appear to be the most
important, other triggers – such as thrill seeking and increasing
self-esteem – also play a relevant part. The investigation into
the modus operandi has revealed that hacktivists often use
known and relatively unsophisticated vulnerabilities and
techniques. In addition, they use publicly available tools, but
are also able to create their own. Targets seem to be chosen
based either on how easy they are to hack and/or on the
potential amount of attention the defacement is likely to
receive. The methodology of this research involves an
extensive review of the existing literature on the topic,
corroborated by several interviews with hacktivists and experts
in the field of information and cybersecurity. The researchers
conducted an analysis of forensic data gained from a honeypot
server created ad hoc for this research, and examined technical
data from over 7 million defacements based on the dataset of
the Zone-H Defacement Archive.
INTRODUCTION
In March 2017, between Sunday 11 March and Monday 12
March, many Dutch websites were allegedly targeted by
Turkish hacktivists following a political spat between the
Netherlands and Turkey [1]. The trigger for the attacks was the
refusal of the Dutch government to allow Turkish officials to
enter the Netherlands in order to rally expat voters for the
upcoming Turkish constitutional referendum (Fox-IT¹ [2]). The
campaign became known as the ‘Netherlands Operation’.
Dutch domains were not the only targets of the attackers, who
mainly employed DDoS, website defacements and social
network account defacements as forms of disruption.
¹ Fox-IT is a Dutch company, part of NCC Group, that works in the
fields of cybersecurity and risk mitigation, and helps businesses to
protect their brand, value and reputation against the ever-evolving
threat landscape.
According to CNBC journalist Arjun Kharpa [3], hundreds of
Twitter accounts, from those of media outlets to those
belonging to celebrities, were hacked and branded with the
Turkish flag and messages in Turkish. In its analysis of the
attack, Fox-IT [2] noted that many of the methods and
techniques used were relatively simple and could have been
executed by any person with basic hacking knowledge and
skills.
This episode might lend credence to two hypotheses: 1) the
cybersecurity of many websites is still low, considering the
fact that the methods used for defacement are usually quite
simple; 2) website defacement still plays a relevant role
among hacktivists, and is one of their favourite tools for
promoting ideological and socio-political goals. As Samuel [4]
noted, a ‘site defacement consists of hacking into a web server
and replacing a web page with a new page bearing [… a
socio²]-political message’. At the time Samuel wrote this, in
2004, there were probably several defacements that targeted
specific organizations, as hacktivists wanted to make a
statement, to criticize those precise organizations (normally
corporations or governments) [4].
An early example is an attack against the US Department of
Justice web server that dates back to 1996. In the first known
defacement launched by hacktivists, the protests were directed
against the Communications Decency Act (CDA) with its
provisions for screening offensive material online [5].
Hacktivists reacted in a very provocative way, displaying on
the homepage of the Department the words ‘Department of
Injustice’ and showing pornographic images.
Nowadays, we witness a different tendency: during the
‘Netherlands Operation’, conducted by Turk Hack Team and
by other groups, hacktivists did not limit their defacements to
specific websites that could have been connected in some way
with the Dutch-Turkish tensions (such as law enforcement
agencies or government websites), but randomly chose web
pages that were completely unrelated to the political issue (as
long as they were registered as Dutch domains). The situation
was different for the DDoS attacks, where hacktivists hindered
the websites of the Dutch police, some political parties (VVD,
PVV) and media outlets (NOS and The Telegraph) [2]. This
trend seems to be confirmed in the analysis of the data
provided by the Zone-H Defacement Archive³, and in the
words of some of our interviewees.
Hacktivists now seem more likely to deface any websites with
poor security measures (no matter the topic of the site) in
order to spread a message. It therefore appears that the target
per se is no longer so important, while the visibility
(calculated on the number of defaced websites) represents the
main element. In a way, this becomes even more true when the
defacements are part of larger attacks that fall under the
concept of cyberwar between different countries [4]. An
example is provided by the geo-political Indo-Pakistani
tensions: hacktivists, or so-called state-sponsored hacktivists,
tend to deface any websites with poor security measures
regardless of the content, as long as the domain is Indian (for
Pakistani hacktivists) or Pakistani (for Indian hacktivists). In
2 Words in brackets are ours.
3 Zone-H Defacement Archive (hereafter Zone-H Archive) is a freely
available database that has recorded website defacements since 2001.
The database is open for general consultation at the URL
http://www.zone-h.org/. For specifi c data, the company that manages
the database levies a service charge.
HACKTIVISM AND WEBSITE DEFACEMENT... ROMAGNA & VAN DEN HOUT
2VIRUS BULLETIN CONFERENCE OCTOBER 2017
more spectacular operations, hacktivists attempt to target
government websites, aiming both to make a direct statement
against a government on its web page, and to shame it by
exposing its inability to keep its websites safe.
This paper will attempt to clarify what connections exist
between website defacement and hacktivism, answering the
following questions:
• What is the link between hacktivism and website
  defacement?
• What are the motivations and the modus operandi of
  hacktivists that engage in website defacement?
• To what extent does website defacement represent a
  threat when linked to hacktivism?
The paper is structured in five main parts: first we will explain
what we mean by the terms ‘hacktivism’ and ‘website
defacement’, and how the two are connected. Then we will
describe, step by step, the methodology that has been used to
retrieve data and conduct the investigation. In the third part,
we will provide insights into the motivations that push
hackers in general and hacktivists in particular to engage in
website defacements. In the fourth section we analyse the
modus operandi and the tools used, and finally we draw some
conclusions.
CONCEPTUALIZING HACKTIVISM AND
WEBSITE DEFACEMENT
Hacktivism is a complicated phenomenon and it can be
interpreted in different ways [6]. In this paper we borrow part
of the definitions provided by Milan ([6], p.550) and Denning
([7], p.241) and we describe it as the sum of ideologies,
individual and collective actions typical of traditional
activism, applied in cyberspace through the use of hacking
techniques, while addressing or exploiting network
infrastructure’s technical and ontological features, with the
final goal of reaching a socio-political change in society.
Looking at the general history of hacktivism, we follow the
path of previous studies and research that mainly identify it as
the sum of group/team operations rather than of single
individuals’ actions [4, 6, 8]. This point is in line with the
traditional organizational structure of activism and it clarifies
why, in our definition, we apply the concept of collective
action given by Melucci ([9], p.43), who describes it as ‘the
result of purposes, resources, and limits, as a purposive
orientation constructed by means of social relationships
within a system of opportunities and constraints’. The role
played by the group has an undeniably important part in
deciding the socio-political approach, the ideological beliefs,
the operational lines and the targets, but as Milan [10] points
out, the individual in hacktivism still has a fundamental
function because the ‘we’ essentially is the sum of the various
self-contained ‘I’s ([10], p.89). The person is still independent
in the group, likely as a consequence of the fact that the
technical component (coding and hacking) is primarily based
on individual skills, and the tasks within the group are
assigned mainly considering the technical expertise of each
member ([6], p.556). This is a tendency that also seems to
exist among defacements performed in the name of
hacktivism; our interviewees confirmed that the operations
per se are likely the result of team work, but that every
member has a specific role, a tailored task and a certain
number of domains to target.
The definition of website defacement is less debatable than
that of hacktivism; nevertheless, there is still some uncertainty,
prompting us to provide our view: by website defacement we
mean the act of disfiguring without authorization a location
on the Internet. On the one hand, we embrace the definition
given by Samuel ([4]:8) as an attack on a website that
changes the visual appearance of the whole site or of one or
more web pages; on the other hand, since we deliberately use
the word location in our definition, we enlarge the concept
not only to the disfigurement of a traditional HTML page, but
also to unauthorized changes on social network accounts such
as Facebook or Twitter (as happened during the ‘Netherlands
Operation’). We do understand that the techniques used differ
broadly and that website defacements are more interesting
from a technical perspective. We also had to take into account
the fact that our interviewees and Zone-H Archive do not deal
with attacks on social networks. For these reasons, our
analysis will focus only on HTML defacements, but we think
that it would be useful to widen the scope of the definition for
future research activities.
METHODOLOGY
The scientific literature on website defacements is scarcer
than we had expected when we started to draft this paper, and
the availability of literature dealing with defacements and
hacktivism is even poorer. Therefore we investigated the
topic, looking for previous works on hackers in general, on
hacktivism in particular, and on how website defacements are
conducted and what consequences they bring. We combined
the literature with some interviews and an analysis of the
Zone-H Archive. The research produced the results we will
present in this paper and gave us enough room to formulate
explorative questions and possible answers. The findings
presented in this paper are based on qualitative and
quantitative analysis.
For the qualitative part, we tried to get in contact with
hacktivists that had been particularly active in defacing
websites during the last year (January – December 2016). In
order to find out who the groups or single hacktivists were,
we checked the Zone-H Archive. Zone-H provides a database
that has been recording website defacements since 2001,
registering for every attack some specific characteristics:
targeted domain; attack date; attack time; attacker’s
nickname; operating system of the attacked website; web
server of the attacked website; attack methodology; attack
typology; new attack/re-defacement; intrusion level
(homepage/subdir); status (verified/to be verified);
single/mass defacement; flag. The person who fills in the form is
also required to indicate the motivation that triggered the
defacement. Considering that our main topic for this research
is hacktivism, we decided to examine only the attacks
conducted for ‘political reasons’ and for ‘patriotism’ between
January 2016 and December 2016. We then filtered the
database selecting these two motivations and checked which
were the 25 most active groups or individuals. Next, we
looked for possible contacts in order to communicate with
them. We examined the mirror pages that had automatically
been saved by Zone-H, as we had noticed that many
hacktivists leave their signatures or even contacts such as
emails, websites or social network accounts on the defaced
pages. This turned out to be a good source of information. We
noticed that the individuals with a Twitter account were the
most interested in starting a discussion with us. As often
happens with people who engage in illegal activities (website
defacement violates several laws in different countries), only
five out of the 25 individuals we tried to contact agreed to
answer our questions. For the interviews we used two
methods:
- Structured interviews conducted using a closed
questionnaire consisting of 15 questions that addressed
hacktivism in general and website defacement in
particular; the questionnaire was sent to those groups or
individuals that only provided an email address as a form
of contact.
- Semi-structured interviews for those that were reachable
with synchronous tools (chat, instant messenger in
Twitter, Facebook, ICQ); this form of communication
seems better adapted to these conversations and gave us
more opportunities to direct the discussion and the
focus towards interesting topics or information that
came up during the talk. Moreover, it gave us time to
read the answers and ask for another chat with new
questions based on the answers from the previous
discussion.
The quantitative analysis was conducted focusing on the data
of Zone-H Archive for the period January 2016 – December
2016, but to have a clear overview of defacements in general
we will provide some data that dates back to January 2010. To
our knowledge, Zone-H Archive is the only available database
that has been recording website defacements. From 2010 to
2016 there were more than 7 million recorded attacks. We
noticed that the motivations provided by the individuals are
not always reliable (this has been confirmed by the company
that manages the archive), but with the right corrections, we
tried to provide a good insight both into this particular
technique and into how it is linked to hacktivism. It is not
possible to state whether a defacer has actually been
motivated to act for political reasons or patriotism, but
skimming through dozens of mirror sites, we have noticed
that the motivation usually corresponds to that provided in
Zone-H Archive.
MOTIVATIONS AND INTENTIONS
In order to better understand hacktivism and the potential
threat it represents, this section offers an overview of the most
common motivations stated by hacktivists when defacing a
website. Although hacktivists are by definition driven
primarily by achieving socio-political change [4, 6, 8], their
behaviours and reasons for engaging in hacking cannot
completely be explained just by these kinds of motivations.
Many of the websites they deface do not have any
connections with the socio-political change they seem to be
seeking [11] and, as suggested by Denning [7], there are more
effective ways to reach it. According to Samuel [4],
hacktivists often choose a political agenda after they have
already decided to become politically active. These factors
suggest that there have to be other, secondary circumstances
that drive hacktivists to deface websites. Considering the
existing literature, motivations can roughly be divided into
two categories, namely socio-political and personal.

Figure 1: Total number of website defacements and division by single category in the period 2010-2016.
(Source: Zone-H Archive.)

| Category | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 |
|---|---|---|---|---|---|---|---|
| Total number of defacements | 1,418,687 | 1,608,893 | 1,192,291 | 1,391,457 | 1,150,449 | 1,010,478 | 888,064 |
| Heh…just for fun | 829,429 (58.46%) | 818,863 (50.9%) | 548,566 (46.01%) | 674,983 (48.51%) | 681,781 (59.26%) | 630,107 (62.36%) | 538,187 (60.60%) |
| I just want to be the best defacer | 289,637 (20.42%) | 330,184 (20.52%) | 228,369 (19.15%) | 269,798 (19.39%) | 224,465 (19.51%) | 152,921 (15.13%) | 141,580 (15.94%) |
| Not available | 94,028 (6.63%) | 97,541 (6.06%) | 111,483 (9.35%) | 232,145 (16.68%) | 84,954 (7.38%) | 70,045 (6.93%) | 58,805 (6.62%) |
| Patriotism | 59,009 (4.16%) | 123,651 (7.69%) | 54,936 (4.61%) | 30,396 (2.18%) | 21,742 (1.89%) | 24,880 (2.46%) | 39,532 (4.45%) |
| Political reasons | 57,081 (4.02%) | 92,685 (5.76%) | 93,239 (7.82%) | 67,276 (4.83%) | 59,917 (5.21%) | 61,383 (6.07%) | 52,492 (5.91%) |
| Revenge against that website | 45,049 (3.18%) | 73,764 (4.58%) | 80,924 (6.79%) | 59,125 (4.25%) | 40,608 (3.53%) | 36,091 (3.57%) | 27,532 (3.1%) |
| As a challenge | 44,454 (3.13%) | 72,205 (4.49%) | 74,774 (6.27%) | 57,734 (4.15%) | 36,982 (3.21%) | 35,051 (3.47%) | 29,936 (3.37%) |

Table 1: Total number of website defacements (and percentages), and their division by single category in the period 2010-2016.
(Source: Zone-H Archive.)

As shown in Figure 1 and Table 1, website defacements
registered a general decrease in the period 2010-2016: the
peak was reached in 2011 (1,608,893), while the total number
dropped to 888,064 (almost half) in 2016. Zone-H Archive
allows attackers to explain (in broad categories) why they
conducted the defacements. ‘Fun’ has been by far the most
common reason, followed at a considerable distance by the
goal of being the ‘best defacer’. Defacing websites for fun
decreased by almost 300,000 attacks, but it is relevant to note
that since 2012 its percentage of the total annual number of
attacks has continued to grow. We do not know who really is
behind these defacements, but based on general knowledge,
such a motivation seems more in line with the behaviour of a
script kiddie than with that of a grown-up hacker.
Nevertheless, we have to be careful in drawing fast
conclusions, as ‘fun’ can have different meanings in relation
to the person who has fun: it might be that a script kiddie
defaces for fun because he/she feels a thrill, but it might also
be that a skilled hacker finds it ‘fun’ (meant in this case as
challenging) to deface websites, providing a different
interpretation of the concept.
The significant decline in defacements can have at least three
different explanations: the first may be practical, since defacers
might not be interested in reporting their actions to Zone-H
anymore. Nevertheless, we believe this to be the least plausible
option, as generally speaking the people involved in these kinds
of activities seem to like or even seek a certain level of
attention [12], and therefore reporting the attack to Zone-H
would be one of the best chances for them to gain visibility.
The second explanation is linked to cybersecurity: it might be
that many websites have significantly improved the security of
their web pages and therefore the hack requires more effort and
time compared to some years ago (this explanation seems more
acceptable, but as the ‘Netherlands Operation’ proved, many
vulnerabilities remain unpatched and can easily be exploited
[2]). Finally, hackers may find website defacements less
interesting than in the past and prefer to spend energy and
resources on more sophisticated and technically advanced
operations, that would likely also give higher rewards (for
instance more information on the target, more
acknowledgement in the hacking scene, and so on).
Table 2 and Figure 2 focus on the connections between
defacements and hacktivism and its socio-political sphere; the
trend observed in the options analysed (political reasons and
patriotism) has remained quite stable in the last six years:
patriotism covers 4.45% (steadily growing since 2013), while
defacements conducted for political reasons reach an overall
percentage of 4.98.

| Category | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | Total 2010-2016 |
|---|---|---|---|---|---|---|---|---|
| Total | 1,418,687 | 1,608,902 | 1,192,300 | 1,391,467 | 1,150,453 | 1,010,478 | 888,064 | 8,660,351 |
| Patriotism | 59,009 (4.16%) | 123,651 (7.69%) | 54,936 (4.61%) | 30,396 (2.18%) | 21,742 (1.89%) | 24,880 (2.46%) | 39,532 (4.45%) | 354,146 (4.08%) |
| Political | 57,081 (4.02%) | 92,685 (5.76%) | 93,239 (7.82%) | 67,276 (4.83%) | 59,917 (5.21%) | 61,383 (6.07%) | 52,492 (5.91%) | 484,073 (5.59%) |
| Political & patriotism total | 116,090 (8.18%) | 216,336 (13.45%) | 148,175 (12.43%) | 97,672 (7.03%) | 81,659 (7.10%) | 86,263 (8.54%) | 92,024 (10.36%) | 838,219 (9.67%) |

Table 2: Number of website defacements conducted for ‘patriotism’ and ‘political reasons’ divided by year and in total, in the
period 2010-2016. (Source: Zone-H Archive.)
Figure 2: Number of website defacements conducted for ‘patriotism’ and ‘political reasons’ divided by year and in total, in
the period 2010-2016. (Source: Zone-H Archive.)
* These values have been corrected after the publication of the paper, but they
did not affect the final results. In fact the mistake was only present in the sum
shown in Table 2, while the data analysis and the other tables were done with
the correct data.

We do not know if there is a connection, but during what
looked like the peak of Anonymous’ operations in 2011-2012,
Zone-H registered the highest number of attacks (especially
for political reasons). This does not mean that Anonymous’
members were more active in defacing websites, but it might
suggest that the general atmosphere of that period could have
encouraged other hackers to engage in these activities.
Figure 3 shows instead the general overview when comparing
the complete set of data on website defacements to those
carried out for reasons linked to hacktivism. As we noted
above, the trend of defacements conducted for patriotism and
political reasons runs counter to the
general trend, which registers a net reduction.
Socio-political motivations
As shown in Figure 1, socio-political motivations represent
the main trigger for hacktivists, but it should be noted that
they embrace many issues. From the mid-1990s hacktivists
have defaced websites to promote goals or draw attention to a
wide variety of issues [4]; these are in line with the typical
values held by the traditional activist movements that have
appeared on the international scene since the late 1970s and
that have been identified with the ‘New social movements’, as
theorized by Melucci [9]. To name a few, they have engaged
in: anti- or alternative globalization protests against
corporations, protests in support of human rights and of the
environment, actions to criticize domestic or international
politics of a certain state [4, 13], anti-war statements, and
even revenge. The scope of their operations is clearly broad.
Examples of the last two can be found during the Kosovo
conflict in 1998-1999: many hacktivists engaged in DDoS
attacks, defacements and website hijacking to protest against
the war and the countries involved in it. Chinese hacktivists
specifically targeted several American government websites
to show their disapproval and condemnation after the US Air
Force had erroneously bombed their embassy in Belgrade [5].
Patriotism
While the political sphere has quite a broad spectrum, the
defacements conducted for patriotism are more specific and
seem mainly to be related to regional or international
conflicts. As noted by Samuel [4], international geo-political
tensions and conflicts can easily develop into attacks within
cyberspace. Some authors tend to speak in this case of
cyberwar [7], but we feel more confident in using the terms
‘cyber skirmish’ or ‘cyber guerrilla’. The Kosovo conflict is
again a good example of how patriotism is connected to
defacements. Indeed during the fight, two factions confronted
each other: many hacktivists/hackers defaced websites,
leaving messages that praise a ‘Free Kosovo’; at the same
time, nationalistic Serbian hacktivists/hackers like Serb Black
Hand engaged in heavier forms of cyber attacks, even
targeting NATO’s computer networks [7].
Another relevant example is provided by the continuing
geo-political tensions between India and Pakistan: both
Samuel [4] and Kovacs [14] have examined the skirmishes
among Indian and Pakistani hacktivists related to the ongoing
Kashmir conflict [4, 14]. An analysis of the Zone-H Archive
data has shown that the two factions, which apparently
involve dozens of hacktivists, have engaged in the
defacements of opposite domains: Pakistani hacktivists deface
Indian websites and Indian hacktivists attack Pakistani web
pages. The history of hacktivism is full of similar examples
[15]: recently we have witnessed an escalation in defacements
that support the Islamic State of Iraq and Syria (ISIS) [16]
and others focused on the Israeli-Palestinian conflict [13, 17,
18]. In one interview with a member of Tunisian Fallaga
Team (one of the most active hacktivist groups based on
Zone-H’s data), we asked how he would define his hacking
activity and if it could be described as hacktivism. He replied
saying that he ‘loves’ calling it hacktivism and that his
message is always about a free Palestine and about all the
innocent people killed around the world, with particular focus
on Muslims [19].
Denning ([7], p.272) shows that patriotism can also be
motivated by causes that do not relate directly to international
conflict, but are instead connected to internal struggles. An
example is the defacement of 40 Indonesian websites in
September 1998 which displayed the slogan ‘Free East
Timor’ in large black letters and contained links to other
websites describing Indonesian human rights abuses in the
former Portuguese colony.
Figure 3: Comparison among total defacements (grey area right axis) and defacements conducted for political reasons/patriotism
(left axis), in the period 2010-2016. (Source: Zone-H Archive.)
As shown in Table 1, 869,874 websites were defaced for
reasons of patriotism between 2010 and 2016. Considering
that this motivation is more specific than the general
socio-political one, it is possible to conclude that patriotism is the
primary cause of website defacements among hacktivists.
When speaking of patriotic hacktivism, it is always necessary
to be careful and to distinguish it from state-sponsored
hacktivism: in the latter case, hacktivists are encouraged or
even supported by a state to engage in cyberattacks or cyber
protests, while in the former the motivations belong only to
the hacktivists. The problem with state-sponsored hacktivism
is that it is impossible to distinguish from traditional patriotic
hacktivism.
Hacker ideology
Other issues that seem to motivate hacktivists when defacing
websites are those related to typical hacker values and
ideologies. Levy [20] provides a great insight into these
principles, tracing them back to what he calls ‘The Hacker
Ethic’. According to Levy there are five main principles that a
hacker should pursue:
• Promote the freedom of information
• Mistrust the authority and promote decentralization
• Judge a hacker by his/her hacking skills and not by
  criteria such as degrees, age, race, or position
• Create (if possible) art and beauty on a computer
• Use computers to improve the quality of life.
The first two points in particular have often played an
important role in hacktivists’ ideology, as is also supported by
the research conducted by Coleman [21] into the well-known
hacktivist group Anonymous. An example of this typology is
the defacement of almost 500 Chinese websites carried out by
Anonymous [22] in reaction to censorship by the Chinese
government. On the defaced pages they wrote ‘Chinese
People, your government controls the Internet in your country
and strives to filter what it considers a threat for it. Be careful.
Use VPN for your own security. Or Tor.’
Psychological/personal motivations
To better understand the behaviour of hacktivists and their
personal/psychological motivations it is important to realize
that the majority of them choose to engage in hacktivism after
they have already decided to become hackers [4], usually
having the typical background and principles of the hacking
subculture [8]. Nevertheless, there are also some opposite
examples, as explained by Olson [23] and by one of our
interviewees: in these cases the personal motivations come
first, and later on the individual engages in a (usually)
self-taught process to acquire hacking skills. While some
hacktivists affirmed that they discovered the hacking world
through forums and through a trial-and-error process, a more
experienced hacktivist has clearly stated that he usually
teaches hacking techniques to the new members of his
team [24].
Hackers
When diving into the world of hacking it becomes clear that
the intellectual challenge of tinkering with computers lies at
its core. Linus Torvalds, a well-known hacker and inventor of
the Linux operating system, clarifies that for hackers the
‘computer itself is entertainment’ [25]. Levy [20] defines a
hack as an act that demonstrates ‘innovation, style and
technical virtuosity’, and describes hackers as ‘adventurers,
visionaries, risk-takers, artists’. Research on the motivations
for engaging in hacking was conducted by Jordan and Taylor
[26], who found out that hackers are encouraged by several
different drivers: compulsion to hack, curiosity, attraction to
power, peer recognition, and the feeling of belonging to a
group. They basically confirmed a previous study conducted
by Chantler [27] who constructed a list of 13 common
characteristics after studying hackers for over six years. He
concluded that hackers:
• Are loners
• Have poor social skills
• Have low self-esteem
• Are intelligent, able to focus for extended periods
• Are young
• Are explorers, investigators, curious, analytical
• Have a strong desire to succeed
• Are obsessive, even addicted to computers
• Have poor communication skills
• Have lots of acquaintances which they never meet
• Enjoy a hierarchy amongst peers
• Exchange knowledge and information amongst themselves
• Respect each other, are popular with peers, subordinates and superiors
• Are secretly admired by the public.
Not all of these characteristics must necessarily be met in
every hacktivist, but certainly some of them are clearly part of
their personalities. For instance, the core group of hacktivists
who were behind Anonymous and LulzSec [21, 23, 28] reflect
many (but not all) of the features described by Chantler [27]:
some of them were loners with poor social skills, young and
generally intelligent, addicted to computers and eager to
increase their knowledge in different fields [23]. Barber [11]
argues that hacktivists ‘see the [I]nternet as their channel to
reach as many viewers as possible with their message.’ We
should not forget, as Denning [7] pointed out, that many
hacks are carried out for the thrill or simply because ‘it was
possible’. This was the case, for instance, with the Milw0rm
group that attacked the website of India’s Bhabha Atomic
Research Center (BARC) in 1998, to promote an anti-nuclear
and peaceful agenda, but also because it was purely thrilling
[7]. This was confirmed by one of the hacktivists we
interviewed who hacks for political motivation, but also
enjoys the feeling given by the action itself [24].
Hacker Taggers
Hackers who engage in website defacements have some
specific characteristics that make them slightly different from
the others. In a study conducted by Woo, Kim and Dominick
[29], 462 defaced websites were analysed. The research
confirmed that hackers may have different motivations for
engaging in defacements, the most common being
psychological and political. Woo et al. indicate that hackers
often leave taunts, greetings or calling cards behind. They
also suggest that the websites disfigured by hacktivists
contain more aggressive expressions than those defaced by
people who have fun or self-aggrandizement as primary
motivation. Besides this, they also argue that some hackers
deface websites for the sense of personal achievement, in line
with some of the characteristics described by Chantler [27].
From our analysis we can confirm these tendencies and add
that hacktivists tend to post longer messages in which they
explain the reason for the defacement.
Warren and Leitch [12] investigated a group they called
‘Hacker Taggers’, and argue that these hackers deface
websites with the sole intent of leaving a ‘tag’ behind. After
examining data from the Zone-H Archive and analysing a
number of case studies, the two researchers suggested an
initial profile for this sub-group. They confirmed some of the
characteristics identified by Chantler [27], such as the strong
desire to succeed and the importance given to the exchange of
information with each other. The two researchers depicted
four other main elements: high competitiveness; the desire to
cause minimal damage or no damage at all to the targeted
websites; the reliance upon media reports to cause political
damage or embarrassment; and finally the action as an
individual or in a team.
This profiling suggests that succeeding and establishing a
reputation as a hacker play an important role in the motivation
of those who deface websites. Samuel describes website
defacement as ‘a way of demonstrating technical prowess and
establishing a reputation as a hacker’ [4]. Because the
techniques used do not require particularly advanced hacking
skills, it might be that website defacements are used as a first
step towards more complicated operations by those hackers
who have just entered the field.
Hacktivists
In a very recent study, Madarie [30] attempted to quantify the
motivations of hackers in general, using Schwartz’s theory of
motivational types of values. She found out that intellectual
challenge and curiosity were the most important motivators
for hacking into systems. She also tried to confirm the
hypothesis that hacktivists place high value on
self-transcendence qualities, which include tolerance, social
justice, equality and responsibility. However, she was not able
to confirm this hypothesis and concluded that hacktivists were
more motivated by achievement and hedonistic value types.
(It should be noted that Madarie herself stated that her sample
of hacktivists was quite small and that further research is
needed.)
We discussed these points during our interviews with two
hacktivists. The member of the group Tunisian Fallaga Team
made clear that his main motivation for defacing websites
was simply political. When we asked if any money was
involved in his activities, he strongly denied it. We probed
further into his personal motivations and asked how he
perceives the attention his attacks receive from the media. He
replied that any media attention is good, because his message
is read and spread among many people, and added that he has
a personal good feeling when he hacks. His words confirm
once again the importance that hacktivists place on visibility,
and the positive feeling they get when involved in hacking.
Furthermore, he noted that too often he and his group are
identified as terrorist ‘ISIS hackers’; he totally refuses this
label. The personal motivations also emerged in an interview
conducted with the spokesperson of Skynet Central, a group
of hacktivists active in limiting and possibly annihilating
online and offline terrorism. The interviewee said: ‘Every
time I take down a target I feel more proud than I could
describe and I feel like I prevent many crimes in the future’,
adding: ‘it [is] something personal, the war between Skynet
and ISIS.’ He concluded: ‘[Hacking is] a hobby, I enjoy [it],
but [I am] directing my skills against evil’ [24].
MODUS OPERANDI
In this section we will focus on the capabilities and the modus
operandi of hacktivists when defacing websites. First we will
describe what usually triggers them to hack. Subsequently we
will analyse their usual attack vectors and finally we will give
an overview of the most commonly used tools.
Triggers
In order to determine if a specific website is likely to be
targeted by hacktivists it seems necessary to describe how
they choose their targets. According to Hald and Pedersen
[31], hacktivists deface websites that are perceived to be an
insult to their ideology. These may be web pages that belong
to organizations or companies that take a stance against a
certain cause, or they may be all websites in a specific
country or with a specific domain. An example is the
above-mentioned case of Anonymous that explicitly targeted
Chinese websites in order to spread awareness of Internet
censorship [22], while other episodes have been analysed by
Kaplan [17] and Kovacs [14]. An interviewed member of
Tunisian Fallaga Team [19] explained that he tries to target
specific websites that have a link with a country he considers
a corrupted entity. However, as noted earlier, when hacktivists
engage in defacements they also ‘select apparently unrelated
sites designed simply to get the message to the maximum
number of eyeballs in the shortest possible time’ [11].
The selection of unrelated sites is not completely
unsystematic: the literature on the subject (validated by our
interviews) suggests that these random attacks are connected
to the use of specific tools, which identify websites that
present particular vulnerabilities [32]. A recent example that
clarifies this chain of action was the severe but easily
exploitable [33] vulnerability discovered in the REST-API of
the popular WordPress CMS [34]. The websites containing
this vulnerability were most likely found using Google dorks,
which are often exploited by defacers [35]. After the
disclosure of this weakness in the system, several well-known
defacers (hacktivists as well as non-hacktivists) defaced a
large number of websites [33, 34].
Attack methods
Since many hacktivists choose targets based on their
vulnerabilities, it is to be expected, as supported by previous
studies [31, 32], that the vulnerabilities they exploit are often
known and quite unsophisticated, usually present in the
arsenal of automatic scanning tools. An analysis of the data
from the Zone-H Archive provides great insight into which
vulnerabilities are normally exploited. When analysing the
defacements motivated by political reasons and patriotism
between January 2010 and December 2016, the most common
form of attack (18%) used to access a web page is the
exploitation of an SQL injection vulnerability. In 27% of the
cases a non-specified web application bug was exploited. In
18% of the cases another kind of method was used to deface
the websites. In 7% of the cases a brute force attack was used
to gain access to the web server. In around 6% of the cases a
file inclusion vulnerability was used to deface the websites.
Other methods employed are: other known vulnerabilities
(6.32%), URL poisoning (3.76%), FTP server intrusion
(3.11%), social engineering (3%), shares misconfiguration
(2.38%), SSH server intrusion (2.18%), mail server intrusion
(1.15%), DNS attacks (0.6%), and man-in-the-middle (MitM)
attacks (0.3%).
Method                                      Percentage
Other non-specified web application bugs    27.22%
SQL injection                               18.00%
Other methods                               18.00%
Brute force attacks                         7.00%
File inclusion                              6.39%
Known vulnerabilities                       6.32%
URL poisoning                               3.76%
FTP server intrusion                        3.11%
Social engineering                          3.00%
Shares misconfiguration                     2.38%
SSH server intrusion                        2.18%
Mail server intrusion                       1.15%
DNS attacks                                 0.60%
Man in the middle attacks                   0.30%
Table 3: Percentage of the methods of attack used to deface
websites in the category ‘patriotism’ and ‘political reasons’ in
the period 2010-2016. (Source: Zone-H Archive.)
Mass defacements
In the case of mass defacements, a vast number of websites
are defaced in a very short time. The hacktivists behind these
attacks use automated scanning and exploitation tools to
automatically exploit known backdoors in web applications
[35, 36]. Just as with single defacements, specifically crafted
Google dorks can be used to select the targets [35]. The
exploits used in these attacks can be purchased on online
black markets. In some cases the exploits send a request to
report successful defacements automatically to the Zone-H
Archive [35]. From the analysis of the most active defacers,
we can confirm that this method is widely employed and
seems to have a high rate of success.
TOOLS
As there have been few scientific studies specifically
investigating the tools hacktivists use when defacing a
website, reviewing the existing literature did not provide us
with a lot of insights. Some security firms, however, have
conducted preliminary technical analysis of hacktivists’
attacks. Fox-IT [2], for instance, has investigated the earlier
mentioned attacks (‘Netherlands Operation’). The
investigation shows that during the operation a (basic)
identification tool, written in .NET, was used to locate Dutch
and German websites which were running a vulnerable
WordPress version using Google dorks. The fact that
hacktivists create their own tools or scripts is in line with the
answers given by the member of the Tunisian Fallaga Team
[19], who confirmed that he creates his own scripts in order to
(automatically) deface a website. In addition to the creation of
their own tools, they also frequently use publicly available
vulnerability scanners, such as Acunetix or Havij [36, 37], as
again confirmed in our interviews. Some hacktivists prefer to
completely automate the defacement process: in this case they
use tools which automatically find a vulnerable website and
operate an exploit which uses a known vulnerability [35].
These tools include LFI intruder, SCT SQL SCANNER and
Priv8 RFI SCANNER v3.0 [35].
RESULTS AND CONCLUSION
In general, a web page defaced by a hacktivist or a hacktivist
group will display a socio-political message related to the
specific motivation behind the attack. In Figure 4 we provide
a good example of this trend, showing the defaced website
http://navstarter.com that was attacked by members of the
Tunisian Fallaga Team. It is clear from the text on the page
that the Tunisian Fallaga Team attempts to raise awareness of
conflicts where Muslims are involved. The hacktivists
submitted the defaced page to Zone-H, giving patriotism as
the main reason for the attack.
It should be noted that the given reasons in the Zone-H
Archive are not always in line with the message or contents of
the defaced page. In some cases we did not find any specific
message, but a simple tag (for instance ‘hacked by…’), as had
been suggested by Warren and Leitch [12]. In other cases,
especially for patriotism, hacktivists left behind the flag of a
certain country with some background music. In other cases
the defaced page does not promote any message, but
distributes a piece of malware.
To sum up, website defacement still represents one of the
main tools used by hacktivists to promote a socio-political
message. There are plenty of methods that an individual can
use to deface a website, and generally speaking they are not
as complicated as other forms of hacking. This means that
many people, especially young hackers who have just taken
their first steps into the world of hacktivism, can easily
engage in actions in order to test their skills, gain visibility
and help in promoting a certain cause. We have seen that even
if the technique is 20 years old, it has not really lost its appeal
among hacktivists (at least when we analyse the trends of the
last six years). We have explained that hacktivists are
triggered by socio-political motivations and by patriotism
(which actually represents the primary motivation for
defacing). Hacktivism and defacements seem to be linked to
regional and international geo-political tensions, as shown in
several cases (the Israeli-Palestinian conflict and
Indian-Pakistani tensions).
Finally, considering that to calculate a threat it is necessary to
know the intent of the individual (motivations of hacktivists)
and the capabilities (modus operandi and tools used by
hacktivists), we can conclude that hacktivism when connected
to website defacements does not represent a huge threat. This
point needs clarification: it is not a huge threat for all those
companies, public organizations and governments that apply
standard levels of cybersecurity within their computer
networks. Even in the case of a defacement, the costs to
restore the web pages would not be too significant for a big
corporation, but it should warn about other possible
vulnerabilities present in the system.
Figure 4: Homepage of the Navstarter.com website defaced by a member of Tunisian Fallaga Team.
The situation is different for small companies or personal
websites that do not apply good security measures or are not
updated. We can conclude that these seem to be the most
common targets because they are easier to reach and deface.
Therefore, for these, website defacements still represent a
relevant threat.
REFERENCES
[1] Pieters, J. (2017, March 14). Turkish hacker groups
focus cyberattacks on Dutch websites, incl. NL
Times. NL Times. http://nltimes.nl/2017/03/14/turkish-hacker-groups-focus-cyberattacks-dutch-websites-incl-nl-times.
[2] Fox-IT. (2017). Turkish hacktivism activity.
https://foxitsecurity.files.wordpress.com/2017/03/20170323_turkish_hacktivism_writeup_public_final.pdf.
[3] Kharpal, A. (2017, March 15). Hundreds of Twitter
accounts including Bieber and Forbes hacked, calling
Germany, Netherlands ‘Nazi’. CNBC.
http://www.cnbc.com/2017/03/15/turkey-twitter-accounts-hacked-germany-netherlands-nazis-forbes.html.
[4] Samuel, A. W. (2004). Hacktivism and the future of
political participation. Ph.D. in Political Science,
department of Government, Harvard University,
Cambridge, Massachusetts.
[5] Denning, D. E. (2015). The Rise of Hacktivism,
Georgetown Journal of International Affairs,
September 8, 2015. http://journal.georgetown.edu/the-rise-of-hacktivism/.
[6] Milan, S. (2015). Hacktivism as a radical media
practice. In Atton, C. (ed.) The Routledge
Companion to Alternative and Community Media.
New York: Routledge, 550-560.
[7] Denning, D. E. (2001). Activism, Hacktivism, and
Cyberterrorism: The Internet as a Tool for Influencing
Foreign Policy. In Arquilla, J.; Ronfeldt, D. (eds.)
Networks and Netwars: The Future of Terror, Crime,
and Militancy. Santa Monica: RAND, 239-288.
[8] Jordan, T.; Taylor, P. (2004). Hacktivism and
Cyberwars: Rebels with a cause. London: Routledge.
[9] Melucci, A. (1995). The Process of Collective Identity.
Temple University Press. In Johnston, H.;
Klandermans, B. (eds.) Social Movements and Culture.
Minneapolis: University of Minnesota Press, 41-63.
[10] Milan, S. (2013). Social Movements and Their
Technologies. Wiring Social Change. Palgrave
MacMillan: London.
[11] Barber, R. (2001). Hackers profiled – Who are they
and what are their motivations? Computer Fraud &
Security, 2001(1), 14-17.
[12] Warren, M.; Leitch, S. (2010). Hacker taggers: A
new type of hackers. Information Systems Frontiers,
12 (4), 425-431.
[13] Karatzogianni, A. (2005). The politics of
cyberconflict: Ethnoreligious conflicts in computer
mediated environments. Ph.D. in Political Science,
Nottingham University, Nottingham.
[14] Kovacs, E. (2014, April 27). Cyber conflict between
Indian and Pakistani hacktivists will not end any time
soon. Softpedia. http://news.softpedia.com/news/Cyber-Conflict-Between-Indian-and-Pakistani-Hacktivists-Will-Not-End-Any-Time-Soon-439300.shtml.
[15] Caldwell, T. (2015). Hacktivism goes hardcore.
Network Security, 5, 12-17.
[16] Krebs, B. (2015, April 15). FBI Warns of Fake Govt
Sites, ISIS Defacements. https://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/.
[17] Kaplan, D. (2009, January 5). Web defacements
escalate as Israel moves farther into Gaza.
https://www.scmagazine.com/web-defacements-escalate-as-israel-moves-farther-into-gaza/article/555321/.
[18] Winer, S. (2015, April 7). Annual cyber-attack on
Israel targets MK’s website. The Times of Israel.
http://www.timesofisrael.com/annual-cyber-attack-on-israel-hits-mks-website/.
[19] Tunisian Fallaga Team, (March, 2017). Interviewer:
Marco Romagna [email].
[20] Levy, S. (1984). Hackers: Heroes of the Computer
Revolution. New York: Doubleday.
[21] Coleman, G. (2014). Hacker, Hoaxer, Whistleblower,
Spy: The Many Faces of Anonymous. London and
New York: Verso.
[22] BBC (2012, April 5). Chinese websites ‘defaced in
Anonymous attack’. Retrieved from
http://www.bbc.com/news/technology-17623939.
[23] Olson, P. (2013). We Are Anonymous: Inside the
Hacker World of LulzSec, Anonymous, and the
Global Cyber Insurgency.
[24] Skynet Central, (December 2016 – May 2017).
Interviewer: Marco Romagna [Instant message via
Twitter].
[25] Himanen, P. (2001). The Hacker Ethic and the Spirit
of the Information Age. New York: Random House.
[26] Jordan, T.; Taylor, P. (1998). A sociology of hackers.
Sociological Review, 46 (4), 757-780.
[27] Chantler, N. (1995). Risk: The Profile of the computer
hacker. Ph.D. thesis, Curtin Business School,
Australia.
[28] Mansfield-Devine, S. (2011). Hacktivism: Assessing
the damage. Network Security, 8, 5-13.
[29] Woo, H.; Kim, Y.; Dominick, J. (2004). Hackers:
Militant or Merry Pranksters? A Content Analysis of
Deface Web Pages. Media Psychology, 6, 63-82.
[30] Madarie, R. (2017). Hackers’ Motivations: Testing
Schwartz’s Theory of Motivational Types of Values
in a Sample of Hackers. International Journal of
Cyber Criminology, 11(1), 78-97.
[31] Hald, S. L.; Pedersen, J. M. (2012). An Updated
Taxonomy for characterizing hackers according to
their threat properties. In Advanced Communication
Technology (ICACT), 2012 14th International
Conference on (pp. 81 - 86). IEEE Press.
(International Conference on Advanced
Communication Technology).
[32] Furnell, S. (2003) Cybercrime: Vandalizing the
information Society. In: Lovelle J.M.C.; Rodríguez
B.M.G.; Gayo J.E.L.; del Puerto Paule Ruiz M.;
Aguilar L.J. (eds) Web Engineering. ICWE 2003.
Lecture Notes in Computer Science, vol. 2722.
Berlin, Heidelberg: Springer.
[33] Montpas, A.M. (2017, February 1). Content Injection
Vulnerability in WordPress. https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.
[34] Maunder, M. (2017, February 10). Rapid Growth in
Defacements, Who was Hit, Who is Attacking.
https://www.wordfence.com/blog/2017/02/rapid-growth-in-rest-api-defacements/.
[35] Jacoby, D. (2010, July 21). Mass Defacements: the
tools and tricks. https://securelist.com/36356/mass-defacements-the-tools-and-tricks/.
[36] Carr, J. (2011). Inside Cyber Warfare: Mapping the
Cyber Underworld (2nd ed.). Sebastopol, CA:
O’Reilly Media.
[37] Imperva. (2012). Imperva’s Hacker Intelligence
Summary Report The Anatomy of an Anonymous
Attack. https://www.imperva.com/docs/HII_The_Anatomy_of_an_Anonymous_Attack.pdf.
... Website defacement may be associated with website users or owners. Figure 2 shows the possible reasons for website defacement [1]. ...
... The data set was collected from [5,6], and SPSS statistics [7] were used to draw this pie chart to represent the countries that have the most defacement attacks. Generally, studies have found that in the last years, defacement attacks have reduced more than ever [1]. ...
... Based on research by Romagna and van den Hout [1], the most common type of attacks used to exploit web page vulnerability are web application bugs (27.22%) followed by SQL injections (18.00%). Other techniques used are man-in-the-middle (MitM) attacks (0.3%), DNS attacks (0.6%), mail server intrusion (1.15%), SSH server intrusion (2.18%), share misconfiguration (2.38%), social engineering (3%), FTP server intrusion (3.11%), URL poisoning (3.76%), and other known vulnerabilities (6.32%). ...
Article
Full-text available
Web attacks and web defacement attacks are issues in the web security world. Recently, website defacement attacks have become the main security threats for many organizations and governments that provide web-based services. Website defacement attacks can cause huge financial and data losses that badly affect the users and website owners and can lead to political and economic problems. Several detection techniques and tools are used to detect and monitor website defacement attacks. However, some of the techniques can work on static web pages, dynamic web pages, or both, but need to focus on false alarms. Many techniques can detect web defacement. Some are based on available online tools and some on comparing and classification techniques; the evaluation criteria are based on detection accuracies with 100% standards and false alarms that cannot reach 1.5% (and never 2%); this paper presents a literature review of the previous works related to website defacement, comparing the works based on the accuracy results, the techniques used, as well as the most efficient techniques.
... The importance of social ties has also been observed among hackers engaged in website defacing, which is the vandalism of a webpage by changing its appearance and contents (Kilger, 2011). These type of hackers represent a diverse population who vary in motivations (Ooi et al., 2012;Romagna & van den Hout, 2017), ideological backgrounds (Holt et al., 2020(Holt et al., , 2021, and attack patterns (G. W. Burruss et al., 2021). ...
... W. Burruss et al., 2021). While hackers typically act in an elusive manner (Jordan & Taylor, 1998), those involved in website defacements are more overt in their activities and leave large amounts of data in their wake (Ooi et al., 2012;Romagna & van den Hout, 2017). In fact, many hackers collaborate and engage in defacement campaigns (i.e., vandalizing different webpages with the same defacement) (Maggi et al., 2018) and report their activities to publicly accessible defacement archives. ...
... Moreover, these hackers have also been observed boasting about their successful exploits and other related subject-matter over social media platforms (Aslan et al., 2020;Maimon et al., 2017). Although widely regarded as being an inherently social activity (Jordan & Taylor, 2004;Romagna & van den Hout, 2017), the group behavior associated with this form of digital vandalism remains a poorly understood topic. ...
Article
Full-text available
Over the past four decades, research on hackers has widely propagated within the social sciences. Although this area of scholarship yields rich insight into the interpersonal dynamics of hackers, research on the unique ecosystems they create and inhabit is scant in comparison. The current study aims to offer a more complete assessment of hackers’ ecosystems by incorporating the group affiliations which link hackers to one another. Using 12 months of archived website defacement data containing individuals’ self-reported group affiliations alongside their hacking activities, the study reconstructs the social network of hacker groups over time. Findings reveal the illicit ecosystem to be loosely connected, yet densely clustered around a few central groups. The ecosystem also maintained its network features across the observation period with no sign of structural degradation. These findings corroborate extant research on the social environments of hackers, offer an innovative look into the illicit ecosystem of website defacers, and serve as a steppingstone to extend investigations of criminal behavior to the group-level.
... Cybersecurity and Infrastructure Security Agency (CISA) from the US government describe some of the typical signs of DDoS attacks, including unusually slow network performance, unusually slow speed of opening files and/or accessing websites, and unavailability of one or any website (CISA, 2022).DDoS attacks often result in access redistribution and website defacement and can be used as a measure for hacktivism(Romagna & van den Hout, 2017). Hacktivism refers to "the sum of ideologies, individual and collective actions typical of traditional activism, applied in cyberspace through the use of hacking techniques, while addressing or exploiting network infrastructure's technical and ontological features, with the final goal of reaching a socio-political change in society"(Denning, 2001;Milan, 2015; as cited inRomagna & van den Hout, 2017). ...
... Cybersecurity and Infrastructure Security Agency (CISA) from the US government describe some of the typical signs of DDoS attacks, including unusually slow network performance, unusually slow speed of opening files and/or accessing websites, and unavailability of one or any website (CISA, 2022).DDoS attacks often result in access redistribution and website defacement and can be used as a measure for hacktivism(Romagna & van den Hout, 2017). Hacktivism refers to "the sum of ideologies, individual and collective actions typical of traditional activism, applied in cyberspace through the use of hacking techniques, while addressing or exploiting network infrastructure's technical and ontological features, with the final goal of reaching a socio-political change in society"(Denning, 2001;Milan, 2015; as cited inRomagna & van den Hout, 2017). The British Broadcasting Corporation (BBC)'s main website ( https://www.bbc.co.uk/) experienced a DDoS attack in December 2015. ...
... One type of attacks linked with the low-level 'script kiddie' is web defacement [80]. It accounted for around 20% of online attacks [69] and is often organised into discrete campaigns [58]. ...
... Defacers have heterogeneous developmental trajectories [92]; they are often organised in groups [71] and have been using online archives [52] as a 'hall of fame' to show off their achievements to gain reputation. Defacements are mostly hobbies or pranks with greetings to peers [98], but some advertise tools or hacking services to make money, or express other motives such as a wish for community recognition, patriotic, religious and political views [6,80]. Defacement may cause economic harm [4,26] and has occasionally been used as a proxy for terrorist and other serious activities [38], yet it is in fact more akin to an online sport -like competitive graffiti tagging -than serious organised crime. ...
Preprint
Full-text available
There has been substantial commentary on the role of cyberattacks, hacktivists, and the cybercrime underground in the Russia-Ukraine conflict. Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed 'hacktivists' linked to cybercrime groups is misleading. We collected 281K web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58K replies) of a volunteer hacking discussion group for two months before and four months after the invasion. To enrich our quantitative analysis, we conducted interviews with website defacers who were active in attacking sites in Russia and Ukraine during the period. Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the 'hacktivists' imagined in popular criminological accounts. Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within '.ru' and '.ua'. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative. The much-vaunted role of the 'IT Army of Ukraine' co-ordination group is mixed; the targets they promoted were seldom defaced although they were often subjected to DDoS attacks. Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks. Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further.
... When examining defacement motivated by politics and patriotism between January 2010 and December 2016, the exploitation of an SQL injection vulnerability was the most frequent method of attack (18%) utilized to access a website [17]. SQL injection is regarded as one of the most significant risks to both websites and databases since it allows an attacker access to the web and databases by injecting the database with a malicious SQL request to perform the attack. ...
Article
Full-text available
In recent years, the number of people using the Internet has increased worldwide, and the use of web applications in many areas of daily life, such as education, healthcare, finance, and entertainment, has also increased. On the other hand, there has been an increase in the number of web application security issues that directly compromise the confidentiality, availability, and integrity of data. One of the most widespread web problems is defacement. In this research, we focus on the vulnerabilities detected on the websites previously exploited and distorted by attackers, and we show the vulnerabilities discovered by the most popular scanning tools, such as OWASP ZAP, Burp Suite, and Nikto, depending on the risk from the highest to the lowest. First, we scan 1000 URLs of defaced websites by using three web application assessment tools (OWASP ZAP, Burp Suite, and Nikto) to detect vulnerabilities which should be taken care of and avoided when building and structuring websites. Then, we compare these tools based on their performance, scanning time, the names and number of vulnerabilities, and the severity of their impact (high, medium, low). Our results show that Burp Suite Professional has the highest number of vulnerabilities, while Nikto has the highest scanning speed. Additionally, the OWASP ZAP tool is shown to have medium- and low-level alerts, but no high-level alerts. Moreover, we detail the best and worst uses of these tools. Furthermore, we discuss the concept of Domain Name System (DNS), how it can be attacked in the most common ways, such as poisoning, DDOS, and DOS, and link it to our topic on the basis of the importance of its infrastructure and how it can be the cause of hacking and distorting sites. Moreover, we introduce the tools used for DNS monitoring. Finally, we give recommendations about the importance of security in the community and for programmers and application developers. 
Some of them do not have enough knowledge about security, which allows vulnerabilities to occur.
... One of the most popular sources of secondary data on hacking is the Zone-H Defacement Archive (see Romagna and Van den Hout, 2017). In Zone-H, alleged hackers, or groups of hackers, self-report their defacement activity under a nickname, providing evidence via the URL of the defaced website and selecting from a drop-down menu the method of intrusion used and their motivation. ...
Preprint
Cybercriminals are an elusive population to study. This makes social research with cybercriminals as valuable as it is scarce. To stimulate research on cybercriminals, it is important that researchers share their insights on successful and unsuccessful approaches, strategies, and techniques. This chapter collects our fieldwork experiences researching cybercriminals, potential cybercriminals, hackers, and hacktivists. After presenting the phases of our fieldwork, we outline six research techniques we have applied and discuss the ethical issues involved. We conclude with some lessons learned and methodological perspectives to guide future research.
... According to researchers from Hague University, a web defacement attack is an act by hackers that makes improper changes to the appearance of a site's pages [2]. An example is a server that was hacked by uploading an image file so that it appears as shown in Figure 1. This happens because a system that has been published to the internet has the potential to be attacked by hackers [3]. ...
Article
Hackers today no longer attack only government agencies, as in 2019, but have also begun attacking educational institutions. This is consistent with the monitoring and identification carried out by Badan Siber dan Sandi Negara, which found that educational institutions were attacked at a rate of 38% in 2020. As a preventive measure against cyber attacks on educational institutions, an information security analysis of the installed systems needs to be carried out. This article proposes the technical steps for performing an information security analysis using software under a Free Open Source Software licence, namely Sudomy and OWASP ZAP. Using these two tools, an analysis of the potential security weaknesses in the information systems installed at Universitas Duta Bangsa was obtained.
Article
Hacktivism is a rising phenomenon in the cyber landscape combining elements of the hacking subculture with ideologically motivated agendas inspired both by traditional activism and by new elements of the digital culture. Despite several studies on the topic, it is still not completely clear what motivates an individual to engage in this type of collective action and if the reasons can be compared to what is already known for more traditional forms of social protests. Taking a socio-psychological approach, this study uses the social identity model of collective action (SIMCA) as a theoretical lens to analyze hacktivists' motives and engagement process. The analysis is based on 28 semi-structured interviews, and it considers the four main elements of the model, namely: morality, social identity, perceived injustice and perceived efficacy. The violation of moral values seems to be the main trigger to participate in the action, while social identity plays an important role both as the second step in the engagement process and as a bridge with the other elements of the model. The results seem to be in line with what is already known for other forms of social protests, although some elements of the model provide new means of interpretation.
Article
Website attacks have been one of the main threats to websites and web portals of private and public organizations. In today's digital world web applications are an important part of day-to-day life, so it has become a challenging task to secure the applications. The attackers aim to extract sensitive information about the users through the URL links sent to the victims. We are trying to fill the gap of traditional methods to stop the attacks, but the traditional methods fail to perform well as the attackers are becoming good at attacking the web applications. People are presently searching for reliable and consistent web application attack detection software. This model aims to secure web applications against vulnerabilities and from different types of attacks using a machine learning approach which has more accuracy compared to other machine learning algorithms since we are using Random Forest Model.
Article
The acts of hacktivists in today's modern world might have extremely negative repercussions for the order and peace of countries. Hacktivists, by the very nature of their methodology, invariably target important government installations. This research focuses mostly on investigating the myriad of approaches that may be taken to cyber-secure important national infrastructure against the maneuvers that can be carried out by hacktivists. Inferences are drawn in this study from hacktivism episodes that occurred in the past and were documented by a variety of sources, some of which may be verified. A four-point cyber security plan for important national infrastructure has been developed as a way to provide direction for the execution of cybersecurity measures by key state facilities. This scheme was inspired by the ideas presented previously. Keywords: Critical National Infrastructure, Security, Hacktivists, Cyberspace, Hacking, Cybercrime
Article
Although much has been written on the topic of hacker motivations, little empirical research has been conducted and even less research has attempted to quantify hackers' motivations. The present study analyses relationships between the frequency of several hacking behaviours and motivations to hack in a sample of male hackers and potential hackers. Motivations frequently recurring in the literature are assessed and Schwartz's (1992) Theory of Motivational Types of Values is applied. A preference for self-transcendence and openness to change values was found in the whole sample. Intellectual challenge and curiosity were rated as the most important motivators to circumvent security systems. However, correlation analyses signified the importance of aversion of conservation values. Hackers appear to be more motivated by what they dislike rather than by what they value. Future studies are needed to further examine the discrepancy between hackers' ranking of motivations and the relationship between motivations and hacking behaviours.
Book
Now in paperback for the first time, Social Movements and their Technologies explores the interplay between social movements and their 'liberated technologies'. It analyzes the rise of low-power radio stations and radical internet projects ('emancipatory communication practices') as a political subject, focusing on the sociological and cultural processes at play. It provides an overview of the relationship between social movements and technology, and investigates what is behind the communication infrastructure that made possible the main protest events of the past fifteen years. In doing so, Stefania Milan illustrates how contemporary social movements organize in order to create autonomous alternatives to communication systems and networks, and how they contribute to change the way people communicate in daily life, as well as try to change communication policy from the grassroots. She situates these efforts in a historical context in order to show the origins of contemporary communication activism, and its linkages to media reform campaigns and policy advocacy. © Stefania Milan 2013. Foreword, DeeDee Halleck 2016. All rights reserved.
Article
This thesis argues that it is important to distinguish between two different phenomena in cyberpolitical spaces: First of all, between ethnic or religious groups fighting over in cyberspace, as they do in real life (Ethnoreligious cyberconflict) and second, between a social movement and its antagonistic institution (Sociopolitical cyberconflict). These different kinds of cyberconflict can be explained in the context of international conflict analysis for ethnoreligious cyberconflict and social movement theory for sociopolitical cyberconflict, while keeping in mind that this takes place in a media environment by using media theory. By combining elements of these approaches and justifying the link to cyberconflict, it is possible to use them as a theoretical light to look at the environment of Cyberconflict (CC) and analysis of incidents of CC. Consequently, this work looks at the leading groups using the internet either as weapon or a resource against governments, while also looking at networks, international organisations and new social movements. Searching for a satisfactory theoretical framework, I propose the following parameters to be looked at while analysing cyberconflicts: 1. Environment of Conflict and Conflict Mapping (real and virtual). The world system generates an arborescent apparatus, which is haunted by lines of flight, emerging through underground networks connected horizontally and lacking a hierarchic centre (Deleuze and Guattari). The structure of the internet is ideal for network groups, (a global network with no central authority) has offered another experience of governance (no governance), time and space (compression), ideology (freedom of information and access to it), identity (multiplicity) and fundamentally an opposition to surveillance and control, boundaries and apparatuses. 2. Sociopolitical Cyberconflicts: The impact of ICTs on: a. 
Mobilising structures (network style of movements using the internet, participation, recruitment, tactics, goals), b. Framing Processes (issues, strategy, identity, the effect of the internet on these processes), c. Political opportunity structure (the internet as a component of this structure), d. hacktivism. 3. Ethnoreligious Cyberconflicts: a. Ethnic/religious affiliation, chauvinism, national identity, b. Discourses of inclusion and exclusion, c. Information warfare, the use of the internet as a weapon, propaganda and mobilisational resource, d. Conflict resolution depends on legal, organisational framework, number of parties issues, distribution of power, values and beliefs. 4. The internet as a medium: a. Analysing discourses (representations of the world, constructions of social identities and social relations), b. Control of information, level of censorship, alternative sources, c. Wolfsfeld: Political contest model among antagonists: the ability to initiate and control events, dominate political discourse, mobilise supporters, d. Media effects on policy (strategic, tactical, and representational).
Book
As global society becomes more and more dependent, politically and economically, on the flow of information, the power of those who can disrupt and manipulate that flow also increases. In Hacktivism and Cyberwars Tim Jordan and Paul Taylor provide a detailed history of hacktivism's evolution from early hacking culture to its present day status as the radical face of online politics. They describe the ways in which hacktivism has re-appropriated hacking techniques to create an innovative new form of political protest. A full explanation is given of the different strands of hacktivism and the 'cyberwars' it has created, ranging from such avant garde groups as the Electronic Disturbance Theatre to more virtually focused groups labelled 'The Digitally Correct'. The full social and historical context of hacktivism is portrayed to take into account its position in terms of new social movements, direct action and its contribution to the globalization debate. This book provides an important corrective flip-side to mainstream accounts of E-commerce and broadens the conceptualization of the internet to take into full account the other side of the digital divide.
Article
Using news reports of incidents and events, this work demonstrates how the Internet is altering the landscape of political discourse and advocacy. Three broad classes of activity are considered: activism; hacktivism; and cyberterrorism. It is shown that the Internet can be an effective tool for activism. With respect to hacktivism and cyberterrorism, those who engage in such activity are less likely to accomplish their foreign policy objectives than those who do not employ disruptive and destructive techniques.
Article
Hacktivism is no longer driven by well-meaning amateurs or bored teenagers, if it ever was. The nature of hacktivism is changing and cause-based activism typified by the Anonymous collective is being replaced by heavy-duty, politicised attacks by the likes of the Syrian Electronic Army and ISIS - or even attacks carried out by nation states. Hacktivism intended for social and political protest can have unintended (or intended!) impacts on organisations of all sizes caught in the cyber crossfire.
Conference Paper
The objective of this paper is to give an up-to-date terminology for and categorization of hackers on the Internet, and to characterize each category of hackers by their threat properties. To be able to prioritize defense efforts, security experts need an accurate taxonomy of attackers for the production of detailed and precise threat assessments. We take an existing taxonomy for hackers and update it to correspond to the terminology used by hackers and security experts. Also, the categories of hackers are updated to reflect the threat properties demonstrated in recent attacks, and each category is described in terms of motivations, capabilities, triggers, methods, and trends. The result is a current and detailed taxonomy usable in planning of digital defense efforts as well as in forensics after an attack has occurred.
Article
A great many people see all hackers as immature, spotty teenagers with good computer skills and no regard for the damage they do when they hack systems. The truth is very different. The hacker community as a whole is a very broad church. This article will aim to define a number of different groups of hackers, analyse their motivations and look at the sort of threats they pose to businesses.