Thousands of Israeli sites defaced with code seeking permission to access users' webcams

The hacks have been linked back to a local Israeli WordPress hosting provider.
Written by Catalin Cimpanu, Contributor

Thousands of Israeli websites were defaced earlier today to show an anti-Israeli message and to load malicious code seeking permission to access visitors' webcams.

More than 2,000 websites are believed to have been defaced. Most of the websites were hosted on uPress, a local Israeli WordPress hosting service.

In a message posted on Facebook, the company said the hackers exploited a vulnerability in a WordPress plugin to plant the defacement message on Israeli sites hosted on its platform.

The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. Efforts are currently underway to restore all affected sites.

The attack was carried out by a new hacker group going by the name of "Hackers of Savior." According to a Facebook group, the hacker group is believed to have nine members, all from Muslim countries, such as Turkey, Palestine, Morocco, and Egypt.

The attacks have been timed to take place on "Jerusalem Day," an Israeli national holiday commemorating the reunification of the city of Jerusalem and the establishment of Israeli control over the Jerusalem Old City in 1967.

On all websites, hackers loaded a YouTube video along with the message of "The countdown of Israel destruction has begun since a long time ago".

The site also loaded a script that requested access to users' webcams. Omri Segev Moyal, CEO of cyber-security firm Profero, told ZDNet that two versions of this script were delivered, with a second containing code that tried to take a photo of the user and upload it to a remote server.

The Israeli National Cyber-Directorate (INCD), the country's cyber-security agency, warned users against interacting with any of the hacked websites.

Most of the websites have been taken down, but a few are still available online, most likely still cached by CDN providers.

Israeli news media are reporting that the attack was carried out by "Iranian hackers," but multiple sources have told ZDNet there is no evidence of the Iranian government's involvement.

Last month, the Israeli government told water treatment companies to change passwords after hackers tried to access water supply and treatment systems. That attack, too, was blamed on Iran, based on non-public sources and against the general opinion of the Israeli cyber-security community.