Thousands of Israeli websites were defaced earlier today to show an anti-Israeli message and to load malicious code seeking permission to access visitors’ webcams.
More than 2,000 websites are believed to have been defaced. Most of the websites were hosted on uPress, a local Israeli WordPress hosting service.
In a message posted on Facebook, the company said the hackers exploited a vulnerability in a WordPress plugin to plant the defacement message on Israeli sites hosted on its platform.
The company said it was working with Israeli authorities to investigate the hack. uPress also took down all defaced websites and pulled the file hackers were exploiting. Efforts are currently underway to restore all affected sites.
The attack was carried out by a new hacker group going by the name of “Hackers of Savior.” According to a Facebook group, the hacker group is believed to have nine members, all from Muslim countries, such as Turkey, Palestine, Morocco, and Egypt.
The attacks were timed to take place on “Jerusalem Day,” an Israeli national holiday commemorating the reunification of the city of Jerusalem and the establishment of Israeli control over the Jerusalem Old City in 1967.
On all websites, hackers loaded a YouTube video along with the message “The countdown of Israel destruction has begun since a long time ago.”
The defaced sites also loaded a script that requested access to users’ webcams. According to Omri Segev Moyal, CEO of cyber-security firm Profero, two versions of this script were delivered, with the second containing code that tried to take a photo of the user and upload it to a remote server.
The Israeli National Cyber-Directorate (INCD), the country’s cyber-security agency, warned users against interacting with any of the hacked websites.
We are updating that in recent hours the National Cyber Directorate has received reports of websites in Israel that were defaced with anti-Israeli messages. The matter is being handled by the Directorate. We recommend that users avoid clicking on links if they browse to a defaced site.
— Cyber Israel (@Israel_Cyber) May 21, 2020
Most of the websites have been taken down, but a few are still available online, most likely still cached by CDN providers.
Israeli news media is reporting that the attack has been carried out by “Iranian hackers,” but multiple sources have told ZDNet there is no evidence of the Iranian government’s involvement.
Last month, the Israeli government told water treatment companies to change passwords after hackers tried to access water supply and treatment systems. This attack, too, was blamed on Iran, using non-public sources, and against the general opinion of the Israeli cyber-security community.