AntiSec Remains Active – Defaces Hundreds of Canadian Websites

On Wednesday, the AntiSec movement defaced hundreds of websites in what was said to be proof that the movement works just fine without Sabu, their alleged leader who was arrested and flipped by the FBI last year.


The sites that were defaced have something in common: they were security related and were all hosted by Shaw Cable directly or by its subsidiary Mountain Cablevision, both of which are in Canada.

“Our Vessel sailed through their servers collecting all information they owned. These companies earn money exploiting the fear of the people and their feeling of daily life state sponsored insecurity,” an AntiSec statement explained.

“We are doing this not only to cause embarrassment and disruption to the security community but to show we are still alive and well… Law enforcement collaborators, and military contractors, private security companies beware: we’re coming for your mail spools, barely legal porn, your sister’s pix and confidential documents.”

The attack targeted three different servers. One was a dedicated hosting account, while the other two leveraged shared hosting. The security related websites such as,,, and, were announced by AntiSec, but hundreds of others were caught in the crossfire.

At the time this story was written, a majority of the attacked domains were offline completely or reporting database connection errors. A full list of the domains present on the servers attacked can be seen here.

When it comes to the shared hosting environments, the likely avenue of attack exploited in this case was Remote File Inclusion (RFI). This would have allowed AntiSec supporters full access to the targeted website after uploading a malicious shell script. Depending on the permissions of the server itself, access to every other domain hosted on it could be gained from that point.

Another possible access point, based on viewing versions of the targeted websites before they were attacked, is SQL Injection (SQLi). In the past, this method of attack has allowed AntiSec supporters to wreak havoc on a domain, and walk off with confidential and sensitive information. SQLi will also allow mass attacks within a shared environment due to the fact that the databases are often stored locally.

SecurityWeek reached out and asked about the methods used during the attacks, given that the defacement message mentioned backdoors into the servers, but were turned away. The only comment for the record was “Also Cocks.” (For the unfamiliar, this term can be used several ways. One is lulz, or amusement. The other is a quick way to tell someone to go away. AntiSec doesn’t always like to give away their methods, and when they do it’s often within the defacement message itself.)

Earlier this month, after the FBI announced the arrest of Sabu and the fact that they had turned him in order to collect evidence against other LulzSec members and Anonymous supporters, one Special Agent close to the case mentioned that the arrest had cut the head off of the movement.

That same day, AntiSec targeted Panda Security, defacing a webserver hosting several sub-domains used by the company. According to AntiSec’s claims, Panda has helped put 25 people behind bars for their involvement in various operations championed by Anonymous, in addition to lurking on their public IRC space in an attempt to identify various chat participants.

Panda’s Technical Director, Luis Corrons, commented, “Even though we have not helped LE to bring to jail any LulzSec member, I would have loved to be involved in that.” Panda recovered the webserver within hours, and no critical information was lost. The point that AntiSec is making should be clear: just because people have been arrested, the threat that supporters of the movement pose has not gone away. Those who celebrated and figured that the threat had passed are in for a rude awakening should they let their guard down.

As always, organizations should check their critical web applications and protect the assets that are most valuable, which is often the information collected for day to day operations. Proper coding practices and security auditing, system and software patches for the webservers, leveraging the rule of least privilege and disabling services that are non-essential are just some of the steps that will prevent basic attacks from working.
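The shared-hosting point above (one compromised site reaching its neighbours when server permissions allow it) can be checked with a short audit. This is an added example, not code from the article or from any party it names; the per-tenant `public_html` layout and the list of configuration file names are assumptions.

```python
import os
import stat
import tempfile

DOCROOT = "public_html"  # assumed docroot name inside each tenant directory
CONFIG_NAMES = ("config.php", "wp-config.php", ".env")  # assumed secret-bearing files

def audit_tenant_isolation(hosting_root):
    """Return sorted (tenant, path, issue) tuples for cross-tenant exposure."""
    findings = []
    for tenant in sorted(os.listdir(hosting_root)):
        home = os.path.join(hosting_root, tenant)
        if not os.path.isdir(home):
            continue
        for dirpath, dirnames, filenames in os.walk(os.path.join(home, DOCROOT)):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # link permission bits say nothing about the target
                mode = stat.S_IMODE(st.st_mode)
                rel = os.path.relpath(path, home)
                if mode & stat.S_IWOTH:
                    # Any other account on the box can alter or plant content here.
                    findings.append((tenant, rel, "world-writable"))
                elif stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH and name in CONFIG_NAMES:
                    # Database credentials readable from a neighbouring site.
                    findings.append((tenant, rel, "world-readable config"))
    return sorted(findings)

def build_sample(root):
    """Create a constructed two-tenant tree with explicit modes (sample data)."""
    layout = {
        "alice/public_html": 0o755,
        "alice/public_html/index.php": 0o644,
        "alice/public_html/config.php": 0o640,
        "bob/public_html": 0o755,
        "bob/public_html/config.php": 0o644,
        "bob/public_html/uploads": 0o777,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            open(path, "w").close()
        else:
            os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # set explicitly so the umask does not matter

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample(sample_root)
        for finding in audit_tenant_isolation(sample_root):
            print(*finding, sep="\t")
```

On a real host the function would be pointed at the directory that holds the tenant homes; every finding is a file that another tenant's compromised site could read or change.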

Just remember, if an attacker is targeting your organization directly, there’s little you can do to stop them as they’re likely to get in eventually, which is why incident response is just as important as risk management.
