Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced — attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.

Figure 1. Image shown from within the PMO website that falsely claims the site was hacked

The attackers exploited an XSS vulnerability in the website’s search page by entering the code triggering the display of the image as the search string. This caused the web page to execute the code and display the image, along with text that said “ANONYMOUS SG WAS HERE BIATCH~”, giving the impression that the website was defaced.

We’d like to point out that the Singapore PMO website remains intact, and was not compromised in any way. Visitors of the site will not be able to see the image, since it is only accessible if the URL with the injected script embedded is accessed. The attackers drove users into the link with the displayed image by distributing the URL through social media.

This attack is a form of cross-site scripting or XSS and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruits for attackers since the likelihood of a website having them is very high, thus it is seen as one of the easier routes in terms of attacking a website.

This ease in execution for hackers, however, is paralleled by great risks for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.

We strongly recommend website developers to make sure that their sites are fully secure against XSS attacks through the following means: