Table 5 in the Appendix contains a list of the top 10 overlaps of a defacer related domain to a phishing domain hosted within one year of each other.
It is very important to note that in order for the defacer to get credit for their defacement, the defacer needs the defacement database to obtain a live screenshot of their defacement.
The first scenario is that the phisher is the defacer.
The second scenario is that the phisher and defacer are part of the same organized group or crime unit.
In this research we present a set of methods that demonstrate a relationship between phishers and defacers.
Defacers are a set of cybercriminals who gain unauthorized access to webservers and related systems by attacking design, implementation, logic and configuration vulnerabilities in order to post illegitimate web content on that server.
The defacers use these databases to get credit for, or maintain a history of, their defacements.
The research presented in this paper was assembled to demonstrate the relationship between phishers and defacers, using the domains and timestamps in which phishing and defacement websites were reported.
The goal in this experiment was not only to use more data to show a larger impact by these defacers but also to demonstrate that some phishers target multiple organizations, giving law enforcement more motivation to open an investigation on the phisher.
The final scenario is that some defacers sell credentials on underground markets.