SQL Attacks Infect DHS Websites
Web application security provider Acunetix has revealed that sophisticated Structured Query Language (SQL) injection attacks recently targeted US Department of Homeland Security Websites, as reported by Acunetix on May 6, 2008.
According to researchers at Acunetix, hackers have struck several thousand Web pages on renowned Websites with a malicious script. This turned the compromised Websites into attack bases from which malware was installed onto computers that visited those sites.
Sarah Tabone, Sales and Operation Manager at Acunetix, said that the company's research, carried out on 3,200 Websites, revealed that a huge 70% of Websites contained security loopholes that could allow hackers to steal confidential corporate data, including customer lists and credit card details, as reported by ComputingNews on May 7, 2008.
Tabone further said that attacks similar to the one on the Department of Homeland Security could make any Website function as a launch area for attacks directed at unwitting visitors.
One reason the latest attack stands out is that it has been able to infect a massive number of Web pages using just one piece of text code. Google searches have shown that almost 560,000 pages contain this infecting text, although the actual number keeps changing. In the attack, the infected sites redirect traffic to other destinations where attempts are made to download malware onto vulnerable computers.
Further, according to the security investigators, the infection has spread so widely because the attackers managed to craft a single attack code that works effectively on thousands of Websites. The code is also striking because it successfully bypasses the various defenses for Web applications. The SQL request consists primarily of HEX code, which obscures its content from applications, particularly those that employ Microsoft SQL. This is, however, not possible with PostgreSQL and MySQL.
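The effect described above, where a request made up mostly of HEX code slips past a defense that only inspects plain text, is shown here as an added example (not code from Acunetix, DHS or the original article): a Python check that decodes long hex literals in a query string before keyword matching. The keyword list, function names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Hex literal of 8+ bytes (0x followed by 16+ hex digits); short values like 0xffcc00 are ignored.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){8,})", re.I)
# Illustrative keyword list (an assumption, not taken from the article).
KEYWORDS = re.compile(r"\b(select|update|insert|delete|exec|declare)\b|<script", re.I)

def decode_hex_literal(hex_digits):
    """Return candidate text decodings of a hex literal: single-byte and UTF-16LE."""
    raw = bytes.fromhex(hex_digits)
    texts = [raw.decode("latin-1")]
    if len(raw) % 2 == 0:
        texts.append(raw.decode("utf-16-le", errors="replace"))
    return texts

def naive_keyword_filter(query_string):
    """True if a keyword appears in the URL-decoded request as plain text."""
    return bool(KEYWORDS.search(unquote_plus(query_string)))

def hex_aware_filter(query_string):
    """True if a keyword appears in the request or inside any decoded hex literal."""
    decoded = unquote_plus(query_string)
    if KEYWORDS.search(decoded):
        return True
    for match in HEX_LITERAL.finditer(decoded):
        if any(KEYWORDS.search(text) for text in decode_hex_literal(match.group(1))):
            return True
    return False

# Constructed sample query strings; the hex values encode the harmless text "select 1".
SAMPLES = {
    "clean": "id=42&color=0xffcc00",
    "plain": "id=1;select+name+from+users",
    "hex_ascii": "id=1;0x" + "select 1".encode("ascii").hex(),
    "hex_utf16": "id=1;0x" + "select 1".encode("utf-16-le").hex(),
    "token": "t=0x00112233445566778899aabbccddeeff",
}

if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:10} naive={naive_keyword_filter(qs)!s:5} "
              f"hex_aware={hex_aware_filter(qs)!s:5} {qs}")
```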
Moreover, a DHS spokesperson said that Websites have recently been getting fooled because they fail to sanitize user-fed data. DHS security professionals cleaned the malicious code off the page shortly after the infection occurred, and also adopted measures to ensure that the attack didn't hit the remaining sections of the DHS Websites.
» SPAMfighter News - 15-05-2008