
SQL Injection Responsible for Hacking Over 500,000 Sites in 2008

According to the annual Web Hacking Incidents Database report from the security firm Breach Security, SQL injection attacks were launched on a massive scale in 2008.

Reportedly, over 50,000 web sites were hacked in the previous year, and SQL injection was the foremost weapon of attack. The report further states that three SQL bots were used in all these attacks: Asprox, Nihaorr1, and Evolution. Although SQL injection was the initial attack vector, the overall attacks more closely resembled Cross-Site Scripting, achieving the ultimate goal of injecting malicious JavaScript code into the victim's browser.

Interestingly, the assaults were not targeted at the server's information, but at the websites' user base itself. These attacks took advantage of legitimate resources to exploit users' trust in those sites.

Ryan Barnett, Director of Application Security Research, Breach Security, noted that hackers are increasingly using new and sophisticated methods to earn personal as well as financial gains, as reported by BusinessWire on February 24, 2009.

The report also talks of a factor dubbed "the unknown", referring to the 29% of incidents in which the attack method is yet to be recognized. This may be mainly due to the lack of visibility into web traffic and resistance to public exposure.

The majority of firms hesitate to disclose the details of a compromise publicly, possibly for fear of losing customer confidence and, thereby, their competitive edge.

The researchers at Breach Security believe that hiding the details of such incidents from the public hinders the process of fixing the problem's root cause. This may particularly be observed in incidents of malware-planting, wherein the prime concern of the remediation process lies in removing the malware rather than fixing the vulnerabilities of the site that allowed hackers to gain access.

Moreover, nearly all sectors have suffered SQL injection attacks. Government, security and law enforcement ranked first with 32% of attacks, followed by information services, retail, Internet, and education rounding out the top five positions.


» SPAMfighter News - 3/2/2009
