Dexia, HSBC and ING Bank Websites Hacked
Websites of certain big European banks, including Dexia, HSBC and ING, have been breached via SQL injection, an attack in which malicious code is inserted into data strings. After being transmitted to an SQL server, the data strings are parsed and executed. The attacks, carried out with proof-of-concept code, show the poor state of security practices at trusted banking institutions, which could harm consumers.
Credit for discovering the security problems goes to 'Unu,' a Romanian hacker who belongs to an association of greyhat hackers, as reported by SoftPedia on September 5, 2009.
The Giftshop website of ING Belgium was the first reported to have flaws. PHP code that accepted unsanitized parameters allowed illegitimate SQL queries to be executed against the databases through manipulation of the URL.
The hacker said that passwords for all the Giftshop website accounts, including those of administrators, are stored in plain text. Registered users' personal information, such as e-mail addresses and full names, is also accessible.
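The two Giftshop findings above (a URL parameter reaching the SQL query unsanitized, and passwords kept in plain text) can be shown side by side with their fixes. This is an added PHP example, not code from any of the banks' sites; the table, column, parameter and function names are hypothetical and all data is constructed.

```php
<?php
// Added illustration: hypothetical schema and names, constructed data only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)');
$db->exec("INSERT INTO products VALUES (1, 'Mug', 0), (2, 'Internal test item', 1)");
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)');

// Weak pattern: the URL parameter is pasted into the SQL text, so the
// database parses whatever the client sent as part of the statement.
function findProductWeak(PDO $db, string $id): array {
    $sql = "SELECT name FROM products WHERE hidden = 0 AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type, then bind the value so it is always data.
function findProductSafe(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];                  // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT name FROM products WHERE hidden = 0 AND id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Passwords are stored as salted hashes, never as plain text.
function registerUser(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (email, pw_hash) VALUES (:e, :h)');
    $stmt->execute([':e' => $email, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$tampered = '1 OR 1=1';                     // constructed value for ?id=
var_dump(findProductWeak($db, $tampered));  // the client changed the WHERE clause
var_dump(findProductSafe($db, $tampered));  // rejected before reaching the database
var_dump(findProductSafe($db, '1'));        // normal lookup still works
registerUser($db, 'user@example.test', 'constructed-password');
var_dump(checkLogin($db, 'user@example.test', 'constructed-password'));
```

With hashed storage, a read of the users table no longer hands over working passwords, which limits the damage if a query flaw is ever found.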
Another bank, Dexia, which is based in Belgium, apparently also runs an unprotected website. A similar failure to adequately sanitize parameters passed to PHP code exposes a large number of databases to unauthorized parties.
By exploiting the security flaw, registered users' personal information, including passwords stored in plain text, could be extracted. Moreover, the server permits the use of load_file and has a writable directory, which makes it possible to execute arbitrary code. Consequently, an attacker can take control of the server.
Another hack, on the website of HSBC France, is perhaps the most recent and the most severe. In this attack on the country's leading bank, a plain SQL injection flaw was again responsible for a complete compromise of the server, whereby the hacker managed to gain access to all of the databases as well as the entire file system.
Commenting on these hacks, Internet security specialists said that an online security violation at any financial institution results in massive repercussions. Recent data breach incidents at WorldPay and Heartland, for example, led to the loss of enormous sums of dollars to Internet fraud.
» SPAMfighter News - 24-09-2009