Most Web Hacks Found to be Profit-oriented
Breach Security Labs, the research wing of Breach Security Inc., announced the results of its yearly Web Hacking Incident Report on February 7, 2008. The results are based on data accumulated during 2007 within the WHID (Web Hacking Incidents Database) project, which is run under the supervision of the WASC (Web Application Security Consortium).
The results show that 40% of Web attacks in 2007 were launched to obtain personal data, and 67% of attacks were profit-motivated. More than 20% of all attacks used Structured Query Language (SQL) injection, which was the most dominant technique applied. Attacks of this kind impaired thousands of legitimate Websites, although some with .edu and .gov addresses recovered quickly.
The data from the WHID project indicates that 44% of attacks during 2007 were linked to non-commercial Websites such as education and government sites. Researchers speculate that the number of these incidents is influenced by the many disclosures at such institutions, which result from legislation that mandates public disclosure of data breaches.
With regard to commercially driven attacks, vulnerable or poorly designed Web applications were exploited most at exclusively Internet-based businesses such as search engines, hosting providers, and social networking sites. With the number of members on social networking Websites increasing at unlimited rates, this is a particular worry. As membership expands, the effect of these assaults could grow exponentially.
After scanning the WHID data, Jeremiah Grossman, co-founder of WASC and CTO of WhiteHat Security, said that Web application security is essentially about visibility. Therefore, it is vital for researchers to figure out what hackers are capable of exploiting and what they are already exploiting, to analyze how and why they exploit it, and then to find the trend in where they will exploit next, Grossman said. Darkreading reported this on February 7, 2008.
According to security experts, the Web application layer forms the ground for all kinds of attacks, especially since firewalls and other security software have made it difficult to penetrate computer networks from outside.
Rounding out the list were malicious spyware, bot-induced identity theft, Web 2.0 exploits, and phishing activity.
» SPAMfighter News - 18-02-2008