Wednesday, 11 November 2009

SQL injection sees a big payout

Yesterday, prosecutors in Atlanta announced indictments against an alleged crime ring from Eastern Europe. The achievements of their hackers point to frightening means of financial data theft. According to the reports, the hackers attacked payment processor RBS WorldPay, cloned prepaid ATM cards, and used them to withdraw cash totaling $9 million from 280 cities globally. These attacks took place in November 2008, and the timing is significant given that similar breaches of card data were occurring via SQL injection attacks.

In the spring of 2008, fully automated SQL injection attacks were spreading rapidly, but the reports focused on the visible outcomes and listed them as “i-frame attacks” rather than naming their root cause, a database attack. At the time we warned that SQL injection attacks were both increasing and becoming more severe, moving to attacks whose purpose was to serve as much malicious code on as many web sites as possible. In the few months between that time and November 2008, the attacks moved beyond proof of concept and annoyance hacks to direct database manipulation and fraud. One year later, our call to action remains the same: all companies need to address the vulnerabilities the web environment poses to their databases. We recommend adding security precautions so that SQL injection attacks are blocked and the database cannot be used directly to mount a costly and embarrassing data breach.