Breach Security Inc.: SQL injections compromised 500,000 sites in 2008

In a new annual report “Web Hacking Incidents Database (WHID) 2008” Breach Security, Inc., the leader in web application integrity, security and PCI compliance, provided the data that show internet hackers were practicing a new type of SQL injection attack in 2008 that successfully compromised more than 500,000 web sites.

Among other things the report pointed to the fact that cyber criminals changed their attack methodology by shifting their focus from sensitive information within the web site’s database to a web site’s large customer base in 2008. This way, hackers turn a web site into a malware launching point when legitimate users visit the site. The report also revealed 29% of incidents were recorded without specifying the attack method which may be explained by lack of visibility of web traffic and resistance to public disclosure.

The report identified that 19% of attacks in 2008 were aimed at stealing personal information which could be further promoted on the corresponding sites where personal records are the easiest virtual commodity to exchange for money. In addition the report revealed that the violators exploited web sites for financial gain via planting malware (16%) and phishing (5%).

Still, the financial gain was not the only motivation for perpetrators. The report revealed that the number one attack goal in 2008 was web site defacement. The WHID report found that 32% of attacks were targeted at “Government, Security and Law Enforcement” sector. Used primarily to target political parties, candidates and government departments, ideologists often defaced a web site with a very specific message related to a campaign.