Recent SQL Injection Attacks

For the past few months, internet security organizations have been busily tracking a huge increase in attempted SQL injection attacks. Although SQL injection exploits have been well known and documented for years, the increase in attacks is directly related to advances in technology that have completely automated the process of identifying and exploiting vulnerable websites. This level of automation, coupled with the fact that an estimated 1 in 10 sites is vulnerable, has led to serious ramifications for websites of all sizes. From Walmart & Cardservices International to small mom-and-pop websites, it is estimated that over 1.5 million sites have fallen victim to these attacks.

In the past, the goal of most website hacks was either to deface the website or to gain access to sensitive information. Recently, attackers have instead been seeking to “infect” compromised websites with malicious scripts that compromise the computers of people who visit the website. Imagine trying to explain to your best customer how visiting your website led to their computer being infected with software that gives hackers access to their files, passwords, and personal information.

At Big Step Consulting we recently saw these attacks affect two of our clients in very different ways.

Client A was a customer we had done some consulting and database work for in the past. Their website had been developed prior to them engaging us - we did not develop it, and it was not hosted on our servers. One morning they woke up and noticed some weird things happening to their computers when they tried to visit their website. After a little investigation they became very concerned. Portions of their website weren’t displaying correctly and they couldn’t log in to their admin tool; something was very wrong. After doing a little bit of research and having us review their database, it was clear they had fallen victim to a SQL injection hack. We immediately took their site down to try to contain the damage and minimize their visitors’ exposure to this hack. Unfortunately, because of how their site was designed, there were literally hundreds of potential holes just waiting to be exploited. We began the long process of restoring their database and conducting a thorough, line-by-line security audit so we could bring their site back online in a safe manner.

This story stands in very stark contrast to that of another one of our clients. Client B is someone whose website we designed, hosted and actively managed. Around the same time client A’s website was being taken offline, we received an automated notification of some unusual activity on one of our web servers. Upon investigation, it was apparent that someone was attempting to launch a SQL injection attack against client B’s website. We immediately notified client B and monitored the situation in real time as the hacker continued to try to find a hole to exploit. Eventually, after having no success, they moved on to an easier target. Once it was clear the hack attempt was over, we did a quick inventory of the database and file structure and were able to confirm that the hack was indeed unsuccessful.

At Big Step Consulting we pride ourselves on building secure applications that adhere to industry best practices. The saddest and most frustrating thing about these recent attacks is that protecting against SQL injection is relatively easy for a seasoned developer. The fact that 1 in 10 websites continues to be vulnerable makes us seriously question the professionalism of many web developers out there.

If your website has fallen victim to one of these recent attacks and you need assistance, we would love to help. If you are concerned about security and unsure how your site stacks up, we are currently offering free, no-obligation security audits to help put your mind at ease.

Contact us today and let us know how we can help.
