SQL Injection attacks on the rise

Research by SecureWorks, the managed IT security firm, suggests that the number of attacks on banking, credit union and utility firms using SQL Injection - a type of Web application attack - is rising fast.

According to Jon Ramsey, the firm's CTO, between January and March of this year, the company blocked somewhere between 100 and 200 attacks of this type every day for its clients.

"As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," he says.

"The majority of the attacks are coming from overseas," said Ramsey, adding that, although the company has seen a higher volume than with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack.

Ramsey went on to say that, depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers and email addresses.

A recent example of a SQL Injection attack occurred last December when Russian hackers broke into a Rhode Island government Web site and stole credit card information from people who had carried out business online with state agencies.

According to Ramsey, the Russian hackers claimed to have stolen 53,000 credit card numbers during this attack.

The solution to these types of attacks, he says, is for organisations to use 'input validation' for any form on their site to ensure that only the type of input that is expected is accepted.

Additionally, says Ramsey, organisations need to protect not only their applications, but the server on which they run, the database from which the Web application is retrieving information, and the operating systems upon which the Web servers, applications and database reside...
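
The 'input validation' Ramsey describes, sketched as an added example that is not part of the original article: each form field is checked against an allow-list pattern for the type of input expected, and anything else is rejected before the database is touched. The field names, patterns and sample table are assumptions made for illustration, and the bound-parameter query goes one step beyond what the article states.

```python
import re
import sqlite3

# Allow-list rules per form field (hypothetical field names): a value must
# fully match the expected type and length, otherwise the request is rejected.
FIELD_RULES = {
    "account_number": re.compile(r"[0-9]{8,12}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,24}"),
    "zip_code": re.compile(r"[0-9]{5}(-[0-9]{4})?"),
}

def validate_form(form):
    """Return (clean, errors). Unknown, missing or malformed fields are errors."""
    clean, errors = {}, {}
    for name in form:
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
    for name, rule in FIELD_RULES.items():
        value = form.get(name)
        # fullmatch() anchors both ends, so trailing newlines or extra text fail.
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            errors[name] = "missing or not in the expected format"
        else:
            clean[name] = value
    return clean, errors

def lookup_customer(conn, form):
    """Validate first, then pass values as bound parameters, never by string building."""
    clean, errors = validate_form(form)
    if errors:
        return None, errors
    row = conn.execute(
        "SELECT name FROM customers WHERE account_number = ? AND email = ?",
        (clean["account_number"], clean["email"]),
    ).fetchone()
    return (row[0] if row else None), {}

def demo_db():
    """Constructed in-memory sample data, not taken from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account_number TEXT, email TEXT, name TEXT)")
    conn.execute("INSERT INTO customers VALUES ('12345678', 'pat@example.com', 'Pat Example')")
    return conn
```

Validation rejects input outright instead of trying to clean it up, and the bound parameters keep any value that does pass from being interpreted as SQL.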