Cybercriminals are spreading invisible infections far and wide across the Internet by hammering hundreds of thousands of Web sites each day with so-called SQL injection attacks.
The trend started last summer and has continued to accelerate. IBM Internet Security Systems says it identified 50 percent more infected Web pages in the last three months of 2008 than it did in all of 2007.
Click on one and you won’t notice anything. Your PC gets turned into an obedient “”bot,” short for robot, deployed to attack other computers. All of your sensitive data get stolen.
SQL attacks take aim at the database layer of Web sites. They typically were manual attacks designed to pilfer customer data from merchant Web sites. But last June someone figured out how to automate the attacks, and use them to plant infections.
“”It was a brilliant tactical move. You sit back and wait for someone to visit the site, and soon you infect thousands of PCs,” says Ryan Barnett, Breach Security’s director of research.
An infected PC thereafter gets put to work delivering spam and spreading more infections. And any sensitive data, such as log-ons and account numbers, get stolen.
For the first five months of 2008 IBM ISS helped large corporations block about 5,000 SQL attacks a day. By mid-June, daily attacks spiked to 25,000; by October they topped 450,000 a day. Holly Stewart, IBM ISS threat response manager, says the infections take advantage of security flaws in cool website features, such as online-delivered video, music, photos, documents and work files.
“”Web applications are one of the most outward facing components a corporation could have, and one of the least protected,” she says. “”And SQL injection is the fastest-growing category of attacks affecting Web applications.”
Giant financial institutions and online merchants have put up strong defenses, says Phil Neray, vice president of security strategy at Guardium, a database security firm. “”The same is not necessarily true of regional banks and credit unions, smaller online retailers and state government agencies.”
Security experts say consumers must keep updates for anything to do with their browser current, though most now do not do this. This includes updates for Internet Explorer, Firefox, Safari, Opera, Chrome, Adobe Flash, Adobe Reader, iTunes, QuickTime, Windows Media Player and RealPlayer. Such updates increasingly include important security patches that can block infections from taking hold.