Automated hacking
Sep 24 2008
What do the Sony Playstation game ‘SingStar Pop’ and the Association of Tennis Professionals (ATP) have in common?
In the last few months the websites of both were hit by a sneaky form of automated hacking that hijacked their pages and downloaded malicious code onto the PCs of innocent third party visitors.
Both companies had their failings aired in public by IT security firm Sophos, which reports such incidents to the media if sites continually fail to protect their visitors.
While the publicity for both companies was no doubt unwelcome, the damage was relatively mild. The code just flashed a false warning telling visitors their computers were at risk and encouraged them to buy some security software, thereby harvesting the credit card details of the gullible.
Once a site is hijacked it’s easy for a hacker to snare people with something more sinister like a key logger, which collects passwords and can result in full-scale identity theft. For a start-up making its first forays into online commerce, the damage to reputation if customers start having their details hijacked could be fatal.
Sony and ATP quickly fixed the problem in the wake of negative publicity. But many companies fail to do so: ‘It is not uncommon to receive no response from the owners of an infected website, and still find it’s infected days later,’ says Sophos’s director Mark Harris. ‘During that time, hundreds if not thousands of innocent internet users could have been unwittingly hit by the malware infection.’
Something nasty
The culprit was a simple ‘SQL injection attack’, in which a hacker attacks the database behind a webpage through the page’s own input forms. Many internet sites collect information from users through ‘name’ and ‘email’ fields and store it in a database. In an SQL injection the hacker sends not personal details but lines of programming code through these fields, and a database that fails to check its input executes them.
A vulnerable database will happily perform functions such as emailing user lists and ‘forgotten’ passwords to cybercriminals, while more malevolent scripts can ‘drag in even more malicious code’, explains senior Sophos technical consultant Graham Cluley, and even upload it to users with vulnerable browsers.
‘Some people regularly go through their databases removing the scripts, but they don’t change the underlying problem and get re-infected almost immediately,’ Cluley says.
Expensive security software and consultants are a fall-back, but good programming is enough to prevent most problems. ‘If fields ask for a name, limit them to a maximum of 25 characters and don’t allow brackets,’ Cluley suggests.
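As an added example (not code from the article, Sophos or any of the sites named), here is the flaw Cluley describes and its fixes in Python with SQLite: a ‘name’ form value spliced into the SQL text versus the same value bound as a parameter, plus the 25-character, no-brackets check. The table, the names and the sample form input are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: a small newsletter sign-up table of the kind the article describes.
SIGNUPS = [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
    ("Carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sign-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signups (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO signups VALUES (?, ?)", SIGNUPS)
    return conn


def lookup_vulnerable(conn, name):
    """The flaw from the article: the form value is pasted into the SQL string,
    so whatever the visitor typed becomes part of the query itself. A value
    containing a quote can turn a single-row lookup into a dump of the table."""
    sql = f"SELECT name, email FROM signups WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened form: the driver binds the value as data, so quotes or SQL
    keywords in the input can never change the shape of the query."""
    sql = "SELECT name, email FROM signups WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Cluley's rule of thumb: at most 25 characters, and nothing but letters, spaces
# and hyphens, which rejects brackets and quotes alike. This is defence in depth
# on top of parameterised queries, not a replacement for them.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z -]{0,24}$")


def valid_name(name):
    """Return True only if the submitted name passes the length and character check."""
    return bool(NAME_RE.match(name))
```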
While SQL injection attacks have been around for a while, they recently resurfaced in the shape of the ‘Asprox botnet’. This involved a network of computers run by a hacker which automatically searched and attacked websites.
The high level of automation offered by such botnets means any vulnerable site – government, private or business – will eventually be found and compromised. In the first two weeks of July, Asprox compromised more than a thousand sites, including those belonging to the Queensland government in Australia, soft drink maker Snapple, BMW Mexico and the City of San Francisco.
‘These are genuine companies doing ordinary business,’ says Cluley. ‘It makes it hard to give common sense advice because any site can be infected. In the old days we could just tell people to avoid risky sites like gambling and porn sites, but now you can’t say things like “sites about bird watching are less likely to be infected”.’