News

Security: SQL Injection and rogue movies and PDFs target website visitors

Cliff Saran

Businesses are putting their customers at risk due to lax security according to IBM's annual 2008 X-Force Trend and Risk report.

X-Force found that corporations were unwittingly putting their own customers at risk for cyber-criminal activity. With the increase in attacks using legitimate business sites as launching pads for attacks against consumers, cyber-criminals are literally turning businesses against their own customers in the ongoing effort to steal consumers' personal data, X-Force said.

Kris Lamb, senior operations manager at X-Force Research and Development for IBM Internet Security Systems, said hackers were using large-scale, automated SQL injection attacks, a trend that began in 2008 and has continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen this summer, he noted.

"This is one of the oldest forms of mass attack still in existence today. It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed. Cyber-criminals target businesses because they provide an easy target to launch attacks against anyone that visits the web."

X-Force noticed that attacks using ActiveX and downloadable content such as movies and Acrobat files, have also increased. According to X-Force, hackers are now using malicious movies (for example, Flash) and documents (for example, PDFs). In the fourth quarter of 2008 X-Force traced a 50% increase in the number of malicious URLs hosting exploits than were found in the whole of 2007.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy