BusinessWeek suffers SQL injection attack

Business news magazine BusinessWeek has become the latest victim of the rising phenomenon of SQL injection attacks.

Security firm Sophos said that the company had hundreds of pages within its site infected with malicious code.

Graham Cluley, senior technology consultant at Sophos, said in a blog posting that the attackers had apparently run the attack through BusinessWeek's online job-hunting application.

SQL injection attacks are performed by entering specially-crafted code into a page's input field which can covertly redirect users to malicious sites. In this case, the code was redirecting users to an attack page hosted in Russia, according to Cluley.

"It is worrying when any site suffers from a malicious SQL injection attack but, when it's also one of the 1,000 busiest websites on the internet, the stakes are even higher," he said.

"The potentially large number of people visiting the site and accessing information to assist their careers may be putting their finances or personal data in jeopardy if they are not properly protected."

The magazine has said that it has removed the offending web application and that no user data was believed to be compromised.

SQL injection attacks have become increasingly popular in the past year. The tactic is often used to compromise online forums and can be scripted automatically to generate hundreds of thousands of infected pages.

Because many of the avenues used in SQL injection attacks are not necessarily known vulnerabilities, but rather the result of poorly configured servers, many hosts may not even be aware that they are vulnerable.

Copyright ©v3.co.uk

attack businessweek injection security sql suffers