The SQL injection attack this week on the Sony PlayStation website is a high-profile example of what continues to be a rampant number of legitimate websites falling victims to insecure coding, researchers said on Wednesday.
The result was that visitors to the compromised pages on Tuesday were assaulted with pop-up advertisements hawking anti-virus software that does not work, he said.
“Obviously some people can be fooled into [buying] these sorts of things,” Cluley said.
The site now appears to be clean of the malcode. A Sony spokesperson could not be reached for comment.
“There's underlying infrastructure here that Sony and many other websites need to fix,” Cluley said. “We've seen thousands upon thousands of examples of this. If you're running an SQL database on your website, have you secured it?”
Researchers said the PlayStation example is a tiny piece a growing trend of legitimate websites being compromised to serve as silent directors to exploits. The threat began an earnest last year after hackers began developing tools to automate the attacks.
“When the user visits the compromised site, these IFRAMEs and malicious references work in the background to pull the malicious content from the [hacker] sites,” Mary Landesman, senior security researcher at web security firm ScanSafe, told SCMagazineUS.com.
She said that in recent weeks, the Asprox botnet has returned in force to help launch SQL attacks. It is based out of China and is used to comb the web for sites containing vulnerable code.
If users visit one of the compromised sites and are not running fully patched RealPlayer or Flash programs, their machines could become infected with password stealing trojans, Landesman said. Also, their machines would be added to the growing Asprox botnet.
“I can assure you that in terms of these SQL injection attacks, this is not a problem that is being exaggerated," she said. "There are literally millions of sites and pages involved in this."
Microsoft and Hewlett-Packard recently joined forces to offer security teams some free tools to discover vulnerabilities in code.
“You need to do filter handling on your forms and when you're making database queries so that invalid code – maybe pointing to someone else's website – isn't allowed through,” Cluley said.
News of continued mass SQL attacks comes as a new report -- from Google, IBM Internet Security Systems and Switzerland-based Communication Systems Group -- showed that 45 percent, or 637 million users, surfed the web from January 2007 to June 2008 with an out-of-date browser.
Though the burden to protect against SQL injection attacks falls on the website, consumers are often impacted from resulting malware if their machine contains some vulnerability, often located in their browsers or browser plug-ins.
See original article on scmagazineus.com
Sony PlayStation website hit by SQL attack
By Dan Kaplan on Jul 3, 2008 10:05AM