Wall Street Journal, others, hit in mass SQL attack

Security researchers have discovered a widescale SQL injection attack that has compromised thousands of websites to spread malware, including pages belonging to the Wall Street Journal and the Jerusalem Post.

The sites were injected with HTML code that attempted to load malware from a malicious web server – robint.us – onto visitors' PCs, researchers said. All of the affected sites are hosted on Microsoft Internet Information Services (IIS) web servers, and are using Active Server Pages software from ASP.net, David Dede, lead security researcher at malware detection solutions provider Sucuri Security, told SCMagazineUS.com on Thursday. The attacks, however, are the result of vulnerabilities in third-party web applications and do not demonstrate holes in Microsoft software, Microsoft has said.

“Looking at the logs, the attackers were scanning for multiple vulnerabilities, trying different SQL injections,” Dede said.

In the case of the Wall Street Journal, the infection was the result of a compromised third party, adicio.com, which provides real estate listings that displayed on certain pages of the WSJ.com website, Mary Landesman, a senior security researcher at Cisco, wrote in a blog post Wednesday.

The attack, discovered earlier this week, also affected the websites Servicewomen.org and Intljobs.org. On Tuesday, around 10,000 websites were infected, Dede said. Many sites had more than one page affected, causing the total number of infected pages to reach more than 100,000 earlier this week.

Most of the impacted sites, including the Wall Street Journal, Jerusalem Post and Servicewomen.org, have already removed the malware. Approximately 7,000 web pages currently remain infected, researchers said. The malicious web server was taken offline approximately 24 hours after the attack began, so sites that currently remain infected are no longer distributing malware.

Landesman said attacks like this are nothing new.

“Many of these same compromised pages have been repeatedly compromised in one SQL injection attack after another since 2007,” she wrote in a separate blog post Tuesday. “Attacks like robint.us are just one of over a thousand unique attacks carried out via the web each month.”

SQL injection attacks are popular because a lot of applications are still vulnerable, and the technique is easy for cybercriminals to pull off, Dede said.

Additionally, he said, the sites that were affected in this compromise may still be vulnerable to getting attacked again.

“They got hacked through SQL injection,” Dede said. “So, if they didn't fix [the SQL vulnerability], they can get hacked all over again.”
