Regardless of lots of mainstream media attention, some administrators of government and big business websites remain oblivious to ongoing SQL injection attacks. As a result, even more sites have become pawns that serve up malware to unsuspecting visitors.
According to data recently released by security solution provider Finjan, in July the company "detected over 1,000 unique Website domains" that were compromised by SQL injection attacks. Web pages on each of the sites contained code that could cause malware to become installed on a visitor's computer.
Among the more recent victims are several government sites, including the city of Marysville in California, the Department of Culture and Tourism of Bahia in Brazil, the city and county of San Francisco, the National Health Service in the UK, and the South African Medical Association.
Many big businesses aren't minding their security either. Coca Cola, Snapple, BMW, the Baltimore Times, and the University of California were all found to also have been hacked via SQL injection attacks.
Finjan said that the malware served up by the sites tries to exploit several different vulnerabilities, and when successful such an attack leads to the installation of a Trojan on a user's system.
In response to Finjan's latest quarterly Web Trends Security Report, company CTO Yuval Ben-Itzhak said, "Over the course of the last 18 months we have been watching the profit-driven Cybercrime market maturing rapidly. It has evolved into a booming business, operating in a major shadow economy with an organizational structure that closely mimics the real business world. This makes businesses today even more vulnerable for cybercrime attacks, especially considering the maturity of the cybercrime market and its well-structured cybercrime organizations."
