Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, a security researcher said on Monday in the US.
Sophos' Graham Cluley
(Credit: Sophos)
It's unclear how long the site has been compromised and there is no evidence that BusinessWeek.com readers have been affected, but also no evidence that they haven't, said Graham Cluley, senior technology consultant at Sophos.
The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek web site, he said. The executable code in the database links to a web site with a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.
The Russian Web site was offline right now, but could be put back online at any time, according to Cluley.
The malware was found to be on a section of the BusinessWeek site that offered information about the top companies that recruit from particular MBA programs, he said. The attack would not only put visitors to that section at risk, but also their employer if the computer they were using had corporate data on it, he said.
Sophos contacted BusinessWeek about the security problem last week, but the malicious code was still in the site's database, Cluley said.
A BusinessWeek.com representative said she would call back with comment.
SQL injection attacks are on the rise primarily because they work; they target Web sites that computer users trust and the attack is stealth so victims usually don't know their computer has been compromised.
Google's Blogger was cited by Sophos this summer as the top malware host site. Sony's PlayStation site was targeted recently and 70,000 sites were found to have been compromised by a massive SQL attack earlier this year.
"SQL injection attacks have been the story of 2008," Cluley said. "This is one of the major security problems affecting the Internet today. We discover a new infected web page every five seconds. That's three times worse than the rate last year."
Typically, organised crime gangs are behind the attacks, attempting to snag bank data to use for identity fraud, he said. They sell credit card and bank account numbers and passwords on underground forums and auction sites. Buyers use the data for online transactions or to create fake credit cards.
Cluley has more details and a video explaining the attack on his blog.
Every day it seems like another well know web site is hacked and found to be hosting malicious content or redirecting unsuspecting users to sites hosting malicious content.
The onus for protection falls on both parties, users need to be sure they are protected against untrusted sites and malware, but the web site owners need to be taking steps to check that the coding, servers and applications that make up their web sites are not vulnerable to attack.
The security industry is moving at lightning pace to provide the tools neccessary for both user and site owner, but both groups need to take ownership to beat these threats and make the Web safe.