Softpedia
 


August 20th, 2009, 11:43 GMT · By Catalin Cimpanu

Hackers Prefer SQL Injections and Social Networks

A report by the Web Application Security Consortium (WASC) ranks SQL injection as the top vulnerability that hackers tend to go after. In the first half of 2009, hackers went after social and media websites because of their large user pools and public exposure.

A large number of incidents were recorded for the report, with many different causes and exploited vulnerabilities. At the top of the list was the classic SQL injection technique, which accounted for 19% of all incidents, followed by insufficient authentication barriers (10%) and a large number of incidents that were not resolved and were categorized as having unknown causes (10%). Other notable exploited vulnerabilities of 2009 were content spoofing and DoS caused by automated attacks.

Most of these incidents were profit-driven, with hackers aiming for financial gain from their exploits (phishing – 2%, link spam – 4%, monetary loss – 11%, data leaks and information stealing – 26%), but there were also recorded incidents where the attack had ideological purposes, such as disinformation (19%) and website defacement (28%).

As seen from recent attacks on social networks, a large gathering of people on the Internet is as attractive to hackers as a concert is to a suicide terrorist. Hackers have been running wild on many social networks for quite a while, but this year things got out of hand, when large-scale attacks were launched more than once on big providers like Twitter, Facebook, LiveJournal or YouTube.

19% of all attacks targeted social websites, where large user bases accounted for large hacker profits. Media websites were ranked second, with 16%, due to their large exposure, followed by e-commerce websites that presented another opportunity of big earnings for an experienced attacker.

This report is issued twice a year by WASC, the maintainer of the Web Hacking Incidents Database (WHID), a database that stores security incidents and attacks. WHID focuses on the incidents themselves, and not on the causes or attackers, offering a bigger picture than CVE or OSVDB reports.

The report shows how vulnerable websites tend to become as their user pools and revenues grow. The days of “just for fun” hacking are long gone.

[Figures: Attack source; Attack objective; Targeted vulnerability; Main attack target website]
