14 DAY TRIAL // BusinessWeek has just joined a group of highly rated and visited websites that fell victims to SQL injection attacks. Graham Cluley, Senior Technology Consultant for the security company Sophos, disclosed that parts of the website of the popular weekly magazine were attempting to serve malware from a Russian server.
SQL Injection has been at the top of vulnerability trends in recent years along with XSS (cross-site scripting). The SQL Injection name comes from the end-result of the exploitation of such a vulnerability, which is to inject malicious code into the web application's SQL database. This code is generally used to spread malware from third-party servers.
The new BusinessWeek incident adds to the other 16,000 pages affected by SQL Injection discovered daily (according to a Sophos report). Mr. Cluley points out that hundreds of individual BusinessWeek pages from a section of the website were affected. What's even worse is that the particular section was addressed to MBA students looking for career opportunities.
The injected malicious code was trying to serve malware from a .ru website, but the server in question was offline at the time when the attack was discovered. According to Cluley, this wasn't necessarily permanent and the status of the website could have changed, which would have posed a serious security risk to the personal or financial information of the users. A BusinessWeek spokesman commented for The Register that, following their investigation, it was determined that no sensitive information had been compromised and that the particular web application affected had been removed from their website.
Even so, Mr. Cluely pointed out that BusinessWeek had been notified about that last week and two days ago the malicious code was still online. All companies should work to fix these problems as soon as possible as time is essential with these attacks, the longer the code remains online, the higher the chances of more people getting infected are.
In a short video, Cluely outlines the basic steps companies should take in order to prevent such incidents. They include adopting development best practices, ensuring web applications run with lowest possible database privileges, constantly checking server logs for suspicious activity as well as using programs designed to tighten the security of web applications.
Graham Cluley's video explaining the BusinessWeek incident