The past three months has seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using SQL injection, a type of Web application probe.
Atlanta-based IT security services provider SecureWorks says from January through March, it blocked anywhere from 100 to 200 SQL Injection attacks per day. But as of April that number jumped from 1000 to 4000 to 8000 per day.
SQL Injection is a type of security exploit in which the attacker adds structured query language (SQL) code to a Web form input box to gain access to a form's resources or to make changes to data. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.
SecureWorks says the majority of the attacks are coming from outside the US.
Jon Ramsey, CTO, SecureWorks, says although other types of attacks have a higher volume, what makes the SQL Injection exploits concerning is that they often target a particular organisation, unlike a worm which spreads indiscriminately.
"What makes this vulnerability so pervasive is that SQL Injection attacks can prey on all types of Web applications - even those as simple as a monthly loan payment calculator or a 'signup for our customer newsletter' form," says Ramsey. "Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company's key customer databases containing social security numbers, account numbers, credit card numbers, e-mail addresses, etc."
SQL injection attacks include the CardSystems security breach last year, where hackers stole 263,000 customer credit card numbers and exposed 40 million more.
More recently Russian hackers broke into a Rhode Island government Web site and stole credit card information from individuals who had done business online with state agencies. The Russian hackers claimed to have stolen 53,000 credit card numbers during the attack in December.
SecureWorks says in order to protect against SQL Injection attack, firms should use "input validation" for any form to ensure that only the type of input that is expected is accepted.
Organisations should also move to protect the Web server on which the Web application is running, the database from which the Web application is retrieving information, and the operating systems upon which the servers, applications and database reside.