Forgot your password?
typodupeerror
Databases Security The Internet

New SQL Injection Attack Fuses Malware, Phishing 202

Posted by kdawson
from the trust-me-just-click-on-it-ok dept.
PainMeds tips a recent post in Secure Computing's research blog describing a new SQL injection attack that had infected thousands of MSSQL-based web servers by last weekend, turning them into malware delivery systems. The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site. Sites using Sybase might possibly be vulnerable, as it uses the same exploited syntax that MSSQL does. The post includes an example of the attack. Unlike most malware attacks, this one appears to originate from the site the user is actually visiting. From the blog: "'Similar to phishing, this attack takes advantage of the website visitor's trust in the site they are visiting. Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site... These web pages are associated with Web sites from around the world and supplying various content — including government sites, sales sites, real estate sites, and financial information sites among others."
This discussion has been archived. No new comments can be posted.

New SQL Injection Attack Fuses Malware, Phishing

Comments Filter:

I am a computer. I am dumber than any human and smarter than any administrator.

Working...