Despite its time-honored status from a technical standpoint, SQL injection remains a massively popular format for online malware campaigns, with a tidal wave of the threats currently emanating out of China.
As proven in the recent indictment of American Roberto Gonzalez, charged with helping to carry out some of the largest card data heists discovered on U.S. soil over the last several years, including the notorious TJX Companies and Heartland Data Systems infiltrations, SQL injection remains a powerfully effective means of attack.
Researchers are pointing to the latest surge of SQL injection attacks coming out of China as particularly noteworthy in the sense that they are so heavily concentrated in the region, versus more typical campaigns that seek to utilize botnet infrastructure worldwide to de-centralize their distribution.
In a blog post, Amichai Shulman, CTO of firewall specialists Imperva, said that his company has observed that over the last month in particular, SQL injection campaigns being generated in China have shifted from worldwide distribution to heavy concentration in the world’s most populous country.
“We’ve seen the attacks coming from 60 different servers which are all located in China. This is quite unusual as most previous campaigns had attack vectors coming from bots all over the globe,” Shulman said. “Interestingly enough, four weeks into this attack campaign the malware distribution servers are still up and running.”
Thus far Shulman said his team has observed over 1.25 million downloads cascading across the involved distribution sites that they are already monitoring.
“We are seeing a constant flow of attacks aimed at drive-by-download. Just in the past two months we have seen three different strands of such attack campaigns,” he said.
And when scanning the Google SafeBrowsing diagnostic directory information for reports about some of the domains being used in the SQL injection attacks, he said that there appear to be no current warnings about the malicious activity.
While the expert has no explanation for the heavy use of SQL injection in China, one of his theories regarding the upswing in the threats in general is that creation of some new scanning tools is allowing cyber-criminals to more easily identify legitimate sites that may be vulnerable to infection using the tactic.
Once again we’re seeing that when it comes to online malware and data theft, attackers seem to have little motivation to create altogether new breeds of assaults, as well-known practices such as SQL injection remain so effective, and in regions such as China there is little enforcement to stop new waves of the threats.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
