Saturday, 14 March 2009

Hackers still driven by urge to vandalize Web sites

February 26, 2009 (IDG News Service) A study of 57 Web-site hacks carried out last year showed that the largest block of them — 14, or 24% — were aimed at defacing sites rather than seeking financial gain or causing monetary losses to the organization being attacked.

The findings in the annual report gleaned from the Web Hacking Incidents Database, which is maintained by the Web Application Security Consortium (WASC), suggest that stealing money or data still may not be the biggest motivating factor for hackers, although attacks involving data thefts certainly have been on the rise in recent years.

"While financial gain is certainly a big driver for Web hacking, ideological hacking cannot be ignored," said the report, which was sponsored by Breach Security Inc., a Carlsbad, Calif.-based security software vendor, and prepared with support from the WASC.

Although hundreds of thousands of Web-site attacks took place in 2008, strict criteria were set for the incidents analyzed as part of the study: The researchers looked only at attacks that were publicly disclosed, involved problems with Web application security and had an identifiable impact on the organization whose site was hit. Those requirements enabled the researchers to examine the potential business impact of attacks as well as the technical failures that allowed them to happen, according to the report.

Most of the Web-site defacements among the studied attacks "were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign," the report said. "Others [had] a cultural aspect, mainly Islamic hackers defacing Western Web sites."

The second most popular motivation for attackers, according to the report, was stealing sensitive information, which occurred in 11 of the 57 hacks (19%). That was followed by planting malware, which was cited in nine incidents (16%), and causing monetary loss, which was deemed to be the motivation in seven attacks (13%).

The most common attack technique was SQL injection, which involves inputting commands into Web-based forms or URLs in order to steal information from databases or plant malware in an attempt to infect the computers of users visiting a Web site. Seventeen of the 57 attacks, or 30%, involved the use of SQL injection methods, the report said.

Last spring, a wave of attacks was carried out by hackers who used automated tools to seek out Web sites that were vulnerable to SQL injection attacks. At the time, security vendors estimated that as many as 500,000 Web sites fell victim to the attacks.

Such incidents indicate that SQL injection hacks have displaced cross-site scripting attacks as the most widely used method of breaching sites. Cross-site scripting flaws are easier to find than SQL injection errors are, but it is "somewhat harder to take advantage of them for profit-driven attacks," the report said.
