Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 17 February 2008

List of Incidents for a Classification

Please note that classifications are a new feature and not all entries in WHID have been classified yet, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we have not classified yet. We hope to complete the classification process soon.

Select classification:
Attack Method, Country, Location, Origin, Outcome, Software, Vertical

Select criteria for classification "Outcome":
Blackmail, Chaos, Deceit, Defacement, Disclosure Only, Downtime, Extortion, Identity Theft, Information Warfare, Leakage of Information, Link Spam, Loss of Sales, Monetary Loss, Phishing, Planting of Malware, Political Defacement, Spam, Worm


List of incidents for which Outcome is Planting of Malware
14 incidents listed
WHID 2007-85: IndiaTimes.com Visitors Risk High Exposure To Malware
Reported: 17 February 2008
Occurred: 09 November 2007

Classifications:

  • Attack Method: Unknown
  • Country: India
  • Outcome: Planting of Malware
  • Vertical: Media

The web site of a leading Indian newspaper is swamped with malware. A recent survey by WebSense, cited by The Register, found that of the sites hosting malware, 51% were legitimate sites that had been broken into. This is a major shift in the threat landscape, since keeping to web sites that you know is no longer a good protection strategy. Anecdotally, it undermines WebSense's own web site classification technology as a security solution.

References:

WHID 2008-06: Hackers Take Down Pennsylvania Government
Reported: 28 January 2008
Occurred: 06 January 2008

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Planting of Malware
  • Outcome: Defacement
  • Vertical: Government

You dfon

References:

WHID 2007-82: An SQL injection Mass Robot
Reported: 08 January 2008
Occurred: 28 December 2007

Classifications:

  • Attack Method: SQL Injection
  • Origin: China
  • Outcome: Planting of Malware

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the names of the Chinese sites referenced in the malicious code.

As a security practitioner I often see SQL injection bots, many times when I install ModSecurity, an open source web application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued, I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct of this vector is that the results are catastrophic for the site owners. While in the case of common defacement attacks restoring (or recreating) the homepage is all that is required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.
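The damage pattern described above, every reachable text value rewritten to carry an external script reference, can be scoped and cleaned up from the database side. The following is an added example, not WHID's or ModSecurity's code: it assumes the payload is an appended `<script src=...></script>` tag, uses a constructed in-memory SQLite database with a made-up hostname, and reports which tables and columns were hit before stripping the tag from every affected value.

```python
import re
import sqlite3

# Assumed payload shape: an appended external <script src=...></script> tag.
INJECTED_SCRIPT = re.compile(r'<script[^>]*\bsrc=["\'][^"\']*["\'][^>]*></script>', re.I)

def q(name):  # quote an identifier read from the (compromised) database itself
    return '"' + name.replace('"', '""') + '"'

def build_sample_db():
    """Constructed sample: a small site database where the bot hit some rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
                      "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, karma INTEGER);")
    tag = '<script src="http://malicious.example/x.js"></script>'  # constructed
    con.executemany("INSERT INTO articles(title, body) VALUES (?, ?)", [
        ("Welcome" + tag, "First post" + tag), ("Clean article", "Nothing to see"),
        ("Hacked" + tag, "Body too" + tag)])
    con.executemany("INSERT INTO users(name, karma) VALUES (?, ?)",
                    [("alice" + tag, 10), ("bob", 3)])
    con.commit()
    return con

def scan(con):
    """Return {(table, column): affected rows} over every TEXT column."""
    hits = {}
    for (t,) in list(con.execute("SELECT name FROM sqlite_master WHERE type='table'")):
        cols = [r[1] for r in con.execute(f"PRAGMA table_info({q(t)})")
                if (r[2] or "").upper() == "TEXT"]
        for c in cols:
            n = sum(1 for (v,) in con.execute(f"SELECT {q(c)} FROM {q(t)}")
                    if v is not None and INJECTED_SCRIPT.search(v))
            if n:
                hits[(t, c)] = n
    return hits

def clean(con):
    """Strip the tag from every affected value; return number of values fixed."""
    fixed = 0
    for (t, c) in scan(con):
        for rowid, v in list(con.execute(f"SELECT rowid, {q(c)} FROM {q(t)}")):
            if v and INJECTED_SCRIPT.search(v):
                con.execute(f"UPDATE {q(t)} SET {q(c)}=? WHERE rowid=?",
                            (INJECTED_SCRIPT.sub("", v), rowid))
                fixed += 1
    con.commit()
    return fixed
```

Run `scan` on a copy of the database before touching anything, since the per-table counts are the evidence of how far the bot got; `clean` only removes the appended tag and does not recover values the bot may have truncated.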

References:

WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites
Reported: 01 January 2008
Occurred: 09 November 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Brazil
  • Country: USA
  • Origin: Russia
  • Outcome: Planting of Malware
  • Vertical: Government

RBN was a big story. It was a hacker group that could operate relatively freely in Russia due to rumored connections in high places, which allowed it to provide safe hosting for malware. To drive people to the malware they penetrated web sites around the world, and the referenced article mentions SQL injection as the method by which they infiltrated more high profile sites such as US government sites.

References:

WHID 2007-81: MSNBC Turkish site caught serving malware
Reported: 01 January 2008
Occurred: 06 November 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Turkey
  • Outcome: Planting of Malware
  • Vertical: Media

Another malware defacement, but this time at a very prominent web site: the MSNBC Turkish edition. There are indications that this is an application layer attack.

References:

WHID 2007-77: HostGator: cPanel Security Hole Exploited in Mass Hack
Reported: 01 January 2008
Occurred: 23 September 2007

Classifications:

  • Attack Method: Known Vulnerability
  • Country: USA
  • Outcome: Planting of Malware
  • Software: cPanel
  • Vertical: Service Providers

Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.

References:

WHID 2007-76: A large web hosting firm inflicted by mass malware installation
Reported: 01 January 2008
Occurred: 23 May 2007

Classifications:

  • Attack Method: Known Vulnerability
  • Country: USA
  • Outcome: Planting of Malware
  • Software: cPanel
  • Vertical: Service Providers

The Washington Post ran a story about a large scale infiltration of IPower, a major hosting provider. According to the story and the comments that followed, it seems that the problem has been plaguing IPower for a long time without being resolved. Compare this with the PlusNet incident, which was serious but swiftly handled and publicly acknowledged by the company.

Actually the problem is so prevalent that a recent StopBadware report lists IPower as by far the most malware-infected hosting company. Reports mention that the problem started as early as mid 2006.

The root cause of the breach here is mentioned as being a vulnerability in either Apache, PHP or cPanel. I have selected the third as being more probable until further evidence materializes.

References:

WHID 2007-75: PlusNet blames itself for webmail spamfest
Reported: 01 January 2008
Occurred: 04 May 2007

Classifications:

  • Attack Method: Misconfiguration
  • Country: UK
  • Outcome: Planting of Malware
  • Outcome: Leakage of Information
  • Vertical: Service Providers

Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites.

This incident is unique since PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real world state of application security. A must read.

References:

WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site
Reported: 19 December 2007
Occurred: 14 December 2007

Classifications:

  • Attack Method: Unknown
  • Country: France
  • Country: Libya
  • Outcome: Planting of Malware
  • Vertical: Government

To iframe or not to iframe, that is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising, and WHID is not the right place to list all of them. We currently report such incidents only if the hacked site is of interest or if the attack method is known.

References:

WHID 2007-59: Hackers jack Monster.com, infect job hunters
Reported: 21 November 2007
Occurred: 20 November 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Planting of Malware
  • Vertical: Internet

A Crimeware iframe tag on a site is not news anymore. On Monster.com it is.

References:

WHID 2007-55: Malicious Code Infects Chinese Security Site
Reported: 07 November 2007
Occurred: 03 October 2007

Classifications:

  • Attack Method: Unknown
  • Country: China
  • Outcome: Planting of Malware
  • Vertical: Media

Defacements are a dime a dozen these days, and are not normally reported by WHID. Even invisible defacements, in which sites are changed in order to infect their visitors with malicious code, are becoming too common. But this time it is the site of a security organization, and not just any one, but China's internet security organization. So in light of the hot debate about China as the source of all hacking, we think that this story has value.

References:

WHID 2007-42: Bank of India seriously compromised
Reported: 03 September 2007
Occurred: 02 September 2007

Classifications:

  • Attack Method: Unknown
  • Country: India
  • Outcome: Planting of Malware
  • Vertical: Finance

This very serious hacking incident provides insight into many of the failures of information security in general and web application security in particular, beyond the simple fact that the web site of the largest state-owned bank in India was invisibly defaced with Trojan-infecting code.

Firstly, the entire discussion in the references is about the Trojan payload, with no word about the vulnerability that led to the defacement. Actually, a reviewer on the SiteAdvisor report gives the green mark to the web site after the Trojan is removed, without requiring any information about the actual problem.

Secondly, most trust systems, including SiteAdvisor, completely fail to detect the breach. This makes me think about those trust models: they check that the site was not breached, while they should check that the site is not vulnerable. I guess the reason is that their primary goal is to detect intentionally malicious sites and not breaches in normative sites, but others use them to assess the level of security of the latter.

References:

WHID 2007-10: Super Bowl Site Hacked with Trojan, Key logger
Reported: 30 March 2007
Occurred: 02 February 2007

Classifications:

  • Attack Method: Unknown
  • Country: USA
  • Outcome: Planting of Malware
  • Vertical: Sports

Hackers penetrated the Dolphin Stadium web site just days before the Super Bowl was held there and modified the home page to include a Trojan-infecting script.

References:

WHID 2007-08: WordPress Backdoor
Reported: 29 March 2007
Occurred: 02 March 2007

Classifications:

  • Attack Method: Other
  • Outcome: Planting of Malware
  • Software: WordPress

A backdoor was planted in a new official release of WordPress, the most popular blogging software in the world. It was available for download for a few days before the backdoor was located.

References:



This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

 
© Copyright 2005, Web Application Security Consortium. All rights reserved.