Contributors
Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update:17 February 2008

View Incident By ID

WHID 2004-17: The CardSystems breach was an SQL Injection hack
Reported: 20 April 2006
Occurred: 01 September 2004

Classifications:

  • Attack Method: SQL Injection

This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever and it caused company share holders, financial institutes and card holders damage of millions of dollars.

But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.

Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

References:


Select an Incident:

1999: 1999-1

2000: , 2000-1, 2000-2, 2000-3, 2000-4, 2000-5, 2000-6

2001: 2001-1, 2001-2, 2001-3, 2001-4, 2001-5, 2001-6

2002: 2002-1, 2002-2, 2002-3, 2002-4

2003: 2003-1, 2003-2, 2003-3, 2003-4, 2003-5, 2003-6, 2003-7, 2003-8, 2003-9

2004: 2004-1, 2004-10, 2004-11, 2004-12, 2004-13, 2004-14, 2004-15, 2004-16, 2004-17, 2004-18, 2004-2, 2004-3, 2004-4, 2004-5, 2004-6, 2004-7, 2004-8, 2004-9

2005: 2005-1, 2005-10, 2005-11, 2005-12, 2005-13, 2005-14, 2005-15, 2005-16, 2005-17, 2005-18, 2005-19, 2005-2, 2005-20, 2005-21, 2005-22, 2005-23, 2005-24, 2005-25, 2005-26, 2005-27, 2005-28, 2005-29, 2005-3, 2005-30, 2005-31, 2005-32, 2005-33, 2005-34, 2005-35, 2005-36, 2005-37, 2005-38, 2005-39, 2005-4, 2005-40, 2005-41, 2005-42, 2005-43, 2005-44, 2005-45, 2005-46, 2005-47, 2005-48, 2005-49, 2005-5, 2005-50, 2005-51, 2005-52, 2005-53, 2005-54, 2005-55, 2005-56, 2005-57, 2005-58, 2005-59, 2005-6, 2005-60, 2005-61, 2005-62, 2005-63, 2005-64, 2005-65, 2005-7, 2005-8, 2005-9, 2007-18

2006: 2006-1, 2006-10, 2006-11, 2006-12, 2006-13, 2006-14, 2006-15, 2006-16, 2006-17, 2006-18, 2006-19, 2006-2, 2006-20, 2006-21, 2006-22, 2006-23, 2006-24, 2006-25, 2006-26, 2006-27, 2006-28, 2006-29, 2006-3, 2006-30, 2006-31, 2006-32, 2006-33, 2006-34, 2006-35, 2006-36, 2006-37, 2006-38, 2006-39, 2006-4, 2006-40, 2006-41, 2006-42, 2006-43, 2006-45, 2006-46, 2006-47, 2006-5, 2006-6, 2006-7, 2006-8, 2006-9

2007: , 2007-01, 2007-02, 2007-03, 2007-04, 2007-05, 2007-06, 2007-07, 2007-08, 2007-09, 2007-10, 2007-11, 2007-12, 2007-13, 2007-14, 2007-15, 2007-16, 2007-17, 2007-19, 2007-20, 2007-21, 2007-22, 2007-23, 2007-24, 2007-25, 2007-26, 2007-27, 2007-28, 2007-29, 2007-30, 2007-31, 2007-32, 2007-33, 2007-34, 2007-35, 2007-36, 2007-37, 2007-38, 2007-39, 2007-40, 2007-41, 2007-42, 2007-43, 2007-44, 2007-45, 2007-46, 2007-47, 2007-48, 2007-49, 2007-50, 2007-51, 2007-52, 2007-53, 2007-54, 2007-55, 2007-56, 2007-57, 2007-58, 2007-59, 2007-60, 2007-61, 2007-62, 2007-63, 2007-64, 2007-65, 2007-66, 2007-67, 2007-69, 2007-70, 2007-71, 2007-72, 2007-73, 2007-74, 2007-75, 2007-76, 2007-77, 2007-78, 2007-79, 2007-80, 2007-81, 2007-82, 2007-83, 2007-84, 2007-85, 2007-86

2008: , 2008-01, 2008-02, 2008-03, 2008-04, 2008-05, 2008-06, 2008-07, 2008-08, 2008-09, 2008-10, 2008-11, 2008-12


This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
 
© Copyright 2005, Web Application Security Consortium. All rights reserved.