'BusinessWeek' site hacked in potential malware attack

Updated at 2:25 p.m. PDT with "BusinessWeek" comment.

Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, a security researcher said on Monday.

It's unclear how long the site has been compromised and there is no evidence that BusinessWeek.com readers have been affected, but also no evidence that they haven't, said Graham Cluley, senior technology consultant at Sophos.

The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek Web site, he said. The executable code in the database links to a Web site with a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.

The Russian Web site is offline right now, but could be put back online at any time, according to Cluley.

The malware was found to be on a section of the BusinessWeek site that offers information about the top companies that recruit from particular MBA programs, he said. The attack would not only put visitors to that section at risk, but also their employer if the computer they are using has corporate data on it, he said.

Sophos contacted BusinessWeek about the security problem last week, but the malicious code is still in the site's database, Cluley said.

A BusinessWeek spokeswoman provided this comment: "Online security is a top priority and, while we continue to investigate the matter, we are confident that our readers' personal information has not been compromised. The attack affected only one application within a specific section of our Web site and that application has been removed. We continue to work to ensure the integrity of our site and to protect it from future illegal and malicious hacking activity."

SQL injection attacks are on the rise primarily because they work; they target Web sites that computer users trust and the attack is stealth so victims usually don't know their computer has been compromised.

Google's Blogger was cited by Sophos this summer as the top malware host site. Sony's PlayStation site was targeted recently and 70,000 sites were found to have been compromised by a massive SQL attack earlier this year.

"SQL injection attacks have been the story of 2008," Cluley told CNET News. "This is one of the major security problems affecting the Internet today. We discover a new infected Web page every five seconds. That's three times worse than the rate last year."

Typically, organized crime gangs are behind the attacks, attempting to snag bank data to use for identity fraud, he said. They sell credit card and bank account numbers and passwords on underground forums and auction sites. Buyers use the data for online transactions or to create fake credit cards.

Cluley has more details and a video explaining the attack on his blog.

[Penguinisto]

1) Sanitze your data inputs.

2) Sanitize your data inputs.

3) See 1 and 2.

[mbenedict]

Wrong answer Penguinsto.

Developers write more and more sophisticated sanitizing code yet hackers keep on finding more clever ways to bypass them. We've gone from simple filtering to blacklisting to whitelisting to blacklisting again and (now) back to whitelisting again as the "latest" buzzword.

Yet if application simply used binding variables in Prepared Statements, for example, then 99.999% of these SQL Injection issues would have been solved even with no input validation.

But a lot of developers don't even know what Prepared Statements are or how to use them, which just boggles my mind.

Penguinisto's glib answer also reveals another key security concept developers just don't get: defense in depth. They keep using the same sanitizing routines everywhere, without thinking that once ONE routine is bypassed, the ALL of them are effectively bypassed.

[The_Decider]

SQL injection is just as easy to avoid as buffer overflows. To this day security is not focused on that much in school and even less in interviews. These "programmers" (API monkeys is more accurate) think that managed code will save them so continue to ignore security. Most, not all, security flaws could have been avoided if the programmer had real training in security and that the companies that hire them enforce security best practices as rabidly as they enforce where to put curly braces.

The only thing that these attacks prove is that too many unqualified people write software for a living. It is time to license programmers and hold them and their companies responsible for their errors. Software writers and companies don't care because the public has let them evade responsibility.

Yes, I can say this even though I am a graduate computer science student who writes lots of production code but mainly am focused on networks and security. Getting paid to hack into systems and abuse their employees via social engineering > programming.