SQL attacks lobs onto pro tennis site
- 02 July, 2008 11:52
Visitors to the Association of Tennis Professionals Web site have potentially been infected with spyware after apparent lax security allowed a malicious script to be injected across its pages.
The SQL injection attack acts as a conduit for spyware and trojans to be downloaded to victims' machines.
While the manner of attack is nothing new, Microsoft's Technet warned it has detected an increase in the type of attack on Web sites using Microsoft ASP and ASP.NET.
It attributes the vulnerability to poor Web application security practices, rather than product flaws.
"These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," the site reads.
"When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine."
Sophos principal virus researcher Fraser Howard said the attack, which commenced in June, sought to capitalise on the popularity of this year's Wimbledon grand slam.
"The hackers responsible for this attack don't care what sites they infect, so long as there is a stream of potential victims likely to surf across the Net, straight into their trap. The ATP website is just one of many sites to have been exploited by hackers trying to steal information from innocent internet users," Howard said.
"With the Wimbledon tournament taking place at the moment, the ATP website will be receiving a spike in visitors - but any tennis fan visiting the infected pages on the site risks being served straight into a crook's criminal racket."