It’s stunning to see how many websites are still vulnerable to SQL Injection attacks. Many SQL Injection worms are circulating right now and are dropping malicious code into thousands of databases. Even major sites are vulnerable to this type of attack. BusinessWeek, the world-class magazine, was a victim of this kind of attack last September.
From the article at Net-Security:
Folks from Sophos have discovered that the website of BusinessWeek, the world famous weekly magazine, has been attacked by hackers in an attempt to infect its readership with malware.
Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server.
At the time of writing, the code injected into BusinessWeek’s website points to a Russian website that is currently down and not delivering further malicious code. However, it could be revived at any time, infecting hundreds of MBA students looking for high-earning jobs. Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.
This goes to show you that, if you are the developer of an internet-facing website (or an intranet, for that matter), you need to commit to hardening it against this kind of threat. Everyone should adopt secure coding practices, because no site will be spared. More and more we will see automated SQL Injection attacks carried out by crawlers, worms and bots.
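The secure coding practice that stops this class of attack is to never build SQL statements by pasting user input into a string, and to pass values to the database as bound parameters instead. The example below is added here to illustrate that and is not code from the original post or from BusinessWeek; it uses Python's built-in sqlite3 module with a small in-memory table of constructed sample rows, and the function and table names are my own. The same lookup is written twice, once with string concatenation and once with a parameterised query, so the difference in behaviour on a quoted input can be seen directly.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with sample page rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [
            ("mba-jobs", "Where MBA students find employers"),  # constructed sample row
            ("about", "About this site"),                       # constructed sample row
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """The anti-pattern: user input is interpolated straight into the SQL text.

    A single quote in `slug` ends the string literal, so the rest of the
    input becomes part of the statement and the WHERE clause no longer
    means what the developer intended.
    """
    sql = f"SELECT body FROM pages WHERE slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """The fix: a parameterised query.

    The statement text is fixed; the driver sends `slug` as a bound value,
    so quotes inside it are just data and can never change the query.
    """
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


if __name__ == "__main__":
    db = make_db()
    # A quoted input that breaks out of the string literal in the vulnerable version.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns no rows
```

With a normal slug both functions return the same row; with the quoted input the concatenated version returns the whole table while the parameterised one returns nothing, which is the behaviour a code reviewer should look for when auditing database access code. Note that sqlite3's `execute()` refuses to run more than one statement at a time, so this demo does not reproduce the stacked UPDATE that a worm uses to write script tags into every text column; the fix, binding parameters rather than concatenating, is the same in both cases.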