What is a SQL injection attack?
You may not know what a SQL injection (SQLI) attack is or how it works, but you definitely know about the victims. Target, Yahoo, Zappos, Equifax, Epic Games, TalkTalk, LinkedIn, and Sony Pictures—these companies were all hacked by cybercriminals using SQL injections.
A SQLI is a type of attack by which cybercriminals exploit software vulnerabilities in web applications for the purpose of stealing, deleting, or modifying data, or gaining administrative control over the systems running the affected applications.
Cybersecurity researchers regard the SQLI as one of the least sophisticated, easy-to-defend-against cyberthreats. Malwarebytes Labs ranked SQLI as number three in the The Top 5 Dumbest Cyber Threats that Work Anyway, citing the fact that SQLI is a known, predictable attack with easily implemented countermeasures. SQLI attacks are so easy, in fact, attackers can find vulnerable websites using advanced Google searches, called Google Dorking. Once they've found a suitable target, SQLI attackers can use automated programs to effectively carry out the attack for them. All they have to do is input the URL of the target site and watch the stolen data roll in.
And yet SQLI attacks are commonplace and happen every day. In fact, if you have a website or online business, cybercriminals have likely tried using the SQLI to try and break into your website already. One study by the Ponemon Institute on The SQL Injection Threat & Recent Retail Breaches found that 65% of the businesses surveyed were victims of a SQLI-based attack.
Frequently targeted web applications include: social media sites, online retailers, and universities. Small-to-medium sized businesses are especially vulnerable as they are often not familiar with the techniques cybercriminals use in a SQLI attack and, likewise, don't know how to defend against such an attack.
With that, let's take the first step in defending against a SQL injection by educating ourselves on the topic. Here's your primer on SQL injections.
“A SQLI is a type of attack by which cybercriminals exploit software vulnerabilities in web applications for the purpose of stealing, deleting, or modifying data, or gaining administrative control over the systems running the affected applications.”
How does a SQL injection work?
Developed in the early 70s, SQL (short for structured query language) is one of the oldest programming languages still in use today for managing online databases. These databases contain things like prices and inventory levels for online shopping sites. When a user needs to access database information, SQL is used to access and present that data to the user. But these databases can also contain more sensitive and valuable data like usernames and passwords, credit card information, and social security numbers. This is where SQL injections come into play.
Put simply, a SQL injection is when criminal hackers enter malicious commands into web forms, like the search field, login field, or URL, of an unsecure website to gain unauthorized access to sensitive and valuable data.
Here's an example. Imagine going to your favorite online clothing site. You're shopping for socks and you're looking at a Technicolor world of colorful socks, all available with a click of your mouse. The wonders of technology! Every sock you see exists in a database on some server somewhere. When you find a sock you like and click on that sock, you're sending a request to the sock database, and the shopping site responds with the information on the sock you clicked. Now imagine your favorite online shopping website is constructed in a slipshod manner, rife with exploitable SQL vulnerabilities. A cybercriminal can manipulate database queries in such a way that a request for information about a pair of socks returns the credit card number for some unfortunate customer. By repeating this process over and over again, a cybercriminal can plumb the depths of the database and steal sensitive information on every customer that's ever shopped at your favorite online clothing site—including you. Taking the thought experiment even further, imagine you're the owner of this clothing site. You've got a huge data breach on your hands.
One SQLI attack can net cybercriminals personal information, emails, logins, credit card numbers, and social security numbers for millions of consumers. Cybercriminals can then turnaround and sell this personal info on the gloomiest corners of the dark web, to be used for all kinds of illegal purposes. Stolen emails can be used for phishing and malspam attacks. Malspam attacks, in turn, can be used to infect victims with all kinds of destructive malware like ransomware, adware, cryptojackers, and Trojans (e.g. Emotet), to name a few. Stolen phone numbers for Android and iOS mobile devices can be targeted with robocalls and text message spam.
Stolen logins from social networking sites can even be used to send message spam and steal even more logins for additional sites. Malwarebytes Labs previously reported on hacked LinkedIn accounts being used to spam other users with InMail messages containing bad URLs spoofed, or faked, to look like a Google Docs login page by which cybercriminals could harvest Google usernames and passwords.
“A cybercriminal can manipulate database queries in such a way that a request for information about a pair of socks returns the credit card number for some unfortunate customer.”
What is the history of SQL injections?
The SQL injection exploit was first documented in 1998 by cybersecurity researcher and hacker Jeff Forristal. His findings were published in the long running hacker zine Phrack. Writing under the moniker Rain Forest Puppy, Forristal explained how someone with basic coding skills could piggyback unauthorized SQL commands onto legitimate SQL commands and pull sensitive information out of the database of an unsecured website. When Forristal notified Microsoft about how the vulnerability impacted their popular SQL Server product, they didn't see it as a problem. As Forristal put it, "According to them [Microsoft], what you're about to read is not a problem, so don't worry about doing anything to stop it."
What makes Microsoft's lackadaisical response so shocking is many industries and institutions seriously depended (then and now) on the company's database management technology to keep their operations running, including retail, education, healthcare, banking, and human resources. This leads us to the next event in the SQLI history timeline—the first major SQLI attack.
In 2007, the biggest convenience store chain in the United States, 7-Eleven, fell victim to a SQLI attack. The Russian hackers used SQL injections to hack into the 7-Eleven website and use that as a stepping stone into the convenience store's customer debit card database. This allowed the hackers to then withdraw cash back home in Russia. All told, the culprits made off with two million dollars, as Wired magazine reported.
Not all SQLI attacks are motivated by greed. In another noteworthy example from 2007, cybercriminals used SQLI to gain administrative control over two US Army-related websites and redirect visitors to websites with anti-American and anti-Israeli propaganda.
The 2008 MySpace data breach ranks as one of the largest attacks on a consumer website. Cybercriminals stole emails, names, and partial passwords of almost 360 million accounts. And this is why we don't reuse passwords from one site to the next.
The title for most egregious lack of security goes to Equifax. The 2017 Equifax data breach yielded extremely personal information (i.e., names, social security numbers, birth dates, and addresses) for 143 million consumers. For an organization that acts as the gatekeepers of information for every single American, except those living off the grid, you'd think they would take precautions against a basic SQLI attack. Before the data breach occurred, a cybersecurity research firm even warned Equifax they were susceptible to a SQLI attack, but the credit bureau took no action until it was too late.
In what ranks as the creepiest hack in history, a 2015 SQLI attack on toy manufacturer Vtech led to a breach of nearly five million parents and 200,000 children. Speaking with Motherboard, the online multimedia publication, the hacker responsible claimed they had no plans for the data and did not publish the data anywhere online. Conversely, the hacker also explained that the data was very easy to steal and someone else could have gotten to it first. Cold comfort indeed.
Moving forward to today, the SQLI attack is still a thing. Every three years the Open Web Application Security Project (OWASP) ranks the Top 10 Most Critical Web Application Security Risks. In the most recent 2017 edition, the SQLI attack ranked as number one.
Beyond the longevity of the SQLI attack, what's interesting is that SQLI attacks haven't changed or evolved in any way. SQLI attacks work and will continue to work until people change their attitudes about cybersecurity. Be that change.
News on SQL injections
- What is a honeypot? How they are used in cybersecurity
- Interview with a bug bounty hunter: Youssef Sammouda
- A zero-day guide for 2020: Recent attacks and advanced preventive techniques
- Vulnerabilities in financial mobile apps put consumers and businesses at risk
- How to secure your content management system
- Explained: SQL injection
- OWASP top ten – Boring security that pays off
- The top 5 dumbest cyber threats that work anyway
How do SQL Injections affect my business?
As reported in our Cybercrime Tactics and Techniques report, cyberattacks (of all kind) on businesses went up 55% in the second half of 2018, while attacks on individual consumers rose only 4%. The stats are not surprising. Businesses with crummy security present criminals with a soft target, holding a treasure trove of valuable data worth millions.
Conversely, a business at the center of a data breach can expect to pay out millions. An IBM study found the average cost of a data breach, including remediation and penalties, to be $3.86 million. The LinkedIn data breach mentioned previously ended up costing the business networking site $1.25 million in an out-of-court settlement.
After their data breach, Target was forced to pay the largest amount on record—$18.5 million—to settle investigations brought on by multiple states. This was in addition to the $10 million Target paid to settle a class action lawsuit brought on by consumers.
Granted, these are huge data breaches affecting millions of consumers. However, small-to-medium sized businesses can still expect to payout $148 for each stolen consumer record.
The moral of the story? Take your security seriously and avoid being a "Target" for cybercriminals.
How can I protect against SQL injections?
All this hand wringing aside, you're here because you know SQL injections are a serious threat. Now, let's do something about it. Here's some tips for protecting your business against SQL injection attacks.
Update your database management software. Your software is flawed as it comes from the manufacturer. This is a fact. There's no such thing as bug-free software. Cybercriminals can take advantage of these software vulnerabilities, or exploits, with a SQLI. You can protect yourself by just patching and updating your database management software.
Enforce the principle of least privilege (PoLP). PoLP means each account only has enough access to do its job and nothing more. For example, a web account that only needs read access to a given database shouldn't have the ability to write, edit or change data in any way.
Use prepared statements or stored procedures. As opposed to dynamic SQL, prepared statements limit variables on incoming SQL commands. In this way, cybercriminals can't piggyback malicious SQL injections onto legitimate SQL statements. Stored procedures similarly limit what cybercriminals are able to do by storing SQL statements on the database, which are executed from the web application by the user.
Hire competent, experienced developers. SQLI attacks often result from sloppy coding. Let your software developers know in advance what you expect as far as security is concerned.
What if my personal information was stolen in a data breach? You should take a look at our data breach checklist. There you'll learn all about cleaning up and staying safe after a SQLI attack data breach impacts you.
Visit OWASP. The Open Web Application Security Project, OWASP for short, is the leading authority on web applications and they have lots of additional reading on how to prevent SQL injections.
And if you just can't get enough SQL injection in your life, visit the Malwarebytes Labs blog for all the latest happenings in the world of cyberthreats and cybersecurity.