In 2008, web attackers unleashed a new type of SQL injection attack that successfully compromised more than 500,000 web sites, according to the Web Hacking Incidents Database (WHID) 2008 Annual Report. Marking a major event for the web application security landscape, the report found that SQL injection attacks planting malware on target web sites was the number one security attack for online criminals last year.

The WHID 2008 report also noted a shift in attack methodology in which hackers focused more on a web site’s large customer base in 2008, instead of targeting sensitive information within the web site’s database. This attack method turns a web site into a malware launching point when legitimate users visit the site. The report highlights one important factor – the unknown. Twenty-nine percent of the incidents were reported without specifying the attack method. This lack of attack vector confirmation may be attributed to a combination of two main factors: lack of visibility of web traffic and resistance to public disclosure.

The 2008 WHID report identified multiple hacking-for-profit mechanisms. In fact, 19 percent of attacks were aimed at stealing personal information. Traded easily on the Internet, personal records are the easiest virtual commodity to exchange for money. In addition, the report found that criminals also exploited web sites for financial gain via planting malware and phishing, which comprised 16 percent and 5 percent of attacks in 2008, respectively.

The WHID report found that financial gain is not the only motivation for online attacks. The number one attack goal in 2008 was web site defacement. Used primarily to target political parties, candidates and government departments, ideologists often defaced a web site with a very specific message related to a campaign.

Corresponding with the ideology driven defacement noted in 2008, the WHID report also found that “Government, Security and Law Enforcement,” at 32 percent, was the top vertical market targeted by attackers. Internet-related organizations topped the list on the commercial side, including retail shops comprising mostly e-commerce sites, media companies and pure internet services such as search engines and service providers. In addition, financial institutions rose sharply in 2008 moving up to fourth place.

“The 2008 WHID report findings prove that no company or market sector is immune from attack. Even organizations with no financial data to lose can become victims of defacement,” said Ryan Barnett, WASC Member and WHID Project Leader. “The rules of web application security are changing and a top-ranked web application security provider can protect organizations against the latest threats to their online security.”

Download the full report