How did an Austrian teenager who's confessed to hacking nearly 260 websites in a three-month period do it? Simple: By using state-of-the-art, highly automated tools designed for testing vulnerabilities, or, in the hands of an attacker, taking advantage of them.
"What makes the Austrian incident interesting is the speed and effectiveness of the hacks," said Rob Rachwald, director of security strategy at Imperva, in a blog post. "How was it achieved? Automation."
When it comes to online exploits, automation can be an attacker's best friend. Indeed, crimeware toolkits such as SpyEye and Zeus have enabled people with minimal computer experience to profit handsomely from cybercrime. That's because the tools automate the otherwise laborious process of creating hard-to-spot malware designed to find and steal sensitive personal information such as bank account numbers and passwords and to press infected PCs into the service of a botnet.
Now, similar levels of automation are being applied to create more advanced website hacking tools. "Automated hacks are not new. However, recently, we have noticed increased sophistication," said Rachwald. That's especially true, he said, when it comes to tools for exploiting SQL injection flaws, as well as for local and remote file inclusion (LFI/RFI) attacks. Notably, an Imperva study of attacks against 40 Web applications in the second half of 2011 found that 21% used RFI/LFI.
According to Rachwald, greater attack tool sophistication can create worrisome attack volume capabilities. "Automation is a key indicator that someone wishes to achieve an economy of scale," he said.
For example, consider the Austrian hacker, who police said has admitted to exploiting 259 sites in 90 days, an average of roughly three websites per day. Mag Loschl Leopold, director of Austria's Office of Federal Crime, said in a statement that the teenager had conducted website reconnaissance to catalog bugs in Web applications and Internet-connected databases, then returned to those sites to exploit them. News reports said he appeared to be participating in a website contest that ranked hackers based on their exploits, and that he also defaced some exploited sites with pro-Anonymous messages.
How can companies defend themselves against hacktivists, criminals, or anyone else wielding automated website attack tools? For starters, they can devote more of their security budget to finding SQL injection flaws, LFI/RFI vulnerabilities, and cross-site scripting flaws.
In fact, those were the three attack techniques most favored by the LulzSec gang during its 2011 website exploit spree, according to leaked LulzSec IRC chat logs.
Automated attacks may also display telltale signs that organizations can use to help spot and block such attacks while they're in progress. According to a report from Imperva released this week, many SQL injection attacks stand out due to their rate of attack, since through automation they'll be operating at "inhuman speeds." In addition, some attacks lack--or use non-standard--HTTP headers, so businesses should treat these with suspicion.
Two popular SQL injection testing tools--which are also used to attack websites--actually announce their presence. For example, sqlmap and Havij send requests with a user agent containing "sqlmap" and "Havij", respectively, according to Imperva's report. Interestingly, Imperva said that in a review of the SQL injection attacks it saw in the first three months of 2012, 4.6% listed "sqlmap" in the HTTP User-Agent header field, while 3.8% listed "havij".
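The three signals described above (inhuman request rates, missing User-Agent headers, and tool names such as "sqlmap" or "Havij" in the User-Agent) are easy to check for in web server logs. The following script is an added illustration, not code from the article or from Imperva; it assumes a simplified, constructed access-log format (timestamp, client IP, method, path, quoted User-Agent) and a burst threshold of ten requests from one IP within a single second, both of which are assumptions rather than values taken from the report.

```python
import re
from collections import Counter

# Markers named in the article as appearing in the User-Agent header of the two tools.
TOOL_AGENT_MARKERS = ("sqlmap", "havij")

# Assumed log format (hypothetical): "<ISO timestamp> <client IP> <method> <path> "<User-Agent>""
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')


def build_sample_log():
    """Constructed sample log, not real traffic: one ordinary browser request,
    a burst of 12 requests in one second from a host whose User-Agent names sqlmap,
    one Havij-style request, and one request that sends no User-Agent ("-")."""
    lines = [
        '2012-03-01T10:00:00 203.0.113.5 GET /products.php?id=7 '
        '"Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"'
    ]
    for i in range(12):
        lines.append(
            f'2012-03-01T10:00:01 198.51.100.7 GET /products.php?id=7%20AND%20{i}={i} '
            '"sqlmap/1.0-dev (http://sqlmap.org)"'
        )
    lines.append('2012-03-01T10:00:02 192.0.2.9 GET /products.php?id=7%27 '
                 '"Mozilla/4.0 (compatible; MSIE 6.0; Havij)"')
    lines.append('2012-03-01T10:00:03 192.0.2.10 GET /products.php?id=7 "-"')
    return "\n".join(lines)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, burst_threshold=10):
    """Apply the three detection signals to a log and return the offending client IPs.

    burst:         IPs that sent >= burst_threshold requests within one second
    tool_agent:    IPs whose User-Agent contains a known tool marker
    missing_agent: IPs that sent an empty or "-" User-Agent
    """
    tool_agents, missing_agent = set(), set()
    per_second = Counter()  # (ip, timestamp-to-the-second) -> request count
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real deployment would count these separately
        ua = rec["ua"]
        if ua in ("", "-"):
            missing_agent.add(rec["ip"])
        elif any(marker in ua.lower() for marker in TOOL_AGENT_MARKERS):
            tool_agents.add(rec["ip"])
        per_second[(rec["ip"], rec["ts"])] += 1
    burst = {ip for (ip, ts), n in per_second.items() if n >= burst_threshold}
    return {
        "burst": sorted(burst),
        "tool_agent": sorted(tool_agents),
        "missing_agent": sorted(missing_agent),
    }


if __name__ == "__main__":
    for signal, ips in analyze(build_sample_log()).items():
        print(f"{signal}: {', '.join(ips) or 'none'}")
```

The burst check keys on the log's timestamp string, so it only works when timestamps carry second resolution; a tool that rotates source addresses or throttles itself would evade it, which is why the User-Agent signals are checked independently rather than only when a burst is seen. A User-Agent string is trivially changed by an attacker, so a hit on a tool marker is a high-confidence but low-coverage signal and the absence of one proves nothing.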
Finally, unlike targeted attacks, automated attacks tend to be launched against a large number of sites over a short period of time, meaning that better attack intelligence and information sharing could help organizations spot these types of attacks as they're happening.