As reported by The Register IT news portal, a number of smaller websites have been hacked using an SQL injection attack that plants obfuscated links to malware-infected pages. The hack apparently also affected two Apple websites used to promote its iTunes podcasts.
Besides the Apple sites, the news service says that at least 538 000 “mom-and-pop” websites have been victimized by the hack, in addition to 500 000 more that appear very similar but point to different domains.
The attack exploits vulnerabilities in web applications that fail to distinguish legitimate user input, such as search queries, from malicious code embedded in that input.
The Register reported that the malware-infected links have been removed from the Apple pages since Google last indexed those pages earlier this month.
The attack underlines the need for companies to go the extra mile and secure external web-facing applications, said Rob Horton, operational director at security testing consultancy NCC Group.
“The complexities of SQL mean that there are a number of techniques that attackers can use to bypass filters and application firewalls, as seen in this instance”, Horton added. “Relying on these alone is not enough, and the best defense is to ensure that the underlying application is sufficiently robust.”
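As an added illustration of Horton's point (example code written for this page, not from the article or any of the affected sites), the three search handlers below run against a constructed in-memory podcast table: one splices the search term into the SQL text, one relies on a quote-stripping filter before splicing, and one binds the term as a parameter so the database never parses it as SQL. A legitimate search for a title containing an apostrophe is enough to show why only the last is robust.

```python
import sqlite3

# Constructed sample catalogue; titles are illustrative, not Apple's data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE podcasts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO podcasts (title) VALUES (?)",
                     [("Security Now",), ("O'Reilly Radar",), ("Risky Business",)])
    conn.commit()
    return conn

def search_concat(conn, term):
    """Vulnerable: the term becomes part of the statement text, so any quote
    or SQL syntax inside it is parsed by the database as SQL."""
    sql = "SELECT title FROM podcasts WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_filtered(conn, term):
    """Filter-only mitigation: strips quotes, then still concatenates.
    The query no longer breaks, but legitimate input is silently mangled."""
    cleaned = term.replace("'", "")
    sql = "SELECT title FROM podcasts WHERE title LIKE '%" + cleaned + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_param(conn, term):
    """Robust: the term is bound as a parameter, so the database treats it
    purely as data regardless of what characters it contains."""
    return [row[0] for row in conn.execute(
        "SELECT title FROM podcasts WHERE title LIKE ?", ("%" + term + "%",))]

def demo(term="O'Reilly"):
    """Run the same search term through all three handlers."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = search_concat(conn, term)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal: input parsed as SQL.
        results["concat"] = "SQL error: " + str(exc)
    results["filtered"] = search_filtered(conn, term)   # [] : title never matches
    results["param"] = search_param(conn, term)         # ["O'Reilly Radar"]
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated handler fails on a plain apostrophe, which is the same property an injection abuses; the filtered handler stops the error but breaks the search, while the parameterized handler is correct for every input.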