Repubblica.it (the second-largest Italian daily newspaper by circulation) interviewed Matteo Meucci (OWASP-Italy chair) about the large-scale SQL injection attack that has hit a hundred thousand websites since last December 10th, injecting malicious iframes to install a backdoor Trojan on users' clients.
Read the article.
It's very important to outline that SQL Injection attacks can be used directly to steal credit card data if the affected site is an e-commerce site.
Many online shops have the payment gateway configurations stored inside the database. An attacker could modify this information via SQL injection, of course, and then route the billing requests to his evil payment proxy. Hey, this is not a phishing attack, just a trick to transparently sniff the user data.