Imperva, a Web security firm, took a look at the most discussed hacking techniques during the month of October and analyzed one of the largest hacker forums and other smaller outlets. According to the research, there’s cause for concern given that security services aren’t focused enough on many of the new trends in hacking that Imperva has uncovered.
Both newbies and elite hackers are thriving in online communities that revolve around teaching and talking about hacking the Web. At the same time, security professionals are looking for these perpetrators in all the wrong places. “There’s a mismatch between what hackers are doing and what security professionals are doing,” Rob Rachwald, Director of Security Strategy at Imperva, tells us.
What Imperva found was an increase in conversations about SQL injections, which tied with DDoS as the most discussed topic in these hacker forums. Rachwald says the company scraped 19 forums, and that the largest hacker forum that Imperva scraped keywords from hosts 250,000 users. We asked him what site it was, and he declined to name names, but judging from the screenshots published in the report, and thanks to some personal lurking on the forum, we’re certain that the site is Hackforums.net.
You can compare the screenshot provided below with the forum’s website for yourself:
SQL injections specifically are an alarming trend that few security professionals are recognizing. “Ironically, of the $25 billion spent on software security, we believe this means less than five percent of security budgets is allocated to products that cannot even recognize SQL injection attacks – let alone stop them,” the report states. DDoS is, not surprisingly, a popular method, as it’s a relatively elementary tactic popularized by none other than Anonymous. On a mass scale, it has been extremely effective, as each “hacker” can simply press a button on downloaded software to send a denial-of-service attack to take down Websites.
SQL injections, on the other hand, require knowledge of SQL: a hacker inputs SQL code that was not intended to be run in order to retrieve pieces of data from a website. But despite the complexity of the technique, there’s been a noticeable increase in the conversation around them, which Imperva picked up on. So where does this sudden interest come from? “Anonymous has brought hacking to the forefront of people’s minds and it’s potent,” Rachwald explains. He adds that there are people with a lot of time on their hands to learn the ropes.
There is also financial motivation. If you’ve visited a hacking site like Hackforums.net in the past, you’ll know the forum is a hub for everything from transactions in hacked Twitter accounts to AMAs and Q&As by hackers, and even tutorials for beginners. Of course there are also plenty of hackers looking for their next job, offering to hack email, IM, social media, and other Web accounts. Not everyone is like Anonymous: Some are in it to make a living, not just for the lulz.
SQL injections take this a step further by giving hackers unprecedented access to very private data, like bank accounts and social security numbers. “Data has value in black markets. There’s a financial system in place that supports the theft of data,” says Rachwald, meaning that the community is focusing on making money from their hacking exploits. There are many forum topics on “Making Money,” where threads are populated by users exchanging ideas on how to make their next quick buck. Rachwald points out the latest highly publicized SQL injection attack in South Carolina that exposed the Social Security numbers of the attack’s victims.
SQL injections aren’t the only trending topics of discussion in hacker-oriented forums. Social networks are becoming increasingly vulnerable to attacks, while “E-whoring,” or “the practice of selling pornographic content, while pretending to be the person, usually a female” is becoming more of a nuisance.
For instance, last year scammers were “selling” luxury cars on a website and illicitly gained credibility by adding hundreds of thousands of followers on the website’s Facebook page. Potential shoppers would assume that due to the volume of “Likes,” the company was legitimate. In reality, the scammers were purchasing likes and selling cars online that never existed in the first place.
The report should be concerning, considering that learning the ropes of SQL injections, DDoS, social media scams, and hundreds of other strategies can be done by anyone with access to the Internet. It’s beyond easy to get your hands on elementary guides to SQL injections and various other hacking strategies that these communities are more than willing to share. Unfortunately for the security side, Rachwald says, they’re investing their efforts in all the wrong places to combat the growing popularity of new and innovative hacks.