A US grand jury this week indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers.
Gonzalez, is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit cards from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Companies Inc. Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
Court documents filed in connection with Monday's indictment spelled out how Gonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailer's networks.
In SQL injection attacks, malicious hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online.
An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide an SQL injection opportunity.
The vulnerability is well understood and security analysts have warned retailers about it for several years. Yet, a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites these days.
"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that does security and compliance assessments for some of the largest retailers in the world. "Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, he said.
Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode Inc., a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, Wysopal said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.