SQL Injection Attacks Rise as Hackers Go for the Money

Hacking used to be a much more honorable ‘profession’ back in the good old days, when spotty-faced teenage geeks would compete with each other to see how many websites they could deface with flashing messages like “H@X0rs Rulez”.

But those days are long gone, and hacking has become an altogether shadier activity, with one goal in mind – to steal data and use it to make money.

This much is clear following a huge increase in the number of SQL injection attacks on websites today, as reported by FireHost last month. According to the web hosting provider, the number of such attacks on its clients’ websites rose by a staggering 69% in the last three months.

Hackers are able to obtain secure data, including passwords and extremely valuable credit card information, from websites by feeding crafted input into a site’s interface so that its SQL database executes their commands, and according to FireHost such attacks are quickly becoming the professional hacker’s weapon of choice.

FireHost revealed that while cross-site scripting and directory traversal attacks (both of which are considered to be ‘easier’ to perform) remain the most popular methods of gaining access to secure data, SQL injection is fast catching up, with the number of instances jumping from 277,770 confirmed attacks in the first quarter of this year, to 469,983 in the second quarter.

Despite being harder to pull off, SQL injection attacks have the potential to cause havoc when the hackers do succeed, often grabbing headlines for the sheer number of users they can harm, such as when 450,000 Yahoo Voices passwords were compromised last month, or when LulzSec hacked into Sony in June.

Another big issue with SQL injections is that they are very hard to detect – unless they’re advertised – meaning that hackers can very often obtain credit card data and steal money, and the victims will never know how it happened.


FireHost warns that the number of SQL attacks is likely to rise, and so the responsibility falls on the shoulders of webmasters to ensure that they do not become a victim. Attacks are not easy to detect, but there are a number of warning signs that webmasters can look out for, including a high incoming request rate, suspiciously high levels of traffic from unexpected countries (like China, Indonesia, etc.), and also ‘fingerprints’ such as specific strings in generated SQL fragments used in SQL injection, which are left behind in traffic records following an attack.
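Two of those warning signs, SQL fingerprints in traffic records and a high request rate from one source, can be checked with a short log scan. The following is an added example, not code from FireHost or this article; the log lines, the fingerprint list and the rate threshold are constructed assumptions, and the country check is left out because it needs a GeoIP database the article does not name.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic; documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2012:10:01:02 +0000] "GET /item?id=5 HTTP/1.1" 200 512
198.51.100.9 - - [12/Jul/2012:10:01:03 +0000] "GET /item?id=5%20UNION%20SELECT%20name,pass%20FROM%20users HTTP/1.1" 200 9120
198.51.100.9 - - [12/Jul/2012:10:01:04 +0000] "GET /item?id=5'+OR+1=1--+ HTTP/1.1" 200 8841
198.51.100.9 - - [12/Jul/2012:10:01:05 +0000] "GET /item?id=5%20AND%20SLEEP(5) HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2012:10:02:10 +0000] "GET /search?q=select+a+union+rep HTTP/1.1" 200 700
""".splitlines()

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:\S+) (?P<url>\S+)[^"]*"')
FINGERPRINTS = {  # assumed starter list; patterns are lower-case, applied after decoding
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "tautology": re.compile(r"\bor\s+'?\d+'?\s*=\s*'?\d+"),
    "time-delay": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "schema-probe": re.compile(r"\binformation_schema\b"),
}

def normalise(url):
    """Undo up to three layers of percent-encoding (catches double encoding), then lowercase."""
    for _ in range(3):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def scan(lines, rate_limit=100):
    """Return (fingerprint hits, {(ip, minute): count} above rate_limit) for access-log lines."""
    hits, per_minute = [], Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        per_minute[(m["ip"], m["ts"][:17])] += 1  # first 17 chars = day/month/year:hour:minute
        text = normalise(m["url"])
        hits.extend((m["ip"], name, m["url"])
                    for name, rx in FINGERPRINTS.items() if rx.search(text))
    noisy = {key: n for key, n in per_minute.items() if n > rate_limit}
    return hits, noisy

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE_LOG, rate_limit=2)
    for ip, name, url in hits:
        print(f"fingerprint {name:12} {ip} {url}")
    print("high-rate sources:", noisy)
```

A fingerprint hit is a lead for review rather than proof of compromise; the benign `/search` request in the sample shows that ordinary words such as "select" and "union" do not trigger a match on their own.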

Blocking attacks isn’t easy, but it’s becoming clear that hacking simply to deface a website is no longer the main motive, and any website that falls victim to this kind of attack could easily see its credibility destroyed.

Mike Wheatley



  1. OP: “Hacking used to be a much more honorable ‘profession’ back in the good old days, when spotty-faced teenage geeks would compete with each other to see how many websites they could deface with flashing messages like “H@X0rs Rulez”.”
    I -resent- resemble that remark.

  2.  @rizzn  Same here, I know that I long left dead and beaten the cracker/hacker argument in my mind way back when; but I still do recall the sound and fury between the underground about the difference between someone who studied, engineered, and carefully infiltrated security vs. “skriptkiddies” who just took the tools built by others and ran them from their command line for effect.
    Of course, everything felt a lot more niche then — and the idea of state-sponsored hackers seemed like it would be something from a thriller movie or a science fiction novel.
    Now our science fiction is today.

  3. Great article. What’s amazing is that even though SQL Injection is one of the most well understood attacks, the number of successful SQLi attacks is still increasing at an alarming rate.
    Many people have found these resources helpful from @ntobjectives. There is a one-page SQL Injection cheat sheet that includes the attack strings and commands as well as default usernames and passwords for the five most common databases (Oracle, MySQL, PostgreSQL, MS-SQL and DB2). http://www.ntobjectives.com/go/sql-injection-cheat-sheet/
    They also have a free tool, SQLInvader, which will help users quickly and easily exploit or demonstrate SQL Injection vulnerabilities in web applications.

