The fake scan that surfers saw when exposed to the hack, graphic courtesy of Sophos.
The most common form of the attack is the direct insertion of SQL code into a place where a user enters information, such as a Web form field. If the site pastes that input straight into a database query, hackers can inject SQL commands that the server executes blindly.
Video game fans surfing the PlayStation Web site were shown a pop-up window displaying a fake virus scan in progress, followed by a message that their computer was riddled with viruses and Trojans. The surfer was then offered a fake anti-virus software package for a fee.
Hackers could alter the malicious payload to be even worse, according to Sophos. The attacks are often used to collect personal information in identity theft scams, or to recruit more computers onto a botnet.
SQL injection is an "extremely effective" method of attack that can be easily hidden in the nooks and crannies of Web code, Cluley says. The problem lies in the affected administrators' lack of rigorous checking of their code.
"If they're not doing proper checking, hackers can start to embed and inject code into their database," the consultant explains. "[The database] ends up peppered with small pieces of code calling up third-party Web sites."
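To make concrete both the insertion mechanism described above and the "proper checking" Cluley calls for, here is an added example that is not from the article or from Sophos. It builds a small in-memory SQLite table (the users schema, the account names and the probe string are all constructed for the example) and runs the same lookup three ways: pasting the input into the statement, binding it as a parameter, and binding it after an allow-list check.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's real database; the
# article names no schema, so this users table is an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # The pattern the article describes: the value typed into a form field is
    # spliced into the statement text, so any SQL syntax it carries becomes
    # part of the query the server runs.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # The fix: the value is bound as a parameter. The database receives the
    # statement and the data separately, so the input can only ever be data.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# "Proper checking": an allow-list on the input itself, applied on top of
# parameterization rather than instead of it. The character set is assumed.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def lookup_checked(conn, name):
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected: account name contains characters outside the allow-list")
    return lookup_parameterized(conn, name)

if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a quote that closes the string literal, followed by a
    # condition that is always true. It is data to the safe version, SQL to the other.
    probe = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))     # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # []
```

The same probe string returns every row from the string-built query and nothing from the parameterized one, which is the whole point: the database never sees the attacker's text as syntax. The allow-list check is the second layer; on its own it is easy to get wrong, which is why parameterization is the primary control.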
Such attacks have become so pervasive that Microsoft responded to the SQL Server user community last week with two free tools and a security advisory to help Web admins safeguard against SQL injection.
Here are the tools and tips passed on by Microsoft and Bourne:
Detect: Hewlett Packard has developed a free scanner that can identify whether a Web site is susceptible to SQL injection attacks. HP Scrawlr can be downloaded from the HP Security Center.
Test: Canada-based company Security Compass offers a suite of plug-in tools for the Firefox browser, letting Web developers look for SQL injection vulnerabilities with the click of a button. Download SQL Inject-Me.
Defend: Scrutinize more carefully the HTTP requests arriving at a Web site, since injected SQL commands travel inside them. A Microsoft security tool lets you restrict what Internet Information Services will process, so that harmful requests can be blocked before they ever reach the Web application. Download URLScan Tool 3.0 Beta.
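The request-scrutiny idea in the "Defend" item, as an added example that is not part of the article and is not URLScan or any Microsoft code: a small filter that reads W3C-style web-server log lines, decodes each query-string parameter, and flags values that contain SQL syntax where a plain value belongs. The log lines, the page names and the rule list are all constructed for this example; a real deployment would tune the rules to the application and act on live requests rather than logs.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed log lines in a W3C-style layout (date time method uri-stem
# uri-query status); they are invented for this example, not real traffic.
SAMPLE_LOG = """\
2008-06-26 10:01:02 GET /products.asp id=42 200
2008-06-26 10:01:05 GET /search.asp q=playstation+games 200
2008-06-26 10:01:09 GET /products.asp id=42%27+OR+%271%27%3D%271 200
2008-06-26 10:01:11 GET /news.asp id=7+UNION+SELECT+1-- 200
2008-06-26 10:01:14 GET /index.asp - 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Each rule is a name and a pattern for SQL syntax appearing where a plain
# value belongs. They are deliberately narrow; tune them to the application.
RULES = [
    ("sql_keyword", re.compile(
        r"\b(union|select|insert|update|delete|drop|declare|exec|cast)\b", re.I)),
    ("comment_marker", re.compile(r"--|/\*")),
    ("quoted_tautology", re.compile(r"'\s*(or|and)\s+'?\w*'?\s*=", re.I)),
]

def flag_query(query):
    """Return (param, rule) hits for one raw uri-query field ('-' means none)."""
    if query == "-":
        return []
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; a second pass normalises values that
        # were percent-encoded twice to slip past a filter that decodes only once.
        decoded = unquote_plus(value)
        for name, rx in RULES:
            if rx.search(decoded):
                hits.append((key, name))
    return hits

def suspicious_requests(log_text):
    """Scan log lines; return [(line_no, stem, hits)] for requests with hits."""
    flagged = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, but worth counting in practice
        hits = flag_query(m.group("query"))
        if hits:
            flagged.append((line_no, m.group("stem"), hits))
    return flagged

if __name__ == "__main__":
    for line_no, stem, hits in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {stem} -> {hits}")
```

Two of the five constructed lines are flagged, each with the parameter and the rule that fired, which is the information an administrator needs to decide whether to block the request or tighten the application's own input handling. Decoding before matching matters: a filter that looks only at the raw URL misses the percent-encoded form of the same input.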