SQL Injection is one of the most common security vulnerabilities on the web and is successful only when the web application is not sufficiently secured.
Recently a hacking Group named 'TeamBerserk' claimed on Twitter that, they have stolen $100,000 by leveraging user names and passwords taken from a California ISP Sebastian (Sebastiancorp.com)to access victims' bank accounts.
A video proof
was uploaded on the Internet, shows that how hackers used a SQL
injection attack against the California ISP Sebastian to access their
customers' database includes e-mail addresses, user names and clear
text passwords and then using the same data to steal money from those customers.
Let's see what SQL Injection is and how serious an attack like this actually can be.
SQL Injection is a type of web application
vulnerability in which the attacker adds Structured Query Language
(SQL) code to web inputs to gain access to an organization's resources.
Using this technique, hackers can determine the structure and location
of key databases and can download the database or compromise the database server.
Hackers took just 15 minutes to hack into the website using SQLmap
(Automated SQL Injection Tool) -- stole customers' database and then
immediately accesses the victim's Gmail account, linked PayPal accounts
and Bank accounts also.
It's so hard to remember multiple passwords, some people just use the
same one over and over. Is your Facebook password the same as your
Twitter password? How about the password for your bank's website?
Now the hack explains that this us why it's extremely dangerous to use
the same password on more than one Web site. In the POC video, hacker
randomly chooses one Sebastian username and his relative password
against Paypal, Gmail and even Citibank account logins and seriously
that actually worked, because the victim is using the same passwords for
all websites.
Now that you've control of the
situation, don't let this happen again! If you have a bank account, a
few credit cards, and several other important sensitive accounts,
conduct a thorough security audit on them. Be sure that you know when
you last logged in. Be sure to keep using different and Strong passwords
for each website.
complete article Ref: http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
No comments:
Post a Comment