Hackers Hit BusinessWeek With Malware

BusinessWeek.com, which just last week publicly launched Business Exchange, a kind of social network for readers and industry leaders, has been hit by a SQL injection attack.

Security software vendor Sophos discovered the vulnerability and notified BusinessWeek.

Graham Cluley, senior technology consultant for Sophos, wrote on his blog that hackers tried to infect readership that used part of the site with malware.

“Hundreds of pages on a part of BusinessWeek’s website which offers information about where MBA students might find future employers have been struck by the SQL Injection attack – where a security vulnerability is exploited in order to insert malicious code into the site’s underlying database,” the post said.

Gluley told InternetNews.com that hackers are focusing on SQL injection attacks because “they want to take over your desktop, and companies are protecting their e-mail now, so the other way to get to your desktop is through the browser.”

SQL injection attacks, the most common form of hacker attacks, exploit vulnerabilities on a Website to insert malicious code into the database behind the Website. In BusinessWeek’s case, that code would lead users to a Russian Web site from which malware could be downloaded.

For its part, BusinessWeek.com was tight-lipped about its response, saying only that the malicious application was removed.

“Online security is a top priority and, while we continue to investigate the matter, we are confident that our readers’ personal information has not been compromised,” BusinessWeek spokesperson Patti Straus said in an e-mailed response to requests for comment. She said the attack affected only one application within a specific sector of the Web site.

“We continue to work to ensure the integrity of our site and to protect it from future illegal and malicious hacking activity,” Strauss added.

Getting rid of the link is not enough, Cluley said. “It’s easy to remove the malicious links, but BusinessWeek has to look at their infrastructure and work out how the attackers managed to hack their code or the chances are that, within a number of hours, the site will get reinfected.”

Google Safe Browsing’s diagnostic page for BusinessWeek.com showed that 214 of the 2,157 pages tested on the site downloaded and installed malware on the visitor’s desktop without the user’s consent. However, the problem seems to have been resolved, as Google Safe Browsing’s page said the last time suspicious content was found on this site was on September 11.

Google’s Safe Browsing extension is built into the Google Toolbar and integrated into Mozilla Firefox 2.0. It validates URLs against a frequently updated list of known phishing URLs.

On September 8, BusinessWeek launched Business Exchange, a social network of sorts, which Keith Fox, its president, described as “a clear and unique step into the future of the media industry.” Apart from carrying content from the magazine’s staff, it will pull in aggregated content from other sites, including articles, white papers and videos.

The site lets visitors connect with industry leaders and BusinessWeek staff and other professionals to discuss various issues online. It will also let LinkedIn users access and leverage their personal information using their existing LinkedIn profiles. LinkedIn facilitates professional networking.

Business Exchange is headed by Roger Neal, senior vice president and general manager, who joined the company in 2006 after working with AOL and eBay and founding a company, Productopia, which was a casualty of the dot-com bust in 2000.

How could a site developed by a historied publication with oodles of money and headed by someone with 12 years’ experience with pure Internet companies run into trouble like this? Simple — someone somewhere did not check the code thoroughly, Sophos’s Cluley said.

“Like building any software, you need proper code review,” Cluly added. “SQL injection is becoming such a common hacking technique that any Website developer should be aware of this,” Cluly said.

When this type of attack succeeds against a large organization like BusinessWeek, it is “embarrassing, and shows they haven’t properly hardened their Website,” Cluly said, speculating that the attackers might have come in through a form on the BusinessWeek site which was not properly protected.

According to Cluley, 16,000 Web pages are infected every day, which works out to one every five seconds. Hackers use search engines to locate sites with vulnerabilities, and it was “unfortunate” that they picked up BusinessWeek’s site, he added.

News Around the Web