In 2013 we have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using various techniques including DDoS attack, SQL injection, DNS Hijacking and Zero-Day Flaws.
SQL Injection is one of the most common security vulnerabilities on the web and is successful only when the web application is not sufficiently secured.
Recently a hacking Group named 'TeamBerserk' claimed on Twitter that, they have stolen $100,000 by leveraging user names and passwords taken from a California ISP Sebastian (Sebastiancorp.com)to access victims' bank accounts.
A video proof was uploaded on the Internet, shows that how hackers used a SQL injection attack against the California ISP Sebastian to access their customers' database includes e-mail addresses, user names and clear text passwords and then using the same data to steal money from those customers.
Let's see what SQL Injection is and how serious an attack like this actually can be.
SQL Injection is a type of web application vulnerability in which the attacker adds Structured Query Language (SQL) code to web inputs to gain access to an organization's resources. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.
Hackers took just 15 minutes to hack into the website using SQLmap (Automated SQL Injection Tool) -- stole customers' database and then immediately accesses the victim's Gmail account, linked PayPal accounts and Bank accounts also.
It's so hard to remember multiple passwords, some people just use the same one over and over. Is your Facebook password the same as your Twitter password? How about the password for your bank's website?
Now the hack explains that this us why it's extremely dangerous to use the same password on more than one Web site. In the POC video, hacker randomly chooses one Sebastian username and his relative password against Paypal, Gmail and even Citibank account logins and seriously that actually worked, because the victim is using the same passwords for all websites.