
SQL Injection: How Hackers Use Google to Find Vulnerable Sites

By Andre Luiz R. Silva on

That’s right. Hackers use “simple” Google searches to find vulnerable sites and invade entire systems. This has been going on for a long time and is, in a way, quite simple, and it is still not hard to find victims who were affected through carelessness.

How hackers use Google


The entire scheme begins with a simple Google search. Using so-called “dorks” (refined search-engine queries), they can see which sites leave the most fields visible.

An example of this type of query is:

[Image: hackers-google-sites]

With this query, we can find pages with the php file type (PHP being one of the programming languages used to develop sites) that also have the words “product” and “id” in the URL. You can guess what happens after that, right? A site that leaves this type of data visible may offer openings through which other important information can be found.

But how do hackers invade the sites they find?


After this apparently innocent Google search, the hackers invade the vulnerable sites with the help of a specific program. That program is indeed very simple to find (of course, we blurred the images and masked the illustration) and even has various YouTube tutorials:

[Image: sql-injection-google]

SQL Injection: How does it work?


SQL injection is the name of the intrusion technique used in the scheme. The above-mentioned program applies an “injection” of SQL, which is a database query language. It automatically tries many combinations of input on the URL fields (like those found by the Google search) until the error pages start revealing more information about the site’s database.

In other words, the hack succeeds through breaches and vulnerabilities that offer access to the site’s database. The hacker does not get into the settings panel that the developer has access to, but does reach the place where all the information is stored.
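The flaw described in this section, shown next to its fix, as an added example that is not code from the original article. It uses Python with an in-memory SQLite database as a stand-in for a PHP product page; the table, the handler names and the sample inputs are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory catalogue standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Mug", 0), (2, "T-shirt", 0), (3, "Unreleased item", 1)])
    return db

def product_vulnerable(db, raw_id):
    """Flawed handler: the URL value is pasted straight into the SQL text."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND id = " + raw_id + " ORDER BY id"
    try:
        return 200, [row[0] for row in db.execute(sql)]
    except sqlite3.Error as exc:
        # Echoing the database error is the information leak the article describes.
        return 500, [f"SQL error: {exc}"]

def product_hardened(db, raw_id):
    """Hardened handler: validate the type, bind the value, keep errors generic."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, ["Invalid product id"]
    try:
        rows = db.execute(
            "SELECT name FROM products WHERE hidden = 0 AND id = ? ORDER BY id",
            (int(raw_id),))
        return 200, [row[0] for row in rows]
    except sqlite3.Error:
        # Log the detail server-side; the visitor only sees a generic message.
        return 500, ["Something went wrong"]

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal id, a stray quote, and a tautology.
    for raw in ("1", "1'", "1 OR 1=1"):
        print(repr(raw), product_vulnerable(db, raw), product_hardened(db, raw))
```

With the bound parameter the value can never change the structure of the query, and the generic error page gives an automated tool nothing to learn from.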

In the example below, which is an image showing the program in use, we can see that Target is the URL in which tests will be carried out. The field to the left, with the checkboxes (☐), is the menu for tables (or lists of information) to which the hacker is obtaining access. The results gradually appear in the box to the right. It’s where the “gold” shows up: emails, logins, passwords and even credit card numbers.

[Image: SQLInjection]

Why do invasions from hackers occur?


1. Outdated sites

The older the site, the greater the chance of finding flaws, because security updates have not been applied. Constant vigilance is necessary to prevent development problems.


2. Small business sites

Smaller e-commerce sites are attacked because they’ve been incorrectly or inadequately developed. Unqualified site developers are often hired due to a lack of concern over security, which leads, obviously, to carelessness when it’s time to prevent problems.

Hackers sometimes look for clues in the page footer, where site developers take credit for their work; e.g., “Developed by...” After one successful invasion, it’s not difficult for the hacker to find other flawed sites built by the same developer, thereby locating a veritable cornucopia of sites that have the same or similar flaws.


3. Passwords stored “on a silver platter”

Many sites store passwords openly, right in an Excel spreadsheet. That is a terrible mistake! The correct way is to use hashes: data that has been scrambled in order to make identification more difficult.

Each password may have more than one type of hash, and a hash can contain a great many digits, which makes the original password more difficult to see. This does not prevent our beloved hackers from also having access to hash translation databases (lookup tables that map known hashes back to passwords). So, don’t get upset with those sites that require various types of characters when you’re creating a password.

Another interesting way to find out if a site’s password storage is precarious is the “I forgot my password” function. If the site sends you an email containing your password in plain text, it means that hashes are not used at all there.


4. Payment methods without secure intermediation

Some websites don’t use PayPal, Stripe or other secure methods for receiving payments. That is, they end up saving customers’ credit card data in their database.

What do the hackers do with the data they get?


Hackers who succeed in getting credit card data are involved in buying and selling card numbers (generally in lists), in order to steal anything possible from the victims. But with passwords, there are additional tricks. Passwords stolen from one site can be tested to see if they work at other sites, to further exploit the victim.

For example, if the credentials were obtained from a small e-commerce site, the hackers work on the principle that many people use the same password in several places. Using this technique, they may even get access to internal corporate systems by using the password of an employee who used the same password on the invaded e-commerce site.

How can I protect my data from hackers?


Your data or that of your employees may be vulnerable without the element that is most necessary in any security problem: awareness. Below are some basic tips that you may have seen before, but they are just what’s needed to protect your data from schemes like SQL Injection:


Don’t reuse the same password

Always change! Then if you become a victim of exposure (even using your best and longest password), you will have lost just one credential.


Do not use corporate emails just anywhere

Always separate what’s personal from what’s professional. And always warn your employees and colleagues about that! After all, corporate data is among the most targeted by cybercriminals.


Axur repudiates the fraudulent use of SQL Injection and any other criminal activity online. Our intent in publishing this report is to demonstrate the need for correct site development and security awareness. The General Data Protection Regulation (GDPR) has shown us that companies must now take responsibility in protecting the security of their consumers’ passwords and other data.

Our Threat Intelligence solution, which can monitor the deep web and dark web, is able to detect and identify various types of invasions and help to prevent future attacks.


GUEST EXPERT

Eduardo Schultze, CSIRT Coordinator at Axur, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 with fraud involving the Brazilian market, mainly phishing and malware.

AUTHOR

Andre Luiz R. Silva

A journalist working as Content Creator at Axur, in charge of Deep Space and press activities. I have also analyzed lots of data and frauds here as a Brand Protection team member. Summing up: working with technology, information and knowledge together is one of my biggest passions!