When attacking, hackers bombarded websites with 38,000 attacks per hour over the period June-November 2011, the period examined by the second WAAR study; this compares with 25,000 attacks per hour from December 2010 through May 2011, the period tracked by the first WAAR study.
“Attacks were less evenly spread across time and more concentrated into higher volume individual attack campaigns”, according to Amichai Shulman, chief technology officer at Imperva.
Imperva’s Application Defense Center observed and categorized attacks across 40 applications in the second report – compared to 30 applications in the first report – and monitored millions of individual attacks targeted at web applications from June through November.
While the intensity of hacker attacks increased, the average number of hacker probes decreased. During the period tracked in the first report, websites were probed about once every two minutes, or 27 times per hour, but that number dropped to 18 per hour in the June-November time frame.
Hackers continue to exploit five common application vulnerabilities: remote file inclusion, SQL injection, local file inclusion, cross-site scripting, and directory traversal. While the report saw in increase in attacks on four of the vulnerabilities, attacks targeting cross-site scripting actually decreased, Shulman told Infosecurity.
According to the report, hackers are relying more on business logic attacks because of their ability to evade detection. Business logic attacks, which include email extraction and comment spamming, accounted for 10% of the analyzed malicious traffic.
“We are seeing more attacks that are not of a technical nature but of a logical nature. These attacks are compromised of requests that are legitimate with respect to their structure and content, but they represent an abuse of the application functionality”, Shulman explained.
Email extraction is used to survey many websites to harvest email addresses, he continued. These addresses are then sold for legitimate marketing purposes as well as illegitimate phishing and spam campaigns, he added.
Comment extraction involves an attacker automatically posting large quantities of comments in forums and other applications. The purpose of the comments is to promote specific sites and servers in terms of search engines or to lure people into visiting websites with malware, Shulman said.
The email extraction traffic was dominated by hosts based in Africa, while comment extraction traffic was concentrated in Eastern Europe, he added.