Security firm Imperva said last week that sixteen government, military and educational websites have been hacked are now up for sale for anyone wanting to take control.
The firm originally stumbled across this revelation while scanning through underground forums. One hacker was discovered to be offering full control of a website used by the U.S. Army's Communications-Electronics Command (CECOM), granting virtual keys to the backdoor for just under $500 bucks.
And that's just for starters. According to Noa Bar-Yosef, Imperva senior security strategist, this particular hacker also claims he has control over numerous additional websites owned by the military, the government and universities. The price to gain access to these websites depend on their importance and level of use, ranging from $33 to $499.
"You can actually buy the capability of being the administrator of the website," she told Computerworld, adding that databases of personal information are also up for grabs at $20 per thousand records-- one case even reveals a data pack of 300,000 people up for a hefty price.
The hacker in question is reportedly using SQL injection to gain access to the websites. According to the Wikipedia definition, this is "a code injection technique that exploits a security vulnerability occurring in the database layer of an application." Typically hackers look for poorly-written web pages sporting search boxes and/or data-entry forms that connect with back-end databases. Hackers then use an automated tool to sneak database commands in through those faulty pages.
Although Imperva marked out the list of website names that are up for sale, security blogger Brian Krebs posted a screenshot of the forum post unedited, revealing sites such as the University of South Carolina in Beaufort, the Department of Defense Pharmacoeconomic Center, the State of Utah's official website and more.
"Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as 'cyberwar,' it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities," he said. "But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies."