KrebsOnSecurity turned us on to this story, first reported by the security vendor Imperva.
A cyber criminal seems to have easily gained access to many high-profile government, educational, and military websites. By using simple SQL injection vulnerabilities, he claims to have full control of over a dozen such sites and has been attempting to sell his access online for prices ranging from $55 to $500. Hacked websites include cecom.army.mil, the South Carolina National Guard, the official Italian Government Website, several major universities, and many others. Imperva speculates that he is probably offering access credentials and administrator URLs.
They also report that he is selling personally identifiable information (PII) for $20 per thousand records.
Spammers often buy this kind of site access to inundate highly ranked pages with links to questionable commercial operations. Others may want PII for more nefarious purposes.
The story demonstrates how easy it is for cyber criminals to break into poorly coded websites, especially when search boxes and other input forms are linked to backend databases. As such, it should serve as a reminder to every organization with a website to take the basic steps to secure their site against these basic kinds of attacks.
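To make the "search box wired to a database" problem concrete, here is an added example (not code from the original post or from any of the sites mentioned) that runs against a constructed in-memory SQLite table. `search_vulnerable` builds the query by pasting the search term into the SQL string, which is the coding mistake the article describes; `search_parameterized` is the basic fix, passing the term as a bound parameter so the database never interprets it as SQL. The table, its rows and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for a site's backend "pages" table.
# Only rows marked "public" should ever be returned by the site search.
SAMPLE_ROWS = [
    ("Admissions", "public"),
    ("Campus map", "public"),
    ("Admin console", "restricted"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The pattern the article warns about: the search term is concatenated
    straight into the SQL text, so a quote character in the input can end the
    string literal and change the query's logic (here, bypass the
    visibility = 'public' restriction)."""
    sql = ("SELECT title FROM pages WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened form: the SQL text is fixed and the term travels as a bound
    value. Whatever characters it contains, it can only ever be compared
    against the title column, never executed as part of the statement."""
    sql = ("SELECT title FROM pages WHERE visibility = 'public' "
           "AND title LIKE ?")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = build_db()
    # Ordinary search: both versions behave the same.
    print(search_vulnerable(conn, "map"))       # ['Campus map']
    print(search_parameterized(conn, "map"))    # ['Campus map']
    # Constructed test input a reviewer would use to check the fix: a quote
    # followed by an always-true comparison. The concatenated query leaks the
    # restricted row; the parameterized query simply finds no matching title.
    tainted = "' OR '%'='"
    print(search_vulnerable(conn, tainted))     # all three rows, including 'Admin console'
    print(search_parameterized(conn, tainted))  # []
```

Parameterized queries are the step that actually closes the hole; input filtering on its own is fragile and is best treated as defense in depth (and as a signal worth logging, since quote characters and SQL keywords in a search box are a cheap indicator that someone is probing the form).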