Hackers Sell Government Websites For Just £300

The online threat posed to official government websites is once again in the spotlight after a security vendor found that control of both military and government websites was being offered for as little as $499 (£312).

Last Friday Imperva reported on its Data Security blog that several major websites had been hacked and are up for sale on underground forums. The security vendor included screenshots, but redacted the names of the victims from its blog post.

However it has been reported elsewhere that the hacker is claiming control over a number of websites including US and European government, military and education sites, and is willing to sell them for between $55 (£34) and $499 (£312).

SQL Injection Attack

Some of the more costly websites on offer include the US Army CECOM and South Carolina National Guard websites ($499 each) and a medical website of the US Department of Defense for $399 (£250).

According to Imperva, the hacker gained access to the websites by using the SQL injection technique.

“The victims’ vulnerabilities were probably obtained by SQL injection vulnerability automatic scanner and exploited in automatic manner, as the hacker published his methods in a post in some hacker forum – see screen shot and explanation,” Imperva warned.

Meanwhile security blogger Brian Krebs has gone ahead and identified the websites concerned. These include the US states of Utah and Michigan, the Italian Government, and the US Department of Defense.

“I’ve seen some of the back-end evidence of his (the hacker) hacks, so it doesn’t seem like he’s making this up. Perhaps out of deference to the federal government, the Imperva folks blocked out the best part of that screen shot – the actual names of the website domains that this hacker is selling,” said Krebs.

Naming Names

Krebs’ blog offered a full screenshot listing of the compromised websites, without the redaction that Imperva used.

He also showed that the hacker is offering other services, such as hacking into a normal website for $10 (£6.27), although a “high profile” website will cost more than that. Government and military databases said to include full names, addresses, and contact details are available for just $20 (£12.54) per 1,000 records. Meanwhile scanning a website for vulnerabilities costs a mere $2 (£1.25).

“I find it ironic that one of these sites allegedly for sale is the Department of Defense Pharmacoeconomic Center, which is a DoD site tasked with ‘improving the clinical, economic, and humanistic outcomes of drug therapy in support of the…military health system.’ In all likelihood, if access to this site is purchased, it will be by someone looking to plant links to rogue online pharmacies of the sort frequently advertised in junk email,” said Krebs.

Hacking Threat

The issue of hackers and cyber warfare is very much in the headlines of late. In November, the Armed Forces minister Nick Harvey called for the UK to have the ability to strike back at those conducting cyberwarfare campaigns.

That same month a lone Romanian hacker forced the Royal Navy to suspend its website after it was compromised. The Navy website was closed for many days as a result of the hack.

But is not just government and military websites that are being attacked. Late last week for example cosmetics company Lush admitted it had been aware that its UK website had been hacked several weeks before it made the decision to inform customers of the intrusion.