A phishing attack has been discovered on the UK Government’s Home Office website, The Register reports. The attack, which targets poste.it, the website of Italian bank Poste Italiane, can be found here. The attack was detected by security researchers PrevX and used an RFI exploit via an SQL injection to serve the fraudulent content.
Whilst the phish gains no extra credibility by being hosted on the Home Office’s website, it does raise serious questions about how it got there in the first place and the security of the government’s websites. This is the department that knows everything there is to know about UK citizens after all and hackers have obviously found a back door somewhere!
“This is very embarrassing for the Home Office, having the Crime Reduction website hacked by cybercriminals is a bit like having a mugger hiding in the local police station nicking people’s wallets when they come in,” said Jacques Erasmus, head of malware research at Prevx.
May we suggest the web developers working for Her Maj’s government take time to read up on SQL prepared statements and how to properly escape SQL queries to prevent such attacks in the future.
Update: The Home Office removed the phishy content from the site early on Monday morning.
Update 2: The Government IT bods have been caught with their pants around their ankles again, this time with an editable interface left open to the public.
