Published: 2009-12-14
Online attacks against databases have taken off in the past 18 months, according to data released by IBM's X-Force security team.
In May 2008, IBM's customers encountered about 2,500 SQL injection attacks every day. By midsummer 2009, the technology giant's products were seeing 600,000 database attacks per day on average, said Tom Cross, a security researcher at IBM. The attacks attempt to inject legitimate structured query language (SQL) commands into whichever database software runs a particular Web site.
"In the past year and a half, hackers have figured out how to use SQL injection on a broad basis to make money," Cross said. Like spam, SQL injection attacks are a numbers game: if a giant increase in attacks only delivers a few more infected Web sites, the attacks are still worth the effort, he said. "Most of these are attacks that don't work."
The enormous increase in the number of attacks parallels a more than fivefold increase in malicious Web sites encountered by the technology giant's Web crawlers. Cross acknowledged that the data is not perfect. Customers that regularly scan their networks for SQL vulnerabilities, for example, will inadvertently increase the perceived number of attacks against their systems, he said.
The trend means that Web surfers will increasingly have to worry about being infected by legitimate Web sites that have been compromised by a database attack, Cross said.
"In the past, you would most often find malicious code when you were on sites that I call the Red Light district of the Internet," Cross said. "Now, you are more likely to encounter malicious code just by visiting run-of-the-mill sites."
Data collected by IBM in the second half of 2009 will likely be presented in a report due out in late January.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos
