Mid-May Timeline of SQL Attacks
It's the age-old question: if a tree falls in the woods and no one is around to hear it, does it make a sound? Likewise, if a web page is compromised and no one visits the page, is it a threat? While many researchers measure risk by search engine results, ScanSafe STAT monitors actual traffic attempts and uses that data to determine risk level. Viewed from that perspective, of the 70 attack hosts identified in the ongoing SQL injection attacks, about 20 of the attacks have resulted in measurable attempts to visit the affected pages. That is quite a bit of measurable traffic, lest you think 20 out of 70 somehow implies the overall risk isn't significant.
The timeline below shows the progression of the attacks thus far in May:

Again, the above reflects attacks on pages that users actually visited. And the targeting is improving as time goes on. Each wave seems to net more and more pages that are highly trafficked: of the 20 high-impact attacks thus far, 13 have been in May. And the month's not even over yet.
As an aside, the worldoil.com web site has been compromised and re-compromised in nearly all of these attacks. Maybe they need a cleanup crew for their SQL spills?

Mary Landesman