Foreign Web attacks change security paradigm

New Web attack threats like blog spam and SQL injections may change the traditional notion of security, a security researcher said.

Additional SQL injections failed, so the hackers searched the system for another exploit. They found a library application that allows images to be uploaded. The hackers uploaded a GIF file with a line of code embedded in the image. The computer system read the GIF tag, uploaded the photo and then automatically executed the code.

Hackers "targeted an app that is custom-written, in-house, and launched a specific attack against that app," Smith said.
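A defensive check for the upload weakness described above, as an added example that is not from the article or from the company's application: it rejects files that merely start with a GIF tag by walking the whole GIF block structure, scans for embedded code markers, and never keeps the client's filename. The marker list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import secrets

# Assumed marker list: the article does not name the language of the embedded code.
CODE_MARKERS = re.compile(rb"<\?php|<script|<iframe", re.IGNORECASE)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip length-prefixed sub-blocks; return the index after the 0x00 terminator."""
    while True:
        size = data[pos]              # IndexError on truncation, caught by the caller
        pos += 1 + size
        if size == 0:
            return pos

def gif_parses_cleanly(data: bytes) -> bool:
    """True only if data is a complete GIF that ends exactly at its trailer byte."""
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            return False
        packed = data[10]             # flags byte of the logical screen descriptor
        pos = 13 + (3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0)
        while True:
            block = data[pos]
            if block == 0x3B:                       # trailer
                return pos == len(data) - 1         # nothing may follow it
            if block == 0x21:                       # extension: label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                     # image descriptor
                packed = data[pos + 9]
                pos += 10 + (3 * 2 ** ((packed & 7) + 1) if packed & 0x80 else 0)
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW code size
            else:
                return False
    except IndexError:
        return False

def accept_upload(data: bytes):
    """Return a server-chosen storage name for a clean GIF, or None to reject."""
    if not gif_parses_cleanly(data) or CODE_MARKERS.search(data):
        return None
    # Never reuse the client's name or extension; store where nothing is executed.
    return secrets.token_hex(16) + ".gif"

# Constructed samples: a 1x1 GIF and three tampered variants with an inert marker.
CLEAN = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
         b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x4c\x01\x00\x3b")
PAYLOAD = b"<?php /* constructed placeholder */ ?>"
HEADER_ONLY = b"GIF89a" + PAYLOAD                   # passes a magic-byte check only
TRAILING = CLEAN + PAYLOAD                          # data appended after the trailer
IN_COMMENT = CLEAN[:19] + b"\x21\xfe" + bytes([len(PAYLOAD)]) + PAYLOAD + b"\x00" + CLEAN[19:]
```

The third sample parses as a valid GIF, which is why the structural check is paired with the marker scan; the scan is a heuristic, and re-encoding the image and serving uploads from a location the server never executes are the stronger controls.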

Hackers eventually placed "iFrame" HTML code on every page of the company's Web site. The iFrames redirected the victim's browser to a server that infects the computer using a tool called "MPack." This tool profiled a victim's OS and browser and launched attacks based on that information.

The result is that victims are getting hit with multiple attacks, said Smith.

Today, SQL injection attacks are the top threat to Web security, said Ryan Barnett, director of application security at Breach Security, in an interview separate from the conference.

Last year, cybercriminals began unleashing massive Web attacks that have compromised more than 500,000 Web sites, according to the security vendor.

"They started off in January and went through essentially the whole year," said Barnett. Previously, crafting a SQL injection attack took time, but last year attackers created worm code that could automatically seek out and break into hundreds of thousands of sites very quickly.

Now, instead of stealing data from the hacked Web sites, the bad guys are increasingly turning around and planting malicious scripts that attack the site's visitors. "Now the site is becoming a malware depot," he said.

(Bob McMillan in San Francisco contributed to this report.)
