Security researchers recently demonstrated a new way that accounting software could be hacked, allowing unauthorized payments to be sent to cybercriminals.
The security site Dark Reading reported Wednesday on proof-of-concept code that was unveiled by researchers at the firm SecureState at a conference in Abu Dhabi. They showed how hackers could create a backdoor in Microsoft Dynamics GP, formerly known as Great Plains Dynamics, but pointed out that similar techniques could be employed with other accounting packages, such as MAS 90, Peachtree, Oracle and SAP.
They created a script, called Mayhem, that is able to make remote SQL database queries and commit financial fraud using a technique they refer to as “injection and hooking.” Unlike earlier hacking techniques, this approach would not require installing a piece of Trojan malware on the system, where it might be detected by antivirus software.
While the Mayhem script was just a proof of concept by researchers whose goal is to make accounting software more secure, it would not be surprising if the same technique were employed by the very hackers they hope to outwit.