Cyber criminals are turning their attention to the programs that run many online shops, say experts.

The move to target the databases and programs that power online shops is a significant change in tactics.

In one case, an attacker got hold of a PC maker's entire customer list and sent everyone on it a nasty note.

"It's kind of like an arms race. It's the next logical step to go after the application itself," said Rob Straight from software firm Compuware.

"There are a lot of people that spend their time and energy to think of ways to break into applications maybe for fun and maybe for profit," he said.

Crime spree

Businesses connected to the net, and especially those that run online shops, are used to defeating all kinds of attacks. On a daily basis they have to cope with attempts to exploit known vulnerabilities as well as viruses and worms that try to slip through security software.

Evidence for just how new this is can be seen in the latest list of the Top 20 most vulnerable programs released in early May by the Sans Institute.

For the first time this list included such things as media players, anti-virus programs, web browsers and databases.

Vulnerabilities in browsers and media players are proving popular with the malicious hackers, said Gerhard Eschelbeck, chief technology officer at security firm Qualys and a Sans contributor.

"They typically require some interaction by the victim to get exploited, such as browsing a malicious website, or opening a malicious e-mail or media file," he said.

But, he says, attempts to subvert website shopping systems rather than the basic operating systems on PCs and servers are something new.

Many of the programs or applications that net businesses write to power their online shops include fields in which customers can enter text such as a quantity, wrapping instructions or address.

Basket case

Web shops and online banks were seeing far more attempts to inject working computer code into the databases and applications behind the scenes of many websites, said Donal Casey, spokesman for Diagonal Security.

"It can be very difficult to defend against these attacks," he said.

What can make it worse is that once attackers find a vulnerability in one web application, they are likely to try it again and again in all the other places that particular program is used.

Organisations such as the Jericho Forum and the Open Web Application Security Project have sprung up to do a better job of scrutinising these backroom programs and ensuring they are secure.

"You can get unexpected input by users and the application might not be set up to deal with that," said Mr Straight from Compuware. "You could get unpredictable results and or even the failure of the application."

Some attackers try to enter database commands into such fields just to see what happens. In such cases "unpredictable results" could see those commands executed and a database seriously compromised, said Mr Straight.

Attackers could end up with a store's entire customer list, including credit card numbers and bank account details.

Increasingly, said Mr Straight, developers writing web applications were turning to automated tools that check the programs are proof against the most common attacks.

"We can simulate what a hacker would do by bombarding an application with erroneous text strings," said Mr Straight.

"There are real consequences to all this," he said.