It’s suspected by researchers that a SQL injection attack was used to force websites to run database commands, allowing hackers to install the HTML.
Not all the websites have been hit completely, since some hackers were only able to install their code on certain pages of very large websites. Some break into a partner site such as an ad company that is allowed to post things on some of the larger company’s website. In the case of the Wall Street Journal, only a small number of pages that displayed real-estate ads were affected.
Scrawlr, a tool released by Microsoft and HP allows users the ability to check sites for SQL injection vulnerabilities.
(Via Computer World)