A mass SQL injection attack that initially compromised 28,000 Websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.
Security firm Websense has been tracking the “LizaMoon” attack since it started March 29. The company’s malware researchers dubbed the attack LizaMoon after the first domain that victims were redirected to. At the redirected site, users saw a warning dialog that they had been infected with malware and a link to download a fake antivirus.
The users are shown a number of threats supposedly on their computer, but the fake AV, Windows Stability Center, won’t remove them until the user pays up, in a “very traditional rogue AV scam,” wrote Patrik Runald, the Websense researcher who has been following the attack over the past few days.
The list of redirect URLs has ballooned in the days since, as Websense updated its list March 31 with 20 additional sites, making this one of the biggest mass-injection attacks ever.
More than 500,000 URLs have been injected with LizaMoon, according to Runald. If all the domains used in the attack are considered, eWEEK found about 2.9 million results on Google Search that have been compromised.
“Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site,” Runald said. It is safe to consider hundreds of thousands of domains have been hit, he said.
Websense researchers are still trying to figure out how the SQL injection attack is happening. Somehow, legitimate Websites have been compromised in a way that one line of code has been embedded on the site. That code is a simple redirect, and executes when the user loads the page. The bulk of the action happens on the redirected page, where a script containing Javascript code kicks off the fake AV scam.
For more, read the
eWEEK article:
'LizaMoon' Mass SQL Injection Attack Escalates Out of Control.
