'LizaMoon' SQL Injection Attack Sprawls Across Net

By Channel Insider Staff  |  Posted 2011-04-04 Email Print this article Print
 
 
 
 
 
 
 

WEBINAR: Event Date: Tues, December 5, 2017 at 1:00 p.m. ET/10:00 a.m. PT

How Real-World Numbers Make the Case for SSDs in the Data Center REGISTER >

A rampant SQL injection attack dubbed "Liza Moon" has infected millions of unique URLs, directing users to fake antivirus sites.

A mass SQL injection attack that initially compromised 28,000 Websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.

Security firm Websense has been tracking the "LizaMoon" attack since it started March 29. The company’s malware researchers dubbed the attack LizaMoon after the first domain that victims were redirected to. At the redirected site, users saw a warning dialog that they had been infected with malware and a link to download a fake antivirus.

The users are shown a number of threats supposedly on their computer, but the fake AV, Windows Stability Center, won’t remove them until the user pays up, in a "very traditional rogue AV scam," wrote Patrik Runald, the Websense researcher who has been following the attack over the past few days.

The list of redirect URLs has ballooned in the days since, as Websense updated its list March 31 with 20 additional sites, making this one of the biggest mass-injection attacks ever.

More than 500,000 URLs have been injected with LizaMoon, according to Runald. If all the domains used in the attack are considered, eWEEK found about 2.9 million results on Google Search that have been compromised.

"Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site," Runald said. It is safe to consider hundreds of thousands of domains have been hit, he said.

Websense researchers are still trying to figure out how the SQL injection attack is happening. Somehow, legitimate Websites have been compromised in a way that one line of code has been embedded on the site. That code is a simple redirect, and executes when the user loads the page. The bulk of the action happens on the redirected page, where a script containing Javascript code kicks off the fake AV scam.

For more, read the eWEEK article: 'LizaMoon' Mass SQL Injection Attack Escalates Out of Control.
 
 
 
 
 
 
 
 
 
























 
 
 
 
 
 

Submit a Comment

Loading Comments...
























 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date