SQL infection cracks reported on thousands of sites

According to Websense, the attacks are designed to scare computer users into downloading and installing scareware - fake AV software that harvests users’ card details - as well as scamming money for a non-existent service.

The 'LizaMoon' infection campaign, says Websense, has infected as many as half a million web pages.

"We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought", says Websense in its security blog.

"All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack", the vendor adds.

Websense goes on to say that Google search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.

Research into the raft of domain names involved in the infections seems to show that one of the domains - stats-master111.info - was registered on October 21, 2010.

This could, says the IT security vendor, mean the first attack happened then but its researchers do not have any direct evidence.

"The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today", the firm said on Friday, adding that the domain, milapop.com, was registered late last week.

Interestingly, Websense says that its research team wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it now does.

"We created a video showing what happens if a user visits a website that contains the injected code", says the firm, adding that a user only gets the malicious code once per IP address, so if you have already visited the site you won't get the code again.

"The Rogue AV software that is installed is called Windows Stability Centre and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal", adds Websense.
