The SQL injection attack known as LizaMoon may not be as widespread as was first thought, according to new analysis by a Google engineer.
LizaMoon is a massive SQL injection attack which is thought to have infected over 500,000 URLs with malicious scripts. The injected code redirects users to malicious addresses containing fake AV and rogue AV. The attack was uncovered by security company Websense, which blogged about the attack on 29 March, when only 28,000 sites had been compromised.
It was given the name LizaMoon by Websense because the original injected code called JavaScript routines stored at lizamoon.com, a URL registered a few days earlier.
However, according to analysis by Google Principal Engineer Niels Provos, a better way to measure the attack is to count the number of sites that have a functioning reference, rather than simply Googling the URL. In this way, Provos was able to leave out those URLs that had the code but didn’t actually redirect users.
He found that the Lizamoon campaign started around September 2010 and actually peaked in October 2010 with 5,600 infected sites – although it is now undergoing a revival. It is in fact substantially smaller than previous SQL injection attacks such as Gumblar.cn/ and Martuz.cn/ in 2009.
“For future studies of SQL injections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs,” he wrote in a blog post.
Other security experts are reporting that the attack succeeded in ensnaring very few victims, as many of the domains used by LizaMoon’s creators to peddle scareware were shut down very soon after they were created. According to Rik Ferguson, senior security advisor at Trend Micro, the company only had to block around 2,000 attempts to visit the domains.
“The sites that were compromised by the SQL injection attack were comparatively low profile sites and thus the attack did not gain significant momentum,” Ferguson told BBC News.
Despite this, SQL injections seem to be going through a phase of popularity with cyber criminals at the moment. Last week, for example, sites belonging to Oracle’s Sun and MySQL subsidiaries were infected, exposing database names and email addresses.
To settle US federal and state claims over multiple data breaches, Marriott International agrees $52…
ByteDance's TikTok is laying off up to 500 employees as it moves to greater use…
In this episode, we uncover why most organisations aren’t ready to harness generative AI. We…
Mixed reactions as Elon Musk hypes $30,000 'self driving' robotaxi called Cybercab, as well as…
AMD unveils new AI and data centre chips as it seeks to improve challenge to…
AT&T and Verizon among US broadband providers reportedly hacked to target American government wiretapping platform