The SQL injection attack known as LizaMoon may not be as widespread as was first thought, according to new analysis by a Google engineer.
LizaMoon is a massive SQL injection attack which is thought to have infected over 500,000 URLs with malicious scripts. The injected code redirects users to malicious addresses containing fake AV and rogue AV. The attack was uncovered by security company Websense, which blogged about the attack on 29 March, when only 28,000 sites had been compromised.
It was given the name LizaMoon by Websense because the original injected code called JavaScript routines stored at lizamoon.com, a URL registered a few days earlier.
However, according to analysis by Google Principal Engineer Niels Provos, a better way to measure the attack is to count the number of sites that have a functioning reference, rather than simply Googling the URL. In this way, Provos was able to leave out those URLs that had the code but didn’t actually redirect users.
He found that the Lizamoon campaign started around September 2010 and actually peaked in October 2010 with 5,600 infected sites – although it is now undergoing a revival. It is in fact substantially smaller than previous SQL injection attacks such as Gumblar.cn/ and Martuz.cn/ in 2009.
“For future studies of SQL injections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs,” he wrote in a blog post.
Other security experts are reporting that the attack succeeded in ensnaring very few victims, as many of the domains used by LizaMoon’s creators to peddle scareware were shut down very soon after they were created. According to Rik Ferguson, senior security advisor at Trend Micro, the company only had to block around 2,000 attempts to visit the domains.
“The sites that were compromised by the SQL injection attack were comparatively low profile sites and thus the attack did not gain significant momentum,” Ferguson told BBC News.
Despite this, SQL injections seem to be going through a phase of popularity with cyber criminals at the moment. Last week, for example, sites belonging to Oracle’s Sun and MySQL subsidiaries were infected, exposing database names and email addresses.
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…
Most people in the United States view TikTok as a Chinese influence tool a poll…
UK regulator confirms it is investigating whether OnlyFans is doing enough to prevent children accessing…
Dismissed staff file complaint with a US labor board, and allege Google unlawfully terminated their…
Elon Musk dismisses two senior Tesla executives, plus the entire division that runs Tesla's Supercharger…