About a month ago, researchers from the Internet Storm Center (ISC) noticed an ongoing SQL attack and dubbed it lilupophilupop because it redirected users to a domain with that name, but since at the time there were only 80 or so infected webpages, no one gave the incident much thought. Now, the number of victims increased to 1 million pages.
“Sources of the attack vary, it is automated and spreading fairly rapidly. As one of the comments mentioned it looks like lizamoon which infected over 1,000,000 sites earlier this year,” ICS’s Mark Hofman said at the beginning of December.
“The trail of the files ends up on "adobeflash page" or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected.”
The attack has been ongoing since and the victim sites can be seen all over the world.
The figures show that 56,000 pages from the UK, 123,000 from the Netherlands, close to 50,000 from Germany and 30,000 .com webpages bare the infection. Russian, Japanese, Danish, Canadian and .org domains are also affected.
“At the moment it looks like it is partially automated and partially manual. The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period,” Hofman says.
Massive SQL injection attacks are considered by some cybercriminals the best way to spread their malicious campaigns with minimum effort.
It’s clear that the infection spreads rapidly like a plague and all the unsecure websites it encounters are easily compromised to serve a malicious scheme.
The problem with these compromised sites is that they may be sites that users visit often and if they’re served a fake anti-virus software they might be tempted to install it, giving cybercrooks the perfect opportunity to make tons of money from inexperienced internauts who really believe that there’s something wrong with their computers.