The targeted sites redirect their visitors to domains that serve Fake AVs

Apr 27, 2012 13:21 GMT

Security researchers from AegisLab have identified 179,000 websites as being affected by an SQL injection attack. A few hours after the report came out, we detected close to 200,000 sites as containing a malicious script.

Experts reveal that, similar to the Lilupophilupop attack, sites that use ASP, IIS and MySQL are targeted.

The one thing all the affected sites have in common is that they have been altered to host a script which redirects visitors to a PHP file on a domain called nikjju.com, which serves fake antiviruses.

Administrators are advised to check their webpages for any line that contains something similar to: "nikjju.com / r.php" (no spaces).

AegisLab recommends that site owners consider deploying filtering solutions that can detect malicious URLs.

Also, the SANS Internet Storm Center reports that besides the nikjju.com domain, another one, called hgbyju.com, is also utilized in this campaign.
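One way to run the check described above against page source or a database export, as an added example that is not code from AegisLab, SANS or the original article. It flags script tags whose host is one of the two domains named here, including entity-escaped and protocol-relative forms; the function names and the sample text are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Domains named in the article; extend the set as further ones are reported.
CAMPAIGN_DOMAINS = {"nikjju.com", "hgbyju.com"}

# Any <script ... src=...> tag; the value may be double-quoted, single-quoted or bare.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE)

def host_of(url):
    """Return the lowercase host of a script URL, or '' for a relative path."""
    url = url.strip()
    if url.startswith("//"):            # protocol-relative URL
        url = "http:" + url
    elif "://" not in url:
        return ""
    return (urlsplit(url).hostname or "").lower()

def is_campaign_host(host):
    # Exact match or subdomain only, so look-alike names do not match.
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)

def find_injected_scripts(text):
    """Return (line_number, host, url) for each script loaded from a campaign domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Database content is often rendered entity-escaped (&lt;script ...&gt;),
        # so decode before matching.
        decoded = html.unescape(line)
        for m in SCRIPT_SRC.finditer(decoded):
            url = next(g for g in m.groups() if g is not None)
            host = host_of(url)
            if is_campaign_host(host):
                hits.append((lineno, host, url))
    return hits

# Constructed sample: lines as they might appear in a response body or a table export.
SAMPLE = "\n".join([
    '<html><head><script src="/js/site.js"></script></head>',
    '<h1>Products</h1><script src="http://nikjju.com/r.php"></script>',
    "<td>Widget&lt;script src=//HGBYJU.com/example.js&gt;&lt;/script&gt;</td>",
    "<p>Advisory text mentioning nikjju.com in prose only.</p>",
    '<script src="http://notnikjju.com/a.js"></script>',
])

if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE))
```

Because the script is injected through the database, a hit in rendered output usually means the same tag is stored in one or more text columns, so the export of those tables is worth scanning as well.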