Mar 31, 2011 16:16 GMT

A recently announced mass injection attack dubbed LizaMoon is spreading rapidly and has managed to infect over 1.5 million web pages in just a few days.

The mass compromise was announced by Websense on Tuesday, at which time it had already affected some 28,000 pages and made its way onto iTunes.

One interesting aspect of the attack was that by the time researchers spotted the infection, the domain hosting the rogue code, lizamoon.com, was already inactive.

While this has not changed, the infection has taken on massive proportions and started using new domains, including worid-of-books.com, alexblane.com, alisa-carter.com and t6ryt56.info.

"We’re seeing compromised websites that were previously inserted with a script leading to lizamoon(dot)com/ur.php already modified to connect to tadygus(dot)com/ur.php. The said URL also resolves to the same IP server as the 4 previously mentioned URLs," Trend Micro researchers warn.

The attack uses SQL injection techniques to insert rogue code into the databases of PHP and ASP websites alike. There is most likely a great deal of automation behind this.
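A defender-side check for the injection described above, added here as an example and not code from the article or the researchers it quotes: it scans every string value in a database for `<script>` tags whose source is one of the domains named in the article and, as an assumption, also flags the same `/ur.php` path on any other external host. SQLite and the sample rows are constructed for the demo.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article; /ur.php is the path quoted from Trend Micro.
KNOWN_DOMAINS = {"lizamoon.com", "tadygus.com", "worid-of-books.com",
                 "alexblane.com", "alisa-carter.com", "t6ryt56.info"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"].strip())

def classify(src):
    """Return 'known-domain', 'path-match' or None for one script URL."""
    url = urlparse(src)
    host = (url.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known-domain"
    # Assumption: a rotated domain keeps the same /ur.php path; relative URLs are ignored.
    return "path-match" if host and url.path.lower() == "/ur.php" else None

def scan_database(conn):
    """Check every string value in every table for campaign script tags."""
    findings = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for rowid, *values in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            for col, value in zip(cols, values):
                parser = ScriptSrcCollector()
                parser.feed(value if isinstance(value, str) else "")
                findings += [(table, col, rowid, s, classify(s))
                             for s in parser.sources if classify(s)]
    return findings

def build_sample_db():
    """Constructed rows for the demo, not data from a real compromised site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [
        ("Blue widget", '<script src="/static/app.js"></script>'),
        ("Red</title><script src=http://lizamoon.com/ur.php></script>", "ok"),
        ("Green", '<script src="HTTP://WWW.Tadygus.com/ur.php"></script>'),
        ("Grey", '<script src="//cdn.example.test/ur.php"></script>')])
    return conn
```

Each finding is a `(table, column, rowid, src, verdict)` tuple, which points directly at the rows that need cleaning once the injectable query has been fixed.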

The infections lead to a scareware distribution site that displays fake antivirus alerts in order to convince users to download a rogue application called Windows Stability Center.

At this time, the malicious application has a fairly low detection rate on VirusTotal (13/43). After installation, it starts displaying all sorts of alerts and advises users to buy a license to fix the problems.

This is obviously a scam and there are no infections, or at least none that this application can remove. Unfortunately, distributing such programs is one of the most profitable cybercriminal activities.

Scareware attacks can take different forms, many of which involve the Web. Because of this, users are advised to always use an up-to-date antivirus that is capable of scanning Web traffic.