June 13, 2021

LizaMoon SQL-injection Attack Not as Large as First Thought

Over the last few days, the Internet has been throbbing with news of an SQL-injection attack dubbed LizaMoon which was reported to have infected hundreds of thousands of web pages including iTunes. However these numbers were calculated using Google’s search engine and the number of results available for web pages with the relevant terms in them. Now PCPro has been speaking to a Google engineer and it seems the damage might not be as bad as first thought.

Niels Provos, a principal engineer at Google, has counted the sites with a functioning reference, leaving out those that had the code but didn’t actually redirect users. What he found is that the Lizamoon attack actually peaked in October with 5,600 infected sites, but is currently “undergoing a revival”.

On 29th March 2011 Websense reported that according to a Google Search, over 226,000 URLs have been compromised. This included several iTunes URLs. On the 31st March they reported that a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack.

However they did mention that “Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Using the same search today Google reported 4,670,000 results!

The attack is named LizaMoon after one of the URLs that are injected into web sites. These rogue URLs redirect users to scareware sites which generate messages warning the user that their computer is infected with viruses, and offers to sell them antivirus software.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks