In association with heise online

01 April 2011, 16:49

Hundreds of thousands of hacked websites spreading scareware


Using an automated SQL injection attack, criminals have embedded links to domains carrying scareware in hundreds of thousands of websites. In some cases, visitors to an infected website see an additional page that pretends to be anti-virus software and claims to have discovered an infection on the user's system.

What is not clear is how often the criminals succeeded in embedding the links so that they actually work. The scattergun approach taken by the SQL injection attack on the content databases of content management systems has meant that in many cases the links were placed in fields such as the title tag which are not interpreted when the page is displayed and are therefore never called. According to Websense, the URLs were also found in some URLs for iTunes podcasts, possibly via modifications to RSS feeds from the vendors in question. Here too the attack carries no threat, as the browser does not interpret the injected links.

The URLs include an address in the domain and many security experts have therefore designated it the lizamoon attack. The domains used are no longer accessible. Security specialist Dancho Danchev has published an analysis of the domains used by this particular scareware campaign; he reports that they all ultimately lead back to a single IP address. The domains were registered just a few days ago using automatically registered Google Mail accounts.

Anyone running a web server should check their websites for injected JavaScript tags containing links such as <script src=></script>. If found, these should be removed. They will also need to find the SQL injection vulnerability used to inject the nefarious content. Installing the latest version of the web application used may be sufficient, but in some cases it may be advisable to seek professional assistance from a code auditor or pen tester.
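One way to carry out the check described above, as an added example that is not from the article or from Websense: scan exported CMS content fields (here a constructed sample of rows, with a placeholder host standing in for the campaign domain) for script tags whose src points outside an allowlist of hosts the site legitimately loads scripts from. It also flags injections in fields such as the title that never render, since those still indicate the database was written to.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows standing in for a dump of a CMS content table,
# as (id, column, value). "scareware.example" is a placeholder host.
SAMPLE_ROWS = [
    (1, "title", 'Welcome</title><script src="http://scareware.example/ur.php"></script>'),
    (2, "body", '<p>Our podcast feed</p><script src="/static/app.js"></script>'),
    (3, "body", '<p>Plain article text, nothing injected.</p>'),
    (4, "description", 'Episode 12 <script src="//scareware.example/ur.php"></script>'),
]

# Hosts this site legitimately loads scripts from (assumed for the example).
ALLOWED_HOSTS = {"cdn.ourdomain.example"}

# Matches a <script ... src=...> tag and captures the src value, quoted or not.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def suspicious_script_srcs(value, allowed_hosts=ALLOWED_HOSTS):
    """Return script src values in `value` whose host is not allowlisted.
    Relative src values (no host) are treated as same-origin and skipped."""
    hits = []
    for src in SCRIPT_SRC.findall(value):
        # Protocol-relative "//host/path" only parses correctly with a scheme.
        url = "http:" + src if src.startswith("//") else src
        # Strip any userinfo and port so only the host name is compared.
        host = urlparse(url).netloc.lower().split("@")[-1].split(":")[0]
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits

def scan_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """Scan (id, column, value) rows; return (id, column, src) findings."""
    findings = []
    for row_id, column, value in rows:
        for src in suspicious_script_srcs(value, allowed_hosts):
            findings.append((row_id, column, src))
    return findings

if __name__ == "__main__":
    for row_id, column, src in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}, column {column!r}: external script src {src}")
```

Run it against a full table export (every text column, not only those the templates render); any finding is a cue to remove the tag and then locate the injection point in the application.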

