"Lilupophilupop" infects a million URLs
SANS ISC updated their report saying that over a million URLs were infected with this malicious script tag. However, this estimate is based on a Google search for the script, is not deduplicated and does include many pages that originate from the same site. The distribution of the infections shows sites in the UK, Netherlands, Germany, France, Denmark, Canada, USA, Russia and Japan infected.
Searching today for that term shows a lower number of matches for the search query and many of the returned sites now show no obvious trace of the injected script. The lilupophilupop.com domain does not currently resolve in DNS and appears to have been blocked. The IP address that it had previously resolved to is still active and serving up the script which redirects browsers to a site serving fake anti-virus software. Records show that the IP address is part of a network based in Moldova but operating out of the area under the control of the breakaway government of Transnistria. Google's analysis of that network shows it hosts many malware sites or acts as intermediary for malware sites.