
Zero Day

Ryan Naraine and Dancho Danchev

Mass SQL injection attack leads to scareware

By Dancho Danchev | March 30, 2011, 7:02am PDT

Summary: Security researchers from WebSense have detected a mass SQL injection attack, which the cybercriminals monetize through scareware, also known as fake security software.

Security researchers from WebSense have detected a mass SQL injection attack (hxxp://lizamoon.com; 58,300 affected pages), which the cybercriminals monetize through scareware, also known as fake security software. The attack has also affected several iTunes web pages.

UPDATED: Additional information regarding the campaign is available: Dissecting the Massive SQL Injection Attack Serving Scareware.

More details:

The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer. So good job, Apple.

The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don’t have the actual binary analysis information available yet.
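
The Websense note above touches two separate defences: the query layer that let attacker-controlled text land in stored feed content in the first place, and the output encoding that stopped the injected script from running in iTunes. The following Python is an added illustration written for this page, not code from Websense, Apple or the article; it models a podcast feed table in an in-memory SQLite database with constructed rows, and the host `injected.example` and the injected row are placeholders, not the domains named in the article. It shows a string-concatenated lookup beside its parameterized form, an audit that flags stored content carrying script tags that load from untrusted hosts, and the encoding step that neutralizes such a tag when the content is rendered.

```python
import html
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed sample data: a podcast feed table as a small site might store it.
# The third row models a description field that has been tampered with to carry
# a script tag (placeholder host, not the domain named in the article).
SAMPLE_ROWS = [
    ("ep1", "Episode 1", "Intro episode."),
    ("ep2", "Episode 2", "Second episode."),
    ("ep3", "Episode 3",
     'Third episode.</title><script src="http://injected.example/inject.js"></script>'),
]

# Matches a <script ... src="http(s)://..."> tag and captures the script URL.
INJECTED_SCRIPT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def build_db():
    """Create an in-memory episodes table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE episodes (id TEXT PRIMARY KEY, title TEXT, description TEXT)")
    conn.executemany("INSERT INTO episodes VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, episode_id):
    """Defective pattern: the caller's text is spliced into the SQL statement,
    so a quote in the input changes the query rather than being matched as data."""
    sql = "SELECT id FROM episodes WHERE id = '" + episode_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, episode_id):
    """Corrected pattern: a bound parameter is always treated as a value."""
    rows = conn.execute("SELECT id FROM episodes WHERE id = ? ORDER BY id", (episode_id,))
    return [row[0] for row in rows]


def find_injected_scripts(conn, trusted_hosts=()):
    """Audit stored content for script tags loading from hosts not in the
    allow-list. Returns (episode_id, script_url) pairs for follow-up."""
    hits = []
    for ep_id, title, desc in conn.execute(
            "SELECT id, title, description FROM episodes ORDER BY id"):
        for field in (title, desc):
            for match in INJECTED_SCRIPT.finditer(field or ""):
                url = match.group(1)
                host = (urlsplit(url).hostname or "").lower()
                if host not in {h.lower() for h in trusted_hosts}:
                    hits.append((ep_id, url))
    return hits


def render_description(desc):
    """Encode stored text before emitting it inside feed XML or HTML, so a tag
    that reached the database is shown as text instead of being parsed."""
    return html.escape(desc, quote=True)


if __name__ == "__main__":
    db = build_db()
    # The canonical tautology input returns every row from the concatenated
    # query and nothing from the parameterized one.
    probe = "' OR '1'='1"
    print("concatenated query :", lookup_vulnerable(db, probe))
    print("parameterized query:", lookup_safe(db, probe))
    print("audit hits         :", find_injected_scripts(db))
    print("rendered ep3       :", render_description(SAMPLE_ROWS[2][2]))
```

The audit is a detection aid, not a fix: a hit means the row should be restored from a known-good copy and the write path that accepted it traced back to a concatenated query. The allow-list argument exists because many feeds legitimately reference a first-party script host; anything outside it is worth a look.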

From the attacker’s perspective, mass SQL injection attacks are also highly beneficial for blackhat SEO (blackhat search engine optimization), since they hijack both the affected web site’s page rank and the SEO-friendly content that comes with it. Compared with malvertising, mass SQL injection attacks have declined in recent months, which points to a migration towards the shorter but more traffic-intensive windows of opportunity that malvertising offers attackers.

Users are advised to use NoScript, as well as go through the Ultimate Guide to Scareware Protection.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Disclosure

Dancho Danchev

More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile.

Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

Talkback (showing the most recent of 30 comments)

  • This stuff has been going on forever.
    This stuff has been going on forever. When are they actually going to catch the criminals and stick their butts in jail where they belong?
    Stan57, 30th Mar
  • RE: Mass SQL injection attack leads to scareware
    @Stan57

    Many of these people are NOT in the US, e.g.:

    http://www.wired.com/magazine/2011/01/ff_hackerville_romania/

    Having contracted at a large financial institution on the East Coast, fraudulent Electronic Fund Transfers (EFTs) to former Soviet Eastern Bloc countries are "par for the course".

    Many of those countries are a** backward - law enforcement doesn't either care or have the resources or, sadly, principles. And of course US law enforcement agencies have no jurisdiction.

    In addition there's likely a schadenfreude (glee in others' misery) factor, e.g., "Hey, it's the US, 'they' can afford it, they're rich."

    -M
    betelgeuse68, 30th Mar
  • Celebrate
    @betelgeuse68
    Hey, at least we won the Cold War, didn't we? Where is the Soviet Union now? (sarcasm on)
    sissy sue, 31st Mar
  • RE: Mass SQL injection attack leads to scareware
    Those stupid scareware things pop up all the time; I just kill IE and I'm fine. If people would learn the signs (Internet Explorer title bar), scareware wouldn't work.
    nickloss, 30th Mar
  • Just run NoScript on IE9
    Oh that's right! There is no NoScript for IE9, the 'safest', most 'best' browser in the world!!

    :P
    LTV10, 30th Mar
  • Sandboxing is good and NoScript isn't foolproof.
    @LTV10

    Allowing a script in another tab can be used by a sophisticated attack in the cache to the level of the user. I recently had to defend against such an attack in Firefox. In IE protected mode such an attack would have been restricted to the level of the browser.
    Lester Young, 30th Mar
  • RE: Mass SQL injection attack leads to scareware
    Oh wait, this is Microsoft, nothing is secure.
    james347, 31st Mar
  • RE: Mass SQL injection attack leads to scareware
    @james347

    Right because breaches never happen on other platforms... oh wait:

    http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html

    Or this year's pwn2own contest:

    http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

    *All* platforms have flaws, not just Microsoft's. I'm platform agnostic, in the end it's about the right tool for the job. If you think your platform is 100% secure then it's clearly not even turned on.

    -M
    betelgeuse68, 31st Mar
  • RE: Mass SQL injection attack leads to scareware
    @james347 Where in the article does it mention Microsoft products? SQL injections are used to target web applications (PHP sites are notorious for being susceptible to it). This has nothing to do with Microsoft.
    s_southern, 4th Apr
  • RE: Mass SQL injection attack leads to scareware
    Gone are the days when web site attacks were perpetrated by lone hackers solely for a sense of one-upmanship. We are living in an age of industrialised cyber-crime where a large amount of money can be made from well-orchestrated attacks; the internet has become a popular tool for organised criminals.

    However, this is not a new phenomenon, so how is it that the latest 'Lizamoon' attack has revealed many hundreds of thousands of websites still vulnerable to a common attack like SQL injection? The answer lies in the cost-prohibitive nature of high-grade website security. Banks, ecommerce and media sites invest in substantial perimeter security or 'application firewalls' that are very effective at deflecting malicious traffic, but smaller businesses and other organisations where costs need to remain low are unable to foot the bill. Inevitably this means taking a calculated risk with their web presence.

    So what can be done? Fortunately technology continues to evolve, and in recent years there have been two developments that might hold the key to long-term web integrity. The first is cloud computing, a very popular topic, but a concept that allows organisations to consume technology as a utility. Many providers already offer tariffs that include application firewalling. This allows smaller businesses to run their websites in the cloud and subscribe to a security service. This replaces the need to make a substantial up-front investment in hardware they have to install and manage themselves.

    The second development has been virtualisation, where expensive servers that were once dedicated to specific tasks can be combined and consolidated into a shared platform, significantly reducing the cost of computing. Many security technologies have recently become available as virtualised workloads that can now be run on relatively inexpensive hardware, and this includes the ability to protect the use of SQL in a data stream.

    It's time to wake up to the very real threat of cyber-crime.
    Damian Saunders, Citrix, 1st Apr
