Mass SQL injection attack leads to scareware

Summary: Security researchers from WebSense have detected a mass SQL injection attack, which the cybercriminals monetize through scareware, also known as fake security software.

Security researchers from WebSense have detected a mass SQL injection attack (hxxp://lizamoon.com; 58,300 affected pages), which the cybercriminals monetize through scareware, also known as fake security software. The attack has also affected several iTunes web pages.

UPDATED: Additional information regarding the campaign is available: Dissecting the Massive SQL Injection Attack Serving Scareware.

More details:

The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.
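The behaviour described above can be checked on the defender's side. The following is an added example, not code from WebSense or from this article: it scans the text fields of a feed for script tags that load from hosts outside an allow-list, and shows the output encoding that stops such a tag from executing. The feed, the host names and the function names are constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed: the second item title carries an injected script
# tag, entity-escaped in the XML the way a database-backed feed would emit it.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example Podcast</title>
<link>http://podcast.example/</link>
<item><title>Episode 1</title></item>
<item><title>Episode 2&lt;/title&gt;&lt;script src=http://injected.example/x.js&gt;&lt;/script&gt;</title></item>
</channel></rss>"""

# Matches <script ... src=URL> with or without quotes around the URL.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_injected_scripts(feed_xml, trusted_hosts):
    """Return (element tag, host) for each text field with an off-site <script src>."""
    findings = []
    for elem in ET.fromstring(feed_xml).iter():
        for src in SCRIPT_SRC.findall(elem.text or ""):
            host = urlparse(src).hostname or ""
            if host not in trusted_hosts:
                findings.append((elem.tag, host))
    return findings


def render_title(text):
    """Output-encode feed text before placing it in an HTML page."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Detection: the injected tag is reported with the host it loads from.
    print(find_injected_scripts(SAMPLE_FEED, {"podcast.example"}))
    # Mitigation: once encoded, the tag is displayed as text and never runs.
    titles = [t.text for t in ET.fromstring(SAMPLE_FEED).iter("title")]
    print(render_title(titles[-1]))
```
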

For the attacker, mass SQL injection attacks are highly beneficial from a blackhat SEO (blackhat search engine optimization) perspective, as they hijack both the affected web site's page rank and the SEO-friendly content that comes with it. Compared to malvertising attacks, mass SQL injection attacks have declined in recent months, indicating a migration towards malvertising, which gives malicious attackers shorter but more traffic-intensive windows of opportunity.

Users are advised to use NoScript, as well as go through the Ultimate Guide to Scareware Protection.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

19 comments
  • This stuff has been going on forever.

    This stuff has been going on forever. When are they actually going to catch the criminals and stick their butts in jail where they belong?
    Stan57
    • RE: Mass SQL injection attack leads to scareware

      @Stan57

      Many of these people are NOT in the US, e.g.:

      http://www.wired.com/magazine/2011/01/ff_hackerville_romania/

      Having contracted at a large financial institution on the East Coast, fraudulent Electronic Fund Transfers (EFTs) to former Soviet Eastern Block countries are "par for the course".

      Many of those countries are a** backward - law enforcement doesn't either care or have the resources or sadly, principles. And of course US law enforcement agencies have no jurisdiction.

      In addition there's likely a schadenfreude (glee in others' misery) factor, e.g., "Hey, it's the US, 'they' can afford it, they're rich."

      -M
      betelgeuse68
      • Celebrate

        @betelgeuse68
        Hey, at least we won the Cold War, didn't we? Where is the Soviet Union now? (sarcasm on)
        sissy sue
    • RE: Mass SQL injection attack leads to scareware

      @Stan57
      Yea, This stuff has been going on forever...thanks!
      arbarbara
    • RE: Mass SQL injection attack leads to scareware

      @Stan57

      "Security researchers from WebSense have detected a mass SQL injection attack, which the cybercriminals monetize through scareware, also known as fake security software."
      This is a big issue, really! I've been attacked myself by it a couple of times.
      SQL injections are used to hack massive multiplayer games such as WoW and Silkroad Online as well. It has been an issue for years now!
      runeklan
  • RE: Mass SQL injection attack leads to scareware

    Those stupid scareware things pop up all the time, I just kill IE and I'm fine. If people would learn the signs (Internet Explorer title bar) scareware wouldn't work.
    nickloss
  • Just run NoScript on IE9

    Oh that's right! There is no NoScript for IE9, the 'safest', most 'best' browser in the world!!

    :P
    LTV10
    • Sandboxing is good and noscript isn't foolproof.

      @LTV10

      Allowing a script in another tab can be used by a sophisticated attack in the cache to the level of the user. I recently had to defend against such an attack in Firefox. In IE protected mode such an attack would have been restricted to the level of the browser.
      Lester Young
  • RE: Mass SQL injection attack leads to scareware

    Oh wait, this is Microsoft, nothing is secure.
    james347
    • RE: Mass SQL injection attack leads to scareware

      @james347

      Right because breaches never happen on other platforms... oh wait:

      http://techie-buzz.com/tech-news/mysql-com-database-compromised-sql-injection.html

      Or this year's pwn2own contest:

      http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

      *All* platforms have flaws, not just Microsoft's. I'm platform agnostic, in the end it's about the right tool for the job. If you think your platform is 100% secure then it's clearly not even turned on.

      -M
      betelgeuse68
    • RE: Mass SQL injection attack leads to scareware

      @james347 Where in the article does it mention Microsoft products? SQL injections are used to target web applications (PHP sites are notorious for being susceptible to it). This has nothing to do with Microsoft.
      s_southern
    • RE: Mass SQL injection attack leads to scareware

      @james347
      yea, this is Microsoft, nothing is secure. Thanks !
      relaxarrel
  • RE: Mass SQL injection attack leads to scareware

    Gone are the days when web site attacks were perpetrated by lone hackers solely for a sense of one-upmanship. We are living in an age of industrialised cyber-crime where a large amount of money can be made from well-orchestrated attacks; the internet has become a popular tool for organised criminals.

    However, this is not a new phenomenon, so how is it that the latest "Lizamoon" attack has revealed many hundreds of thousands of websites still vulnerable to a common attack like SQL injection? The answer lies in the cost-prohibitive nature of high-grade website security. Banks, ecommerce and media sites invest in substantial perimeter security or "application firewalls" that are very effective at deflecting malicious traffic - but smaller businesses and other organisations where costs need to remain low are unable to foot the bill. Inevitably this means taking a calculated risk with their web presence.

    So what can be done? Fortunately technology continues to evolve, and in recent years there have been two developments that might hold the key to long-term web integrity. The first is cloud computing, a very popular topic, but a concept that allows organisations to consume technology as a utility. Many providers already offer tariffs that include application firewalling. This allows smaller businesses to run their websites in the cloud and subscribe to a security service. This replaces the need to make a substantial up-front investment in hardware they have to install and manage themselves.

    The second development has been virtualisation, where expensive servers that were once dedicated to specific tasks can be combined and consolidated into a shared platform, significantly reducing the cost of computing. Many security technologies have recently become available as virtualised workloads that can now be run on relatively inexpensive hardware - and this includes the ability to protect the use of SQL in a data stream.

    It's time to wake up to the very real threat of cyber-crime.
    Damian Saunders, Citrix
  • RE: Mass SQL injection attack leads to scareware

    Of course, it's MS.
    james347
  • Security Tools

    When sensitive information is transmitted outside of trusted systems, it should be encrypted to preserve confidentiality. An example of this is the information gathered from the credit cards.
    tom.sin