The LizaMoon attack continues to infect thousands of vulnerable websites. While some technical articles have published alarming statistics that over-inflate total infections, this attack continues to spread and users should exercise caution with web search results, Facebook links, or email links.
LizaMoon Mass SQL Injection Attack Escalates Out of Control
LizaMoon – Excellent update and FAQ
QUOTE: The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack.
What’s the deal with the Lizamoon SQL injection?
QUOTE: The script that is loaded from the compromised web pages redirects the user to a malicious site. Ultimately, the attack is intended to infect users with fake AV (scareware). The distribution sites used typically use the “.cc” (Cocos Islands) or “.in” (India) TLDs. This frightening volume may be a little misleading, since the total is inflated by occurrences of the following HTML within the compromised web pages. As you can see, the injected code has been escaped in some cases, rendering the injection harmless.