LizaMoon - a Mass-Injection Cyberattack

Hundreds of thousands -- and possibly millions -- of websites have been hit with a cyberattack that some are calling "one of the biggest mass-injection attacks we've ever seen."

A huge SQL-Injection Attack is happening right now.

What has happened?

LizaMoon is a SQL injection attack that inserts malicious code on otherwise legitimate sites. It seems the attack uses a vulnerability in a common web application but it is so far unknown which. Security analysts are currently reviewing the attack. The vulnerability might be restricted to Microsoft MSSQL Server, but it is unlikely that it is a vulnerability in Microsofts MSSQL Server itself. Everything points to that this is a vulnerability in a web application. One of the first domains seen involved in this attack was called lizamoon.com.

Microsoft is aware of reports of an ongoing SQL injection attack. Our investigation has determined these sites were exploited using a vulnerability in certain third-party content management systems. This is not a Microsoft vulnerability.

I did not, however, get a hint as to the identity of the “third-party content management system."

What happens?

The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems.

If you visit an injected site you will be redirected to a scareware rouge anti-virus site. What happens if you install this binary you can see in the following video.

How can i check whether my site got hit or not?

Check your URL-Query-Logs for an occurance like this:

How many sites are infected

Recent estimates differ between 500.000 and 5 million sites. Based on a simple Google-Search i found 1.570.000 entries.

More Information