More Than 1 Million URLs Infected with Latest SQL Injection Attack -- Redmondmag.com

More Than 1 Million URLs Infected with Latest SQL Injection Attack

By Chris Paoli
01/05/2012

The "Lilupophilupop" SQL injection campaign has infected 1,070,000 URLs as of last weekend, according to the SANS Internet Storm Center.

This is up substantially from when the SQL attack was first noticed by SANS at the beginning of December -- the security firm only found 80 corrupted URLs. The cause of the quick spread is due to both computer and human input.

"At the moment it looks like it is partially automated and partially manual," wrote Mark Hofman, a SANS Internet Storm Center handler, in a company blog post. "The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period."

According to SANS estimates, Netherlands Web sites (ending in the .NL domain) are the No. 1 victim, with 123,000 infected URLs, with France coming in second with 68,100 hijacked Web site addresses.

However, the more than 1 million sites estimated to be infected may be higher than the reality. According to Mary Landesmann, a ScanSafe security researcher (which is now part of Cisco), the number provided by SANS also may include Web sites discussing the Lilupophilupop attack, due to the fact that the company's data was compiled by performing Google searches.

"As a result, there is always a huge 'increase' [of keyword activity] after an initial public report is made, said Landesmann to Security Dark Reading. "In other words, counting the number of results from a search engine isn’t a good or viable means of measuring the breadth of a compromise."

The Lilupophilupop attack, named after the Web site infected URLs redirect to, is a basic SQL injection that could lead to an attacker gaining access to a user's database of Internet content, including passwords, credit card information and other personal data.

This newest SQL injection incident works in the same fashion as last year's LizaMoon attack, which was responsible for redirecting as many as 1.5 million URLs to a fake and malicious antivirus download.

As with all untrusted Web sites, always use caution and make sure your antivirus is up to date. Hofman also suggests the specific action of checking to see whether a site may have fallen victim to the Lilupophilupop injection attack: "If you want to find out if you have a problem just search for '<script src="http://lilupophilupop.com/' in Google and use the site: parameter to hone in on your domain."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.