Viral Scareware Infects Four Million Websites
oxide7 writes "A fast-spreading SQL injection attack that illegally peddles a bogus scareware has been breaking anti-virus barriers and compromising millions of websites, besides defrauding unsuspecting victims. The news of this attack was brought out by Websense Security Labs in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign which it named LizaMoon."
http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
Anyways, as said before, there are plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.
SQL injections and XSS attacks aren't necessarily related.
XSS attacks require you to push the parameters in the URL itself. If an attacker modifies the SQL, they don't need to change anything, you just visit the site, and they'd change it 'server side' instead. So it's much more dangerous, and there's no real way for the user to avoid it - except of course turning off scripts I would assume. And being careful about links.
Which sites are vulnerable? Is there any more precise information than "outdated CMS and blog systems"?
As others have noted, the original article is much more informative.
First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server, but because the injection seems only to work on a web app that's designed to run this DBMS in the back end. The article authors note that they don't know which application this is, however. This seems a little surprising, given that they should be able to spot the commonality between all the infected sites.
Second, to determine whether your server is affected, just check to see whether your site now has a URL like http://domainname/ur.php. If it does, you're infected. If you run on Linux and Apache, it looks like you're safe from this particular attack.
Crumb's Corollary: Never bring a knife to a bun fight.
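The check described in the comment above can be scripted over saved copies of a site's pages. This is an added example, not part of the original thread or the Websense post. It assumes the indicator appears as a script element whose src path ends in /ur.php on a host other than your own; the host names and sample pages are constructed.

```python
from html import unescape
from html.parser import HTMLParser
from urllib.parse import urlsplit

INDICATOR_PATH = "/ur.php"  # path named in the comment above


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lower-cases tag and attribute names
            self.sources += [v.strip() for n, v in attrs if n == "src" and v]


def script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def find_injected_scripts(html, own_host):
    """Return (form, url) for script URLs with path /ur.php on a foreign host."""
    hits = []
    # Second pass: an application that escapes its output serves the stored
    # tag as text (&lt;script ...&gt;). It does not execute, but it still shows
    # that the database content was modified.
    for form, text in (("live", html), ("escaped", unescape(html))):
        for src in script_sources(text):
            url = urlsplit(src)
            host = (url.hostname or "").lower()
            foreign = bool(host) and host != own_host.lower()
            if foreign and url.path.lower().endswith(INDICATOR_PATH):
                if all(seen != src for _, seen in hits):
                    hits.append((form, src))
    return hits


SAMPLE_PAGES = {  # constructed sample input, not captured data
    "clean.html": '<html><head><script src="/static/app.js"></script></head></html>',
    "live.html": '<head><title>Shop</title><script src=http://injected.example/ur.php></script></head>',
    "escaped.html": '<p>Blue widget&lt;/title&gt;&lt;script src=http://injected.example/ur.php&gt;&lt;/script&gt;</p>',
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, find_injected_scripts(page, own_host="shop.example"))
```

A hit in the "escaped" form means the page did not run the script, but the underlying rows still need to be cleaned and the injection point found.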
Scammers sometimes use "mules", people who are in desperate need of a job and agree to handle payments to "a foreign business that needs a representative in the country". They receive the money and then use something like Western Union to funnel the money to the "business"/scammers in an untraceable way. Money laundering isn't just for drug cartels anymore. If you take a stroll through your spam folder, you'll probably find a few "job offers" like that. Needless to say, this is very illegal and nobody should even consider participating in something like that, no matter how desperate they are. The mules get caught every time.