Internet Hit By Massive LizaMoon SQL Injection Attack; installs rogue Windows Stability Center

Security firm, Web Sense has discovered an SQL Injection attack that directs the user to install rogue security software Windows Stability Center. The number of affected websites at the time of discovery was around 28,000 and as of now more that 500,000 websites have been affected by the attack meaning that the attack is moving at an alarmingly fast pace.

As stated, the attack is based on the SQL injection method, which takes advantage of poorly coded  applications. According to,

In this case, the SQL injection attacks were used to insert malicious code into back end databases,which was then served up to unsuspecting users. The attack was dubbed “LizaMoon” in recognition of a malicious Web domain, registered shortly before the attacks began, that has been used to serve up malicious links. That domain was offline at the time this report was filed, but a handful of other Web domains are mirroring the attack.

Users who click on a link to a Web site that has been compromised and injected with the malicious code, a PHP file is pushed to the user’s computer that redirects the browser to a Web site that installs rogue antivirus software known as Windows Stability Center.

This video explains how the attack works.

States  Web Sense:

The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to according to preliminary Google Search results.

We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.

A lot of iTunes related sites were also affected by the attack, but as the script tags are encoded, they cannot be executed.

So if you visit a site and get redirected to a security software site,there are chances that the site you accessed has been compromised. What you can do to protect yourselves is close the website window and scan you PC with a reputed antivirus solution such as the Microsoft Security Essentials.

Posted by on , in Category Security with Tags
Currently pursuing Bachelors in Electronics, the author Nithin Ramesh is a technology blogger. Apart from technology his other interests include cricket and rock music.