Websense Security Labs discovered a mass-injection campaign infecting more than 28,000 URLs, including a few Apple iTunes URLs that redirect users to a rogue AV site
Attackers
have launched a large-scale SQL injection attack that has compromised several
thousand legitimate Websites, including a few catalog pages from Apple's iTunes
music store.
Websense
Security Labs and the Websense Threatseeker Network discovered the
mass-injection campaign that compromised over 28,000 URLs, including several
iTunes URLs, according to Patrik Runald, a senior manager of security research
at Websense Security Labs, who posted an alert on the Security
Labs blog. The mass-injection attack has been named LizaMoon after the
domain hosting the attack code.
Unlike
the recent SQL injection attack that affected MySQL.com
and Sun.com,
this mass injection is a SQL injection attack against a large volume of
legitimate sites. The LizaMoon attack inserts a line of code referencing a PHP
script that redirects users to another malware site.
There
can be many SQL injection attacks going on at any given time, but a mass injection
refers to a large number of sites being affected at once from a single source.
Websense
Security Labs research shows that close to 80 percent of malicious Websites are
legitimate sites that have been infected. "Sadly, these recent attacks are
more examples of this ongoing wave," Runald said in an email to eWEEK.
In
the case of iTunes, the attack focused on catalog pages displaying podcast
information and the list of available episodes, which is downloaded from the
publisher's RSS/XML feeds. Websense believes the feeds have been compromised
with injected code, which is why the attack code was appearing on the iTunes
pages. However, because iTunes encodes the script tags, users are protected
from the attack because the script can't execute, according to Runald. "Good
job, Apple," he wrote.
Websense
recently reported malicious ads being served up by a third-party ad network on
the free version of
the Spotify streaming music service. Spotify removed all ads during the
investigation, but turned them back on March 28.
"What
we see with the recent Spotify malicious ads and the inclusion of a
few iTunes URLs in this recent malicious campaign is that the bad guys are
continuing their attempts to attack where the most people are," said Runald.
Attackers know that these sites get a lot of traffic, which increases their
chances of infecting somebody, he said.
The
domain hosting the attack script and the malware site it directs to are both
unavailable at this time, so users are currently safe, Runald said. "That
could change at any time," as the links are already embedded on the pages
and waiting for victims to come along, warned Runald. The PHP file appears to
be a simple JavaScript code that redirects users to a well-known fake antivirus
site.
The
LizaMoon domain was registered on March 25. A screenshot from Websense shows
clearly fake information in the WHOIS details, such as having a street address
of "fylyiliyl" and a phone address of "5686865868." A
second check on WHOIS at the end of the day March 29 showed updated
information, with the domain being registered to an address in Plainview,
N.Y., and the phone number listed as a
legitimate landline.
It
isn't clear at this time whether the updated registration information was an
unsuspecting victim or the actual miscreant, although one would assume that an
attacker would be a little smarter than that.
Email
Print
