LizaMoon Mass SQL Injection Attack Points to Rogue AV Site

Websense Security Labs discovered a mass-injection campaign infecting more than 28,000 URLs, including a few Apple iTunes URLs that redirect users to a rogue AV site

Attackers have launched a large-scale SQL injection attack that has compromised several thousand legitimate Websites, including a few catalog pages from Apple's iTunes music store.

Websense Security Labs and the Websense Threatseeker Network discovered the mass-injection campaign that compromised over 28,000 URLs, including several iTunes URLs, according to Patrik Runald, a senior manager of security research at Websense Security Labs, who posted an alert on the Security Labs blog. The mass-injection attack has been named LizaMoon after the domain hosting the attack code.

Unlike the recent SQL injection attack that affected and, this mass injection is a SQL injection attack against a large volume of legitimate sites. The LizaMoon attack inserts a line of code referencing a PHP script that redirects users to another malware site.

There can be many SQL injection attacks going on at any given time, but a mass injection refers to a large number of sites being affected at once from a single source.

Websense Security Labs research shows that close to 80 percent of malicious Websites are legitimate sites that have been infected. "Sadly, these recent attacks are more examples of this ongoing wave," Runald said in an email to eWEEK.

In the case of iTunes, the attack focused on catalog pages displaying podcast information and the list of available episodes, which is downloaded from the publisher's RSS/XML feeds. Websense believes the feeds have been compromised with injected code, which is why the attack code was appearing on the iTunes pages. However, because iTunes encodes the script tags, users are protected from the attack because the script can't execute, according to Runald. "Good job, Apple," he wrote.

Websense recently reported malicious ads being served up by a third-party ad network on the free version of the Spotify streaming music service. Spotify removed all ads during the investigation, but turned them back on March 28.

"What we see with the recent Spotify malicious ads and the inclusion of a few iTunes URLs in this recent malicious campaign is that the bad guys are continuing their attempts to attack where the most people are," said Runald. Attackers know that these sites get a lot of traffic, which increases their chances of infecting somebody, he said.

The domain hosting the attack script and the malware site it directs to are both unavailable at this time, so users are currently safe, Runald said. "That could change at any time," as the links are already embedded on the pages and waiting for victims to come along, warned Runald. The PHP file appears to be a simple JavaScript code that redirects users to a well-known fake antivirus site.

The LizaMoon domain was registered on March 25. A screenshot from Websense shows clearly fake information in the WHOIS details, such as having a street address of "fylyiliyl" and a phone address of "5686865868." A second check on WHOIS at the end of the day March 29 showed updated information, with the domain being registered to an address in Plainview, N.Y., and the phone number listed as a legitimate landline.

It isn't clear at this time whether the updated registration information was an unsuspecting victim or the actual miscreant, although one would assume that an attacker would be a little smarter than that.