Web Security

Lessons Learned From the LizaMoon SQL Injection Attack

By Alex Rothacker

Last week, a large-scale SQL injection attack dubbed LizaMoon, after one of the domain names used in the attack, surfaced. The attack targets websites by injecting code that redirects visitors to a rogue anti-virus (AV) site. Once on the AV site, visitors are shown fake antivirus screens and popups and are prompted to download fake software that pretends to scan the computer and then asks the user to pay for a license to remove the alleged infection.

There’s a grand tradition in the security community of clever, cerebral and sometimes downright inane April Fool’s pranks. They often take the form of fake news stories about viruses, world-ending attacks or something involving Bruce Schneier and Chuck Norris. But the security world is bizarre enough on its own without any help, so we’ve collected some of the stranger, scarier and more entertaining true stories of recent times that we wish had been April Fool’s jokes.

Terry Coffey of Anchorage, Alaska, said that he first became aware of a problem with his iTunes account when he received a receipt for a $50 iTunes gift card purchase. Coffey, who says he is careful with his money, was immediately suspicious and investigated the charge, but could not find any record of it on any of his credit card statements. A closer look at his iTunes account revealed why: unknown assailants had seized control of his account and modified the credit card information associated with it. A different credit card number had been listed, and Coffey's address had been changed from Anchorage to a city in Tennessee. The fraudulent credit card account was used to purchase the gift card as well as a single iTunes song, Coffey said.

In the more than nine years since Bill Gates’s Trustworthy Computing email kicked off Microsoft’s comprehensive, company-wide security initiative, the company has not only committed a tremendous amount of money and resources to the project but also has been quite open and public about the process. This week, Microsoft released its first major report on the progress and changes in the Security Development Lifecycle program, detailing not only its progress but also the things that still need to be improved.
