At any given time, there are probably dozens of somewhat serious SQL injection attacks going on in various portions of the Internet. But many of them never get noticed by most people, either because they’re not widespread enough or they’re not hitting high-profile targets. There’s one that’s been ongoing for several weeks now that has hit a threshold that commands some attention: more than a million infected URLs.
The attack was first identified and disclosed by researchers at the SANS Internet Storm Center back in early December, and at the time there were only a few thousand infected pages. The attacks seemed to be targeting sites with backends running on IIS, ASP or Microsoft SQL Server, and there were some indications that the attackers had been doing reconnaissance on the infected sites for some time before the actual attack took place. The attack, which included a script that redirected users to a url at lilupophilupop.com, was similar to some other mass SQL injection attacks that have surfaced in recent years.
“Sources of the attack vary, it is automated and spreading fairly rapidly. The trail of the files ends up on “adobeflash page” or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected,” Mark Hofman of the SANS ISC wrote in the initial analysis of the attack.
The goal of the attack, like many others, seems to be to drive victims to a site that’s peddling fake AV or scareware. That’s where the monetization portion of the scheme comes in, with the attackers trying to lure victims into paying a license fee for a fake AV program they not only don’t need but that will likely cause other problems on their machines, as well.
Hofman said in a new analysis of the lilupophilupop SQL injection attack that the number of infected URLs is now more than one million, although there may be some duplicates included in that number. But, it’s not necessarily the raw number of infected URLs that’s most important in these attacks, but rather which sites are infected and where those pages live. Hofman’s analysis shows that the sites infected with the lilupophilupop code are all over the map, with tens of thousands of compromised pages in the U.K., the Netherlands, Germany, France and Denmark.
Large-scale SQL injection attacks have become a common method of compromise for attackers looking to find large numbers of victims with relatively little effort. Well-known attacks such as LizaMoon and another targeting IIS installations in 2010 have claimed huge numbers of compromised sites.