Tens of thousands of web sites affected in ongoing mass SQL injection attack

Tens of thousands of web sites affected in ongoing mass SQL injection attack

by | Mar 26, 2012 | Industry Intel, Threat Lab

Reading Time: ~ 2 min.

Hundreds of thousands of legitimate web sites are currently affected in a a mass SQL injection attack that has been ongoing for the past several months. The ongoing mass SQL injection attacks, are directly related to last year’s scareware-serving Lizamoon mass SQL injection attacks.

The cybercriminals behind it, are automatically exploiting the legitimate web sites, and embedding a tiny script on the affected pages, abusing an input validation flaw, or exploiting vulnerable and outdated versions of the web application software running on them.

More details:

The campaign is currently consisting of 5 SQL injected domains parked on a single IP hosted within the Russian Federation.

Parked at 91.226.78.148 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”) are the following domains participating in the mass SQL injection attack:

  • hjfghj.com/r.php – According to Google, 323,000 sites are affected
  • fgthyj.com/r.php – According to Google, 390,000 sites are affected
  • gbfhju.com/r.php – According to Google, 74,200 sites are affected
  • statsmy.com/ur.php – According to Google, 3,080,000 sites are affected
  • stmyst.com/ur.php – According to Google, 1,320,000 sites are affected
All of these domains have been registered by the same cybercriminal/gang, using identical WHOIS records:

JamesNorthone
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

Thankfully, all of these domains are currently returning a “404 Not Found” error message, with the cybercriminals behind the campaign, attempting to cover their tracks.

What’s particularly interesting about this campaign, is the fact that the same cybercriminals behind the most recent attacks, have been pretty active throughout 2011, having launched several more mass SQL injection attacks, whose injected domains have been registered with the same email as the currently injected domains – jamesnorthone@hotmailbox.com

In 2011’s Lizamoon mass SQL injection attacks, the same gang that’s behind the ongoing attacks, was monetizing the hijacked traffic by serving fake security software, also known as scareware to Web users.

See:

Analyzing the AS56697, asynchronous network, that’s suspiciously using a Gmail account for contact — sdelanocompletservice@gmail.com — we seen several other currently active malware campaigns hosted within the same AS.
Webroot’s security researchers will continue monitoring these ongoing mass SQL injection attacks, to ensure that Webroot SecureAnywhere customers are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

1 Comment

  1. drat2000
    drat2000 on May 8, 2012 at 1:54 pm

    Well another scary projects from Lizamoon..

Trackbacks/Pingbacks

  1. Thousands of Websites Hit by Ongoing Mass SQL Injection Attack | Technology News, Computer Security - Hyphenet Blog - [...] researchers at Webroot warn that another massive SQL injection attack is currently underway and that hundreds of thousands of…
  2. 100.000-en websites gehackt via SQL-aanval | Tech-nieuws - [...] is opgemerkt en geanalyseerd door beveiligingsbedrijf WebRoot. Security-expert Dancho Danchev blogt dat de huidige oorsprong van deze geautomatiseerde infectiecampagne…
  3. French gaming site serving ZeuS crimeware for over 8 weeks | ZDNet - [...] surprisingly, hundreds of  thousands of legitimate web sites remain susceptible to remote exploitation, which on the majority of occasions…
  4. French gaming site serving ZeuS crimeware for over 8 weeks « onetimecode - [...] surprisingly, hundreds of thousands of legitimate web sites remain susceptible to remote exploitation, which on the majority of occasions…
  5. Infections At Medical Device Firm Lasted For Months | CurtisSimms.com - [...] LizaMoon attacks date to March of 2011 and affected more than a million Web sites with malicious links to…
  6. Webroot’s Threat Blog Most Popular Posts for 2012 « Webroot Threat Blog – Internet Security Threat Updates from Around the World - [...] Tens of thousands of websites affected in ongoing mass SQL injection attack – With hundreds of thousands of websites…
  7. Infections At Medical Device Firm Lasted For Months | Threatpost - [...] LizaMoon attacks date to March of 2011 and affected more than a million Web sites with malicious links to…
  8. Thousands of Websites Hit by Ongoing Mass SQL Injection Attack - […] researchers at Webroot warn that another massive SQL injection attack is currently underway and that hundreds of thousands of…
Share This