Serious SQL injection attacks occur all the time, but they often don’t get noticed because they are either not widespread enough or they’re not hitting high-profile targets. There’s one that has infected over one million URLs.
The attack was first identified and disclosed by researchers at the SANS Internet Storm Center back in early December, and at the time there were only a few thousand infected pages.
The attacks seemed to be targeting sites with backends running on IIS, ASP or Microsoft SQL Server, and there were some indications the attackers had been doing reconnaissance on the infected sites for some time before the actual attack took place. The attack, which injected a script that redirected users to a URL at lilupophilupop.com, was similar to other mass SQL injection attacks that have surfaced in recent years.
“Sources of the attack vary, it is automated and spreading fairly rapidly. The trail of the files ends up on “adobeflash page” or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected,” said Mark Hofman of the SANS ISC on the initial analysis of the attack.
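A defender-side check in the spirit of Hofman's blocking advice, added here as an example and not code from the original report or the SANS analysis: it extracts the external script sources from a page's HTML and flags any that point at the lilupophilupop.com host (or a subdomain of it). The sample page and the script path in it are constructed, since the report does not reproduce the injected tag.

```python
import re
from urllib.parse import urlparse

# Blocklist: the redirect host named in the SANS ISC analysis.
BLOCKED_HOSTS = {"lilupophilupop.com"}

# Matches a <script> tag with a src attribute (quoted or unquoted, any case).
_SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def external_script_hosts(html):
    """Return the set of hostnames from which a page loads external scripts."""
    hosts = set()
    for m in _SCRIPT_SRC.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        # Protocol-relative sources (//host/x.js) need a scheme for urlparse.
        if src.startswith("//"):
            src = "http:" + src
        host = urlparse(src).hostname
        if host:  # relative paths such as /static/site.js have no host
            hosts.add(host.lower().rstrip("."))
    return hosts


def find_blocked_scripts(html, blocked=BLOCKED_HOSTS):
    """Return script-source hosts in html that match the blocklist.

    A subdomain of a blocked host (www.lilupophilupop.com) counts as a match.
    """
    found = set()
    for host in external_script_hosts(html):
        if any(host == bad or host.endswith("." + bad) for bad in blocked):
            found.add(host)
    return found


# Constructed sample: a page whose database-backed description text was
# injected with a script tag (the script path is made up for this example).
SAMPLE_PAGE = """<html><body>
<h1>Widget</h1><p>Great widget.</p>
<script type="text/javascript" src="/static/site.js"></script>
<div>Description: sturdy<script src="http://lilupophilupop.com/sl.php"></script></div>
</body></html>"""

if __name__ == "__main__":
    print("blocked script hosts:", sorted(find_blocked_scripts(SAMPLE_PAGE)))
```

Running the same check over the text columns of the site's database, not just rendered pages, finds the injected tag at its source rather than where it is displayed.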
The goal of the attack, like many others, seems to be to drive victims to a site that’s peddling fake AV or scareware. That’s where the monetization portion of the scheme comes in, with the attackers trying to lure victims into paying a license fee for a fake AV program they not only don’t need but that will likely cause other problems on their machines, as well.
Hofman said in a new analysis of the lilupophilupop SQL injection attack that the number of infected URLs is now more than one million, although that count may include some duplicates. But it’s not necessarily the raw number of infected URLs that matters most in these attacks; what matters is which sites suffer from the infection and where those pages live. Hofman’s analysis shows the sites infected with the lilupophilupop code are all over the map, with tens of thousands of compromised pages in the UK, the Netherlands, Germany, France and Denmark.
Large-scale SQL injection attacks have become a common method of compromise for attackers looking to find large numbers of victims with relatively little effort. Well-known attacks such as LizaMoon and another targeting IIS installations in 2010 claimed huge numbers of compromised sites.