Record-Breaking Web Hijack Compromises 4M Pages
Posted: Tue Apr 05, 2011 7:08 pm
In taking advantage of a security loophole, hackers have hijacked as many as four million website pages over the past week. It's thought to be the biggest attack of its type, ever.
The attacks have been dubbed LizaMoon, named after the first destination to which visitors of hijacked sites were redirected.
The hijack campaign has proven to be incredibly successful: on the first day, security firm Websense estimated 28,000 web sites were affected, but within three days that figure had risen to 500,000. Two days later, the number of affected pages was estimated to be as high as three or four million. (Source: ibtimes.com)
SQL Injection Attack Used to Compromise Web Pages
The tactics used in the attack were straightforward.
An SQL injection attack was used by hackers to target web sites that rely on SQL databases to serve up web pages. Once a site was compromised, malicious links were inserted into web pages which then linked to scareware. The web pages in turn were downloaded automatically to any user that visited the page.
When a visiting user clicked on a malicious link, a screen appeared and claimed that the visitor's computer was infected with malicious software, such as a virus. It then offered to sell what is billed as security software, but is in fact fake security software.
Not only is this software almost always bogus, but it almost always means the criminals can get hold of users' credit card details.
Attack Based on Sophisticated Design
This particular hack appears to be relatively sophisticated.
For example, online shopping sites like Amazon.com have thousands of items listed in their database which is searchable online.
An SQL injection involves taking advantage of a bug in form fields whereby web sites don't restrict the text a user can input (for example, by limiting it to a particular phrase or demanding a date format).
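The form-field weakness described above, shown beside its fix, as an added example that is not code from any affected site. The product table, function names and the `HOSTILE` input are constructed for illustration; SQLite stands in for whatever SQL database a site uses.

```python
import re
import sqlite3
from datetime import date

def make_catalogue():
    """Constructed in-memory product table standing in for a shop database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, added TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("red kettle", "2011-03-01", 0),
         ("blue kettle", "2011-03-20", 0),
         ("unreleased toaster", "2011-04-01", 1)],
    )
    return db

def search_vulnerable(db, term):
    # The form text is pasted into the SQL string, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM products WHERE hidden = 0 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term):
    # Placeholder binding: the driver passes the text as a value, never as SQL.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def parse_date_field(text):
    """Accept only YYYY-MM-DD that is also a real calendar date."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", text):
        raise ValueError("date must be YYYY-MM-DD")
    return date.fromisoformat(text)

def added_since(db, text):
    # Validate the format first, then still bind the value as a parameter.
    day = parse_date_field(text)
    sql = "SELECT name FROM products WHERE hidden = 0 AND added >= ?"
    return [row[0] for row in db.execute(sql, (day.isoformat(),))]

# Constructed search text containing a quote and an always-true comparison.
HOSTILE = "x' OR '1%'='1"
```

With the concatenated query the constructed input changes the `WHERE` clause and the hidden row comes back; with the bound parameter the same text is only a search pattern that matches nothing.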
In this case, the SQL attack didn't just link to one of the hackers' sites, but 21 different locations. The good news is that most if not all of these sites have been shut down since the attacks began, limiting the effects of the attack. (Source: bbc.co.uk)
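Because the inserted links pointed at many different locations, a site owner checking for this kind of compromise gets further by listing every external host referenced from stored content than by searching for one known domain. The following is an added example, not a tool from Websense or the article's sources; the table layout, host names and allowlist are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts the site itself is expected to reference (assumption for this example).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# href=... or src=... carrying an absolute or protocol-relative URL.
URL_ATTR = re.compile(
    r"""(?:href|src)\s*=\s*["']?((?:https?:)?//[^"'\s>]+)""", re.I)

def external_hosts(html):
    """Return hosts referenced by href/src attributes that are not allowlisted."""
    found = set()
    for url in URL_ATTR.findall(html):
        host = urlparse(url).hostname  # lower-cased by urlparse
        if host and host not in ALLOWED_HOSTS:
            found.add(host)
    return found

def audit_text_columns(db):
    """Scan every TEXT column; return {(table, column, rowid): hosts}."""
    report = {}
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # Identifiers come from the schema catalogue, not from user input.
        cols = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')
                if r[2].upper() == "TEXT"]
        for col in cols:
            query = f'SELECT rowid, "{col}" FROM "{table}"'
            for rowid, value in db.execute(query):
                hosts = external_hosts(value) if isinstance(value, str) else set()
                if hosts:
                    report[(table, col, rowid)] = hosts
    return report

def make_site_db():
    """Constructed sample content: one clean row, two with foreign references."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)", [
        ("Home", '<p>Hi</p><img src="https://cdn.shop.example/logo.png">'),
        ("Kettles", 'Red<script src="http://redirect-one.example/a.js"></script>'),
        ("Contact", '<a href="/contact">Us</a> <a href=//redirect-two.example/x>x</a>'),
    ])
    return db
```

Each reported row identifies where cleanup is needed; the union of the reported hosts is the set to review or block at the proxy.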
Only Small-Medium Web Sites Targeted
It's also notable that the sites coming under attack aren't those of major organizations, such as government agencies or large businesses.
Instead, the websites which were compromised in the attack were smaller businesses and groups, meaning the sites were big enough that it's efficient to target their audience, but small enough that the security defenses -- and the speed at which site owners can deal with the problem -- are much more limited.
Web users should be aware that the security issues with SQL attacks have more to do with insecure websites, and not so much the security of users' PCs.
While there aren't any specific technical measures online users should take to avoid an SQL attack (since the attack has to do with a remotely infected web server), all users should be particularly wary about any unexpected messages that appear on their screen, especially those purporting to "fix" an infection.