LizaMoon Pay-Up Scareware Spreads To 500,000 Sites
By Mark Long / NewsFactor Network
Websense Security Labs has updated its Tuesday alert concerning a malicious mass-injection scareware campaign it has dubbed LizaMoon -- an SQL injection attack that adds a line of JavaScript code to web pages that redirects users to a bogus web page that rotates on a periodic basis. Based on Google search results Thursday, more than 500,000 URLs had a script link to, which has since been changed, Websense said.

Though search results aren't always great indicators of the scope of an attack -- Google search lists each unique URL rather than each domain or site -- they do provide some indication of the scope of the problem when the numbers go up or down, Websense observed.

"We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought," Websense security analysts wrote in a blog Thursday. "All in all, a Google search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack."

Bogus Malware Reports

A user who visits a web page with the injected code is redirected to a bogus Internet site. "Just like most other scareware and rogue AV sites, it shows a pop-up warning saying that your security is at risk and that you have malware and other security issues," said a Websense spokesperson. "And when you click OK, it displays a scanning tool that looks like it's going through the hard drive and finding all sorts of malware, but it's all fake, of course."

Users who click "remove all" to fix their fake problems end up downloading an executable rogue AV to their machines. Then when the unsuspecting user starts the rogue tool, it kills whatever program is currently running.

Nothing else happens until the user tries to start the legitimate program again, at which point the scareware displays a fake Trojan alert. If the user then clicks "remove," the rogue AV escalates to the next stage by prompting the user to install the full-blown scareware app.

This second-stage software, which displays the bogus name Windows Stability Center, warns that there are lots of problems on the user's PC. "To fix them you have to pay for the full version of the app," Websense explained.

Antivirus Engines Still Vulnerable

Though the LizaMoon threat is global, Websense reported nearly half the traffic to the scareware's bogus web sites is coming from U.S. Internet users. Other nations where a considerable number of PC users are falling prey to LizaMoon include Canada (9.23 percent), Italy (8.89 percent), Brazil (7.92 percent) and the United Kingdom (7.92 percent).

Websense said there really hasn't been anything this big before and the threat isn't expected to go away anytime soon. The problem is that only 17 out of 43 of the currently available antivirus engines -- from Kaspersky, Microsoft, Sophos, Symantec, Trend Micro, VIPRE and others -- were able to detect the LizaMoon rogue AV as of Friday afternoon, according to web-security firm VirusTotal.

Websense said it's still analyzing the scareware to see how it infects web pages. However, the security firm's researchers suspect that the attack has gained such widespread traction because it has been able to exploit "vulnerabilities in the web systems used by these sites, such as outdated CMS and blog systems."

Tell Us What You Think


Posted: 2011-04-01 @ 2:20pm PT
It's not SQL injection if it's inserting JavaScript into a web URL.

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.