The state of website security has been steadily improving over the last few months. Website owners and administrators are beginning to wake up to the fact that malicious hackers can use legitimate, benign, websites to spread malware on the Internet. However, there is along way to go.
Just recently we have seen a spike in the number of incidents associated with LizaMoon infections we documented a while back. We have recorded approximately 6.3 million websites infected by malware as part of this SQL injection attack.
Read about LizaMoon in our first report: LizaMoon Hack: Mass SQL Injection
What links are injected?
Some of the most popular pieces of malware are being injected as scripts.
Samples are listed below:
src=hxxp://bookvoxy.com/ur.php src=hxxp://online-stats201.info/ur.php src=hxxp://vcvsta.com/ur.php src=hxxp://asweds.com/ur.php
Additional samples closely associated with the LizaMoon infection:
hxxp://multi-stats.info/ur.php hxxp://alisa-carter.com/ur.php hxxp://google-stats50.info/ur.php hxxp://tadygus.com/ur.php hxxp://google-stats49.info/ur.php hxxp://google-stats50.info/ur.php hxxp://milapop.com/ur.php hxxp://pop-stats.info/ur.php hxxp://sol-stats.info/ur.php hxxp://worid-of-books.com/ur.php hxxp://google-server12.info/ur.php hxxp://online-guest.info/ur.php hxxp://google-stats48.info/ur.php hxxp://general-st.info/ur.php hxxp://stats-master111.info/ur.php
Which sites are aiding the attack?
This blog entry (thanks, Dynamoo!) confirms our findings that these links are not only used in the distribution of malware but also in SEO poisoning campaigns.
Below is a list of sites used to spread the fraudulent SEO campaign as well as distribute malware.
bookmono.com bookmylo.com bookaros.com bookarra.com booknunu.com bookavio.com bookgusa.com bookmonn.com bookpolo.com bookdolo.com bookfula.com booksoco.com bookvoxy.com booksolo.com booktuba.com bookvila.com bookvivi.com booksgou.com
Who owns these malicious sites?
The registrant for these fake sites is a common entity:
James Northone (email@example.com) +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview, NY 1180 USA
How do I protect my site?
Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the cause of the SQL injection that allowed the site to be compromised.
StopTheHacker.com customers are protected against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.
Till next time…