Tens of thousands of web sites affected in ongoing mass SQL injection attack

Updated on: 2012-03-27 || Source: blog.webroot.com

Hundreds of thousands of legitimate web sites are currently affected in a a mass SQL injection attack that has been ongoing for the past several months. The ongoing mass SQL injection attacks, are directly related to last year’s scareware-serving Lizamoon mass SQL injection attacks.

The cybercriminals behind it, are automatically exploiting the legitimate web sites, and embedding a tiny script on the affected pages, abusing an input validation flaw, or exploiting vulnerable and outdated versions of the web application software running on them.

More details:

The campaign is currently consisting of 5 SQL injected domains parked on a single IP hosted within the Russian Federation.

Parked at (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”) are the following domains participating in the mass SQL injection attack:

  • hjfghj.com/r.php – According to Google, 323,000 sites are affected
  • fgthyj.com/r.php – According to Google, 390,000 sites are affected
  • gbfhju.com/r.php – According to Google, 74,200 sites are affected
  • statsmy.com/ur.php – According to Google, 3,080,000 sites are affected
  • stmyst.com/ur.php – According to Google, 1,320,000 sites are affected
All of these domains have been registered by the same cybercriminal/gang, using identical WHOIS records:

James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803

Thankfully, all of these domains are currently returning a “404 Not Found” error message, with the cybercriminals behind the campaign, attempting to cover their tracks.

What’s particularly interesting about this campaign, is the fact that the same cybercriminals behind the most recent attacks, have been pretty active throughout 2011, having launched several more mass SQL injection attacks, whose injected domains have been registered with the same email as the currently injected domains - jamesnorthone@hotmailbox.com

In 2011′s Lizamoon mass SQL injection attacks, the same gang that’s behind the ongoing attacks, was monetizing the hijacked traffic by serving fake security software, also known as scareware to Web users.


Analyzing the AS56697, asynchronous network, that’s suspiciously using a Gmail account for contact – sdelanocompletservice@gmail.com — we seen several other currently active malware campaigns hosted within the same AS.
Webroot’s security researchers will continue monitoring these ongoing mass SQL injection attacks, to ensure that Webroot SecureAnywhere customers are protected from this threat.


Blackphone 2 'privacy' Android handset revamped
Security firm Silent Circle has revamped its smartphone that helps people manage personal data.
Chinese smartphones mount massive web attack
More than 650,000 Chinese smartphones have been unwittingly enrolled in a massive attack that overwhelmed a web
Hilton investigates hack claims
The Hilton hotel group has said it is investigating claims its US shops and gift stores may be the source of
Twitter website 'blocked' in Turkey
Twitter users in Turkey report that the social media site has been blocked in the country.


Sign up to received our free newsletter!
E-mail ID:


Views: 5115 Times
10 obscure Word tricks that can expedite common chores READ MORE
Views: 2978 Times
Google Apps Gets ISO 27001 Security Certification READ MORE
Views: 2927 Times
Facebook, Zuckerberg sued over IPO READ MORE
Views: 5475 Times
Top 10 Tips to protect yourself against computer viruses READ MORE
Views: 7411 Times
Learn HTML - Lesson 3 READ MORE

Home|IT News|Computer Tips|Video Tutorials|Download Softwares|Subjects|Contact Us
Copyright © 2018. Jumbo Education (Information Technology). All rights reserved.
Free counter and web stats

Large Visitor Globe