Lizamoon Attack: Over 1 Million Websites Infected, Display Fake Warning for Security Fix

Over 1 million websites were known to be infected with malicious code that causes web viewers to see a warning posing as a Microsoft Security Alert — the Windows Stability Center — reporting that there are problems with the user’s computer.

The warning can appear on website pages not affected by Lizamoon –resulting from infection from a visit to a previous site. If a user clicks OK to the warning, a fake scanning process begins, showing multiple infections.


When a web visitor arrives on the infected page, the malicious code directs the browser to the malicious site, which displays a phony dialog box alerting the user to the presence of a supposed virus that can only be removed by buying an anti-virus product. In this case the alert appears to come from the Microsoft Stability Center — a product name that doesn’t even exist. The antivirus software is offered at the rate of $49.95 for a six-month license, $59.95 for a year, or $79.95 for a lifetime, with lifetime support available at the bargain rate of $19.95.

Lizamoon was named after the first website found to be infected with harmful script on March 29, 2011. LizaMoon mass-injection is a SQL injection attack that inserts a php code into the code of the web page that is served to users.

The security firm Websense released a video to explain the scareware, which explains the fake warning and what happens when a user is fooled by fake processes and fake alerts, before finally being prompted to pay for software to repair the security issues:


Video from Websense shows what happens when a user visits a site that has been injected with the LizaMoon mass injection.

Several iTunes podcast feeds were affected because iTunes downloads RSS/XML feeds from publishers to update the podcast and list of available episodes. If the publisher’s website was infected, according to a belief of Websense, the RSS/XML feeds have also been compromised with the injected code. Fortunately iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer.


Search result that shows websites infected by malicious scripts.

Notice that Google works to identify sites that have been infected and takes two steps to help users: (1) Immediately below the title of the infected website, Google inserts a notice “This site may harm your computer”. If you click on that link, users are sent to a Google page that explains the warning. (2) Google links the title of the harmful website to a ‘one more chance’ page from Google where users are given suggestions to return to the search results page and pick another result or try a different search. Users are still given the option to proceed to the infected site.

So far the damage to web visitors only appears to be to those individuals who submitted credit card information and paid for the fake antivirus software.

See also …
websense security labs BLOG Update on LizaMoon mass-injection and Q&A

websense security labs BLOG LizaMoon mass injection hits over 226,000 URLs (was 28,000)