TwitterACicon86x90vert facebookACicon86x90vert
TV/Radio XFINITY | WOW! | WBBM | WXRT | B96 + Dance | US99 | the Drive 97.1

YoutubeTwitterFacebookArlingtoncardinalYahoo! Google Bing Aol.ArlingtoncardinalTMZ Rotten Tomatoes ET Online Box Office MojoArlingtoncardinal Channel 9 WGN Channel 7 Chicago ABC Channel 5 Chicago NBC Channel 2 Chicago CBS Daily HeraldChicago Tribune Breaking NewsArlingtoncardinal Chicago Gas THE GUIDE

Lizamoon Attack: Over 1 Million Websites Infected, Display Fake Warning for Security Fix

Sun April 03 2011 10:33 am
Share The Cardinal -- Articles (E-Mail, Facebook, Twitter & More) 

CHICAGO BEARS RADIO -- WBBM Newsradio 780 "Traffic on the 8's"

Over 1 million websites were known to be infected with malicious code that causes web viewers to see a warning posing as a Microsoft Security Alert — the Windows Stability Center — reporting that there are problems with the user’s computer.

The warning can appear on website pages not affected by Lizamoon –resulting from infection from a visit to a previous site. If a user clicks OK to the warning, a fake scanning process begins, showing multiple infections.

When a web visitor arrives on the infected page, the malicious code directs the browser to the malicious site, which displays a phony dialog box alerting the user to the presence of a supposed virus that can only be removed by buying an anti-virus product. In this case the alert appears to come from the Microsoft Stability Center — a product name that doesn’t even exist. The antivirus software is offered at the rate of $49.95 for a six-month license, $59.95 for a year, or $79.95 for a lifetime, with lifetime support available at the bargain rate of $19.95.

Lizamoon was named after the first website found to be infected with harmful script on March 29, 2011. LizaMoon mass-injection is a SQL injection attack that inserts a php code into the code of the web page that is served to users.

The security firm Websense released a video to explain the scareware, which explains the fake warning and what happens when a user is fooled by fake processes and fake alerts, before finally being prompted to pay for software to repair the security issues:

Video from Websense shows what happens when a user visits a site that has been injected with the LizaMoon mass injection.

Several iTunes podcast feeds were affected because iTunes downloads RSS/XML feeds from publishers to update the podcast and list of available episodes. If the publisher’s website was infected, according to a belief of Websense, the RSS/XML feeds have also been compromised with the injected code. Fortunately iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer.

Search result that shows websites infected by malicious scripts.

Notice that Google works to identify sites that have been infected and takes two steps to help users: (1) Immediately below the title of the infected website, Google inserts a notice “This site may harm your computer”. If you click on that link, users are sent to a Google page that explains the warning. (2) Google links the title of the harmful website to a ‘one more chance’ page from Google where users are given suggestions to return to the search results page and pick another result or try a different search. Users are still given the option to proceed to the infected site.

So far the damage to web visitors only appears to be to those individuals who submitted credit card information and paid for the fake antivirus software.

See also …
websense security labs BLOG Update on LizaMoon mass-injection and Q&A

websense security labs BLOG LizaMoon mass injection hits over 226,000 URLs (was 28,000)

CLEAR SKIES?  Weather Data for Sunday, April 3rd, 2011

Tags: , , , , , , , , ,    

IMPORTANT NOTE: All persons referred to as subjects, defendants, offenders or suspects, etc. are presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Try a more powerful search in the box below ... SEARCH BOX PRODUCES RESULTS FOR The Cardinal -- ...
(POWERFUL SEARCH for The Cardinal, which can be expanded on the results page.)

Where background Wikipedia info/photos are used, original work is modified and released under CC-BY-SA.

::: Health, wellness and fitness gifts! ::: Cubs, Sox caps at :::

ARLINGTON HEIGHTS BREAKING NEWS --The Cardinal -- is a breaking news blog with Arlington Heights & Chicagoland emphasis. Early breaking reports may prove to be inaccurate after follow-up investigation, which may or may not be updated in The Cardinal -- For in-depth coverage, please also check the following links for network television, cable news networks and Chicago local media coverage ...

Daily Herald | Daily Herald -- Arlington Heights |
Today's headline videos: FOXNews Video | | Associated Press | The Cardinal
Video LOGO youtube Twitter Arlingtoncards facebook battery status Cardinal Calendar Search Batteries Plus RSS Help ...
All Headlines
crimeblog | fireblog

Comments for
COMMENTS are now available via one or more of our official Facebook pages. Comments no longer appear on the article per se. Please comment on or check the other popular Arlington Cardinal Facebook pages at ...

Anyone having information about serious crime in Arlington Heights should register on and look for the anonymous TIP411 feature, or call Arlington Heights Crime Stoppers at 847-590-STOP (847-590-7867). Callers are guaranteed anonymity and may qualify for a cash reward of up to $1,000. Not a resident of Arlington Heights? Check for availability for your community. | Traffic on Twitter


Weather radar map is provided by

RSS Cardinal Weather Center