Security Blog

LizaMoon Pay-Up Scareware Spreads To 500,000 Sites

According to the Websense Security,Websense Security Labs has updated its alert concerning a malicious mass-injection scareware campaign it has dubbed LizaMoon. it is an SQL injection that attack adds a line of JavaScript code to web pages that redirects users to a bogus web page that rotates on a periodic basis. It is Based on Google search results. more than 500,000 URLs had a script link to, which has since been changed.

Though search results aren’t always great indicators of the scope of an attack,Google search lists each unique URL rather than each domain or site, they do provide some indication of the scope of the problem when the numbers go up or down, Websense observed.

“We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought,” Websense security analysts wrote in a blog Thursday. “All in all, a Google search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack.”


Bogus Malware Reports

visitor who visits a web page with the injected code is redirected to a bogus Internet site. “Just like most other scareware and rogue AV sites, it shows a pop-up warning saying that your security is at risk and that you have malware and other security issues,” said a Websense spokesperson. “And when you click OK, it displays a scanning tool that looks like its going through the hard drive and finding all sorts of malware, but it’s all fake, of course.”

when who click “remove all” to fix their fake problems end up downloading an executable rogue AV to their machines. Then when the unsuspecting user starts the rogue tool, it kills whatever program is currently running.

Nothing else happens until the user tries to start the legitimate program again, at which point the scareware displays a fake Trojan alert. If the user then clicks “remove,” the rogue AV escalates to the next stage by prompting the user to install the full-blown scareware app.

It displays the bogus name Windows Stability Center, warns that there are lots of problems on the user’s PC. “To fix them you have to pay for the full version of the app,” Websense explained.

Antivirus Engines Still Vulnerable

Though the LizaMoon threat is global, Websense reported nearly half the traffic to the scareware’s bogus web sites is coming from U.S. Internet users. Other nations where a considerable number of PC users are falling prey to LizaMoon include Canada (9.23 percent), Italy (8.89 percent), Brazil (7.92 percent) and the United Kingdom (7.92 percent).

The problem is that only 17 out of 43 of the currently available antivirus engines,from Kaspersky, Microsoft, Sophos, Symantec, Trendmicro, VIPRE and others,were able to detect the LizaMoon rogue AV as of Friday afternoon, according to web-security firm VirusTotal.

Websense said it’s still analyzing the scareware to see how it infects web pages. However, the security firm’s researchers suspect that the attack has gained such widespread traction because it has been able to exploit “vulnerabilities in the web systems used by these sites, such as outdated CMS and blog systems.”

Show More


Matthew is a technology blogger for

Leave a Reply

Your email address will not be published. Required fields are marked *


Adblock Detected

Please consider supporting us by disabling your ad blocker