{"id":8626,"date":"2011-04-04T21:38:46","date_gmt":"2011-04-05T04:38:46","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=8626"},"modified":"2025-06-02T18:51:12","modified_gmt":"2025-06-03T01:51:12","slug":"lizamoon-the-latest-sql-injection-attack","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/","title":{"rendered":"LizaMoon the Latest SQL-Injection Attack"},"content":{"rendered":"<p>Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At the same time, we want to avoid laying on the FUD&#8211;or scaring customers into making poorly educated security decisions.<\/p>\n<p>Which brings us to the recent <strong>LizaMoon<\/strong> attacks. There is an incredible amount of highly generic and vague information floating around. The fact of the matter is on-going SQL-injection attacks are a fact of life. They are not the only ones, either; every day there are mass spammings of new pieces of malware. Every week we see thousands of new &#8220;fake-alert&#8221; Trojans (a.k.a. rogue or bogus AV\/security products and scams). And fake-alert is just one of the <strong>millions<\/strong> of static malware examples that we deal with on a constant basis.<\/p>\n<p>So how should we respond? Do we toot our own horn and blast everyone with a gargantuan list of countermeasures for any and all threats? Do we wait and see how the industry reacts and then do what everyone else does?<\/p>\n<p>Without getting too philosophical, I\u2019ll cut to the chase.<\/p>\n<h2><strong>What\u2019s In a Name?<\/strong><\/h2>\n<p>The LizaMoon attack is named after one of the domains referenced in the script code that gets injected into compromised pages.<\/p>\n<p>Example: &lt;script src=http:\/\/lizamoon[dot] com \/ur[dot] php &gt;<\/p>\n<p>Lizamoon.com is not the only domain associated in this way. 
In the days since we started tracking this event, we have added many others. As of this writing we know of around 40 (give or take a few). If you are looking to block traffic to the <strong>malicious<\/strong> domains, this is where you want to focus your efforts. We have seen some recommendations to block <strong>all<\/strong> associated domains&#8211;even those that have been compromised (the valid sites that were victimized by the attack). This step may be overly paranoid. We do not necessarily need to block traffic to all these legitimate and well-meaning sites (by some estimates the count is up to 1.5 million) to protect against this and similar threats.<\/p>\n<h2><strong>Make Me Feel Secure!<\/strong><\/h2>\n<p>The injected scripts redirect clients to sites that are known to host fake\/rogue\/bogus security software. There are tens of thousands of write-ups on this fake-alert family on our Threat Intelligence site, and it\u2019s one of the most prevalent families of static malware that we deal with.<\/p>\n<p>The particular package associated with this attack is detected as follows:<\/p>\n<p>Name: FakeAlert-PJ.gen.c<br \/>\nDAT: 6304<br \/>\nRelease Date: April 2, 2011<br \/>\nInfo: http:\/\/vil.nai.com\/vil\/content\/v_348729.htm<\/p>\n<p>Malicious hosts associated with this attack (for example, lizamoon.com) are categorized as malicious by our Web Reputation Service (http:\/\/mcaf.ee\/92e06). Multiple McAfee products, at various layers of defense, use this intelligence to block traffic or filter out the bad stuff. McAfee Firewall Enterprise and McAfee Host Intrusion Prevention are just a few examples. More details on McAfee GTI Reputation and Categorization Services can be found here: http:\/\/mcaf.ee\/92e06<\/p>\n<p>The network side of the SQL-injection attack is detected through the McAfee Network Security Platform.
The signatures that pick up this particular attack are approaching one year old (sig: <strong>HTTP: SQL Injection &#8211; evasion III<\/strong> in Releases 4.1.74, 5.1.44, and 6.1.11).<\/p>\n<h2><strong>Where\u2019s the Beef?<\/strong><\/h2>\n<p>This is a SQL-injection attack. Before any of us blow our IT budgets on database security goodies, we must all <strong>take the basic first steps.<\/strong> Simple and core techniques, such as constraining user input, validating user input, limiting types of input, encrypting sensitive data, and designing accounts with the principle of least privilege will go a long, long way.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[76,338,124,180,18],"coauthors":[4136],"class_list":["post-8626","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-cybercrime","tag-endpoint-protection","tag-global-threat-intelligence","tag-malware","tag-network-security"],"acf":[],"yoast_head_json":{"title":"LizaMoon the Latest SQL-Injection Attack | McAfee Blog","description":"Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"LizaMoon the Latest SQL-Injection Attack | McAfee Blog","og_description":"Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2011-04-05T04:38:46+00:00","article_modified_time":"2025-06-03T01:51:12+00:00","author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est.
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"LizaMoon the Latest SQL-Injection Attack","datePublished":"2011-04-05T04:38:46+00:00","dateModified":"2025-06-03T01:51:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/"},"wordCount":607,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["cybercrime","endpoint protection","global threat intelligence","malware","network security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/","name":"LizaMoon the Latest SQL-Injection Attack | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2011-04-05T04:38:46+00:00","dateModified":"2025-06-03T01:51:12+00:00","description":"Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. 
At","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/lizamoon-the-latest-sql-injection-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"LizaMoon the Latest SQL-Injection Attack"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/8626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=8626"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/8626\/revisions"}],"predecessor-version":[{"id":214919,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/8626\/revisions\/214919"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=8626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=8626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=8626"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=8626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}