- Infected sites are ASP.NET sites with SQL Server backends.
- A script link is injected into columns that build the page html.
- The injected link calls more script code from a third-party site.
- The third-party code is obfuscated malicious JavaScript code.
- This code redirects to yet another site with a fake antivirus scam. It also exploits known vulnerabilities in JavaScript and Flash.
The injected script code looks as follows:

At the referenced location, obfuscated JavaScript code is hosted in the form of character codes (letters represented as numbers) that are decoded on the fly into working, malicious JavaScript. The obfuscation makes it harder for firewalls and AV software to detect the attack. This code leaves a cookie on the browser and then navigates to a malicious URL at strongdefenseiz.in.
Databases at risk
This attack is so successful because it automatically finds vulnerable ASP.NET websites with SQL Server backend databases that can be exploited with a simple SQL injection attack. Some of these sites might have been scoped out in LizaMoon and previous attacks.
Data stored in the database can be compromised not only by the people behind “James Northone” but also by any copycat attackers that run a simple Google query to find the vulnerable websites. Once compromised, the attackers can potentially access any data on the database backing the website, especially if there is no proper separation of duties. For example, on a shopping website, customer data such as email addresses and credit card numbers might be at risk.
How can I ensure that my organization is protected?
There is no easy workaround for the database component of this threat besides fixing the SQLi vulnerabilities on the site and employing the best practices mentioned below. However, employing a database activity monitoring solution will help to address this issue.
This and most other SQL Injection attacks are a case study in poor coding and database configuration practices. When web applications are written correctly and their backend databases are managed against vulnerabilities, SQL injections are proactively prevented. I recommend that organizations take the following steps to protect their site visitors, web applications and database assets:
1. First and foremost, web applications should be reviewed to ensure proper input validation on web forms and URL parameters. Queries to the backend database, especially SELECT, INSERT and UPDATE queries, should never be created by simply concatenating a SQL query string with input from web form fields. The input should be sanitized, and then parameterized queries should be used to interact with the database.
Note: ASP.NET does this by default. A web developer actually has to bypass some of the features, or disable some default security configurations to make a site vulnerable.
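The difference between the two approaches in step 1, as an added example that is not from the original article: Python's built-in sqlite3 with an in-memory database stands in for the SQL Server backend so the block runs without a server, and the table, function names and form input are constructed for illustration. In ADO.NET the same binding is done with SqlCommand and SqlParameter.

```python
import sqlite3

def make_db():
    """Constructed sample table; in-memory SQLite stands in for the SQL Server backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO pages VALUES (1, 'Welcome', '<p>Original body</p>')")
    return db

def save_title_concatenated(db, raw_id, title):
    """Vulnerable pattern: form input is pasted into the SQL text."""
    sql = "UPDATE pages SET title = '" + title + "' WHERE id = " + raw_id
    db.execute(sql)

def save_title_parameterized(db, raw_id, title):
    """Hardened pattern: validate first, then bind every value as a parameter."""
    page_id = int(raw_id)              # raises ValueError for a non-numeric id
    if len(title) > 200:
        raise ValueError("title too long")
    db.execute("UPDATE pages SET title = ? WHERE id = ?", (title, page_id))

def page(db, page_id=1):
    """Return (title, body) for one page, the columns that build the page HTML."""
    return db.execute("SELECT title, body FROM pages WHERE id = ?", (page_id,)).fetchone()

# Constructed form input: the quote ends the string literal, so the remainder
# is parsed as SQL and assigns a second column that the form never exposed.
CRAFTED_TITLE = "x', body = '<p>replaced</p>"

def demo():
    """Run the same input through both save functions on fresh databases."""
    results = {}
    for name, save in (("concatenated", save_title_concatenated),
                       ("parameterized", save_title_parameterized)):
        db = make_db()
        save(db, "1", CRAFTED_TITLE)
        results[name] = page(db)
    return results

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With concatenation the body column is overwritten; with bound parameters the whole input is stored as the title and the body is untouched.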