Lilupophilupop SQL cyberattack infects 1M URLs – or does it?

The "Lilupophilupop" SQL injection campaign has infected 1,070,000 URLs as of Jan. 1, according to the SANS Internet Storm Center.

This is up substantially from when the SQL attack was first noticed by SANS at the beginning of December -- the security firm only found 80 corrupted URLs. The cause of the quick spread is due to both computer and human input.

Related coverage:

Gov Web apps expose themselves to common attacks, study finds

"At the moment it looks like it is partially automated and partially manual," wrote Mark Hofman, a SANS Internet Storm Center handler, in a company blog post. "The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period."

According to SANS estimates, Netherlands websites (ending in the .NL domain) are the No. 1 victim, with 123,000 infected URLs, with France coming in second with 68,100 hijacked website addresses.

However, the more than 1 million sites estimated to be infected may be higher than the reality. According to Mary Landesmann, a ScanSafe security researcher (which is now part of Cisco), the number provided by SANS also may include websites discussing the Lilupophilupop attack, due to the fact that the company's data was compiled by performing Google searches.

"As a result, there is always a huge 'increase' [of keyword activity] after an initial public report is made," said Landesmann to Security Dark Reading. "In other words, counting the number of results from a search engine isn’t a good or viable means of measuring the breadth of a compromise."

The Lilupophilupop attack, named after the website infected URLs redirect to, is a basic SQL injection that could lead to an attacker gaining access to a user's database of Internet content, including passwords, credit card information and other personal data.

This newest SQL injection incident works in the same fashion as the 2011 LizaMoon attack, which was responsible for redirecting as many as 1.5 million URLs to a fake and malicious antivirus download.

As with all untrusted websites, always use caution and make sure your antivirus is up to date. Hofman also suggests the specific action of checking to see whether a site may have fallen victim to the Lilupophilupop injection attack: "If you want to find out if you have a problem just search for '<script src=' in Google and use the site: parameter to hone in on your domain.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected