Lilupophilupop SQL cyberattack infects 1M URLs – or does it?

The "Lilupophilupop" SQL injection campaign has infected 1,070,000 URLs as of Jan. 1, according to the SANS Internet Storm Center.

This is up substantially from when the SQL attack was first noticed by SANS at the beginning of December -- the security firm only found 80 corrupted URLs. The cause of the quick spread is due to both computer and human input.

Related coverage:

Gov Web apps expose themselves to common attacks, study finds

"At the moment it looks like it is partially automated and partially manual," wrote Mark Hofman, a SANS Internet Storm Center handler, in a company blog post. "The manual component and the number of sites infected suggests a reasonable size work force or a long preparation period."

According to SANS estimates, Netherlands websites (ending in the .NL domain) are the No. 1 victim, with 123,000 infected URLs, with France coming in second with 68,100 hijacked website addresses.

However, the more than 1 million sites estimated to be infected may be higher than the reality. According to Mary Landesmann, a ScanSafe security researcher (which is now part of Cisco), the number provided by SANS also may include websites discussing the Lilupophilupop attack, due to the fact that the company's data was compiled by performing Google searches.

"As a result, there is always a huge 'increase' [of keyword activity] after an initial public report is made," said Landesmann to Security Dark Reading. "In other words, counting the number of results from a search engine isn’t a good or viable means of measuring the breadth of a compromise."

The Lilupophilupop attack, named after the website infected URLs redirect to, is a basic SQL injection that could lead to an attacker gaining access to a user's database of Internet content, including passwords, credit card information and other personal data.

This newest SQL injection incident works in the same fashion as the 2011 LizaMoon attack, which was responsible for redirecting as many as 1.5 million URLs to a fake and malicious antivirus download.

As with all untrusted websites, always use caution and make sure your antivirus is up to date. Hofman also suggests the specific action of checking to see whether a site may have fallen victim to the Lilupophilupop injection attack: "If you want to find out if you have a problem just search for '<script src=' in Google and use the site: parameter to hone in on your domain.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected