Lizamoon mass injection attack hits Apple iTunes

While you've been browsing around the web, you may have noticed that a few web URLs have been exhibiting a similar name in the address, Liza Moon. That's because of a new malicious mass injection campaign that has been targeting thousands of sites with insecure code.

Lizamoon is an SQL mass injection attack that inserts a line of code into the URL ( ), and was discovered and identified by the Websense Security Labs and the Websense Threatseeker Network. They're not sure what the effects of the attack are, because the site it points to is down at present, but have reported that over 28,000 sites have been hit, including many iTunes RSS/XML feeds for podcasts and lists of episodes:

"While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in," said WebSense. "That site is also unavailable right now, so we don't have the actual binary analysis information available yet."

The domain lizamoon.com was registered several days ago with "clearly fake information".

The Inquirer reminds us that it was an SQL mass injection attack, undertaken by hacker Albert Gonzales (currently serving 20 years at Her Majesty's pleasure), that broke into the files of UK retailer TK Maxx and stole over 130,000 credit card numbers - some of which are still being cloned to this very day.

Thankfully, iTunes users shouldn't worry though as the code will not directly affect them: "The good thing is that Itunes encodes the script tags, which means that the script doesn't execute on the user's computer," WebSense states.

Thanks Tom.