Google: SQL-injection attack not as large as first thought
By Nicole Kobie
Posted on 4 Apr 2011 at 09:22
An SQL-injection attack is now returning 1.5 million results on Google, but experts have raised doubts over the scale of the problem.
Last week, security firm Websense reported that hundreds of thousands of sites had been infected via an SQL-injection attack, which was dubbed "Lizamoon" after the name of the website it redirected users to, where it tries to trick them into installing fake antivirus.
Websense based its count of infected sites on Googling for that web address, but some have said that method of counting isn't entirely accurate, and the attack isn't as big as first feared.
Instead of simply Googling for the URL, the search engine's principal engineer, Niels Provos, counted the sites with a functioning reference, leaving out those that had the code but didn't actually redirect users.
He found the Lizamoon attack actually peaked in October with 5,600 infected sites, but is currently "undergoing a revival". He compared it to the Gumblar attack of two years ago, which peaked at 62,000 infected sites.
Websense said the Google results method merely gave a sense of the scale of the attack.
"All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack," Websense said in an updated blog post. "Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time."
However, Websense admitted that the number of sites actually infected was "significantly smaller" than search results suggested, though it didn't offer any numbers.
