When first discovered, the lilupophilupop.com SQL injection attacks had infected only 80 pages, but as of Dec. 31, the number totaled 1,070,000, according to Mark Hoffman, a researcher with the center.
Hoffman gave a sample of the number of infected pages per domain: UK – 56,300; NL – 123,000; DE – 49,700; FR – 68,100; DK – 31,000; CN – 505; CA – 16,600; COM – 30,500; RU – 32,000; JP – 23,200; and ORG – 2,690.
In his initial analysis of the attacks, Hoffman wrote that the “sources of the attack vary; it is automated and spreading fairly rapidly…. The trail of the files ends up on ‘adobeflash page’ or fake AV [anti-virus software]. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected.”
The goal of the SQL injection attacks appears to be to drive victims to sites selling fake anti-virus software, according to Dennis Fisher of Kaspersky Lab. “That's where the monetization portion of the scheme comes in, with the attackers trying to lure victims into paying a license fee for a fake AV program they not only don't need but that will likely cause other problems on their machines, as well,” he wrote in a blog post.