Thousands of Web Sites Hit With New Twist on Old SQL Injection Hack Thousands of Web Sites Hit With New Twist on Old SQL Injection Hack | Arik Hesseldahl | NewEnterprise | AllThingsD A relatively simple hack has been used to compromise at least 500,000 Web sites, and perhaps as many as 1.5 million, in such a way that visitors are tricked into downloading fake PC security software. Dubbed Lizamoon, after the Web site where some users are in some cases redirected, the attack was first documented by the security research firm Websense The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems. Among the sites serving up the links to the fake software sites are some belonging to Apple and used on its iTunes store, though Apple is said to have cleaned up the affected code on its site. Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn’t appear to be affected. No word yet from Microsoft about any of this, though I’ve asked them for a comment. SQL injection attacks take place when malicious code–essentially commands to a Web server to do things it’s not supposed to do — are inserted into routine queries of a Web site’s data base. A basic way to carry out these attacks is to add extra commands into the URL bar of a the browser when visiting a vulnerable Web site. It’s not entirely clear exactly how this series of attacks has been carried out.