Recent media reports have focused on a mass SQL injection attack involving a malware domain named lizamoon.com. While the lizamoon.com domain is new, this particular series of SQL injection compromises is actually several months old. Cisco ScanSafe logs record the first instance on 20-Sep-10 21:58:08 GMT. Since then, a total of 42 malware domains have been used, signifying 42 separate occurrences of these compromises since September 2010. Lizamoon.com was the 41st of these.
Cisco ScanSafe data reveals that from Sept 2010 to Feb 2011, all the compromises were on smaller, low-traffic sites. Any encounters likely resulted from Web searches on very niche topics. As a result, the number of encounters with these compromised websites remained very low. Most importantly, this attacker is employing severe throttling, such that only 0.15% of encounters even result in live content delivery. The remaining 99.85% of encounters are non-resolvable at the time of encounter. The result is a negligible rate of actual encounter with live content.