The lizamoon scareware attack got a lot of attention because it supposedly infected a 1.5 million web pages, but some experts are now saying the effect was likely orders of magnitude smaller.
Lizamoon was an attempt to get users to provide credit card information. It did so by inserting a piece of code into a web site that causes a browser to a site that simulates a virus scan and then prompts a user to download antivirus software, giving up their credit card information in the process.
Websense initially reported lizamoon's existence March 29. that it found 1.5 million sites infected. That finding was the result of a Google search, which showed the URLs with the same address - lizamoon.com - from which the fake antivirus programs originated.
The news spread quickly and the 1.5 million web sites infected was widely cited. But a security expert at Cisco says that the number of sites infected was actually much smaller.
Mary Landesman, a senior security researcher at Cisco, wrote in the company's security blog that this particular attack has been around for the last several months. She wrote that Cisco only found about 1,154 unique compromised web sites.
The reason for the discrepancy, she says, is that a Google search, which websense did, would return individual pages, not unique sites. That could easily increase the number of sites that show up as infected by a large amount. Websense's search also might have returned sites where people were simply discussing the lizamoon phenomenon. The fact that it was a big news story would have increased the number of false positives, making it look like a massive attack was underway.
Landesman said that using Cisco ScanSafe data, found that the compromises to security were on sites with relatively little traffic. Another issue is how often getting to the site results in the delivery of live content, i.e. the malware. As it turns out, she said, only a small percentage of sites actually delivered the payload.
Websense stands by its estimates, and to be fair the company said on its own blog that the number of sites infected was probably much lower than the number reported by many media outlets. Websense also noted on the blog that there were some 200,000 requests for the lizamoon.com domain from its customers, which means that even if only a small number of sites were infected, the malware site got enough traffic to be significant.