A million people have been infected in less than a week after a malware campaign targeted visitors to outdated websites.
The attacks involve an SQL injection where malicious code is woven into websites – mostly those running Microsoft ASP.NET, with patching or configuration vulnerabilities.
Vulnerable sites are typically those owned by universities, schools, associations and small businesses.
The code redirects visitors to websites where they are infected with varying malicious payloads. Those malicious websites are registered under the bogus name 'James Northone', which is the same fake identity used in the LizaMoon attacks in April.
LizaMoon attacks similarly infected some 1.5 million vulnerable websites with malicious code that redirected visitors to black-hat sites, which then distributed malicious payloads.
Armorize chief executive officer Wayne Huang said that as of last week, six out of 43 prominent anti-virus vendors had detected the attacks, according to tests run against VirusBulletin.
Security vendor Sucuri pointed users to http://sitecheck.sucuri.net to check for vulnerable SQL bugs.