Hundreds of thousands of URLs have been affected by a massive SQL-injection attack, according to security specialist Websense.
The number of affected domains has jumped to 380,000 - and counting - from a more lowly figure of 28,000 when the attack was first spotted earlier in the week.
Websense said in a blog post it was redirecting users to a fake antivirus site earlier in the week.
Several iTunes URLs have been compromised with the injected code, according to Websense though as Apple's system doesn't execute the code, users are presumed safe.
Indeed, the "bad guys" haven't yet done much with the attack, Websense noted.
"We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing... Different payload sites, have started to be involved in addition to the original Lizamoon.com," said Carl Leonard, threat research manager at Websense Security Labs.
"The payload sites remain inactive at present although they could be switched' on at any time," he added. "We can only speculate as to what the bad guys are waiting for."
UPDATE Websense has now reported more than 500,000 URLs have a script link to Liza Moon.
"The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon.com according to Google Search results," a blog from the firm read.
"We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought."
Additional reporting by Tom Brewster
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.