Web Sites Hit With SQL Injection Attack

A relatively simple hack has been used to compromise at least 500,000 Web sites, and perhaps as many as 1.5 million, in a way that tricks visitors to those sites into downloading fake PC security software.

Dubbed LizaMoon after the Web site where some users are redirected, the attack was first documented by the security research firm Websense. The hack tries to trick web users into believing that their computer has been infected by viruses and spyware and prompts them to download fake security software that itself causes problems.

SQL injection attacks take place when malicious code, basically commands telling a web server to do things it's not supposed to do, is inserted into the routine queries a web site makes to its database. A basic way to carry out these attacks is to add extra commands to the address in the URL bar of a browser when visiting a vulnerable web site. It's not yet clear exactly how this series of attacks has been carried out.
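The mechanism described above, as an added illustration that is not part of the original article or of Websense's analysis: the same URL value is placed into a query once by string concatenation and once as a bound parameter. SQLite stands in for the site's database server, and the table, URLs and function names are constructed for the example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample requests: a normal one, and one with SQL appended to the value.
BENIGN_URL = "http://example.test/article?id=2"
CRAFTED_URL = "http://example.test/article?id=2%20OR%201%3D1"  # decodes to "2 OR 1=1"

def make_db():
    """Build a small in-memory table; row 3 is not meant to be public."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Welcome", 1), (2, "Pricing", 1), (3, "Unreleased draft", 0)])
    return db

def id_from_url(url):
    """Return the raw, URL-decoded 'id' value exactly as the visitor sent it."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def lookup_concatenated(db, url):
    """Vulnerable: the value becomes part of the SQL text, so the database
    parses anything after the number as more SQL."""
    sql = ("SELECT title FROM articles WHERE published = 1 AND id = "
           + id_from_url(url) + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, url):
    """Hardened: the value is validated as an integer and sent as a bound
    parameter, so it is only ever treated as data."""
    try:
        article_id = int(id_from_url(url))
    except ValueError:
        return []  # not a number: reject instead of querying
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (article_id,))]

if __name__ == "__main__":
    db = make_db()
    for label, url in (("benign", BENIGN_URL), ("crafted", CRAFTED_URL)):
        print(label, "concatenated :", lookup_concatenated(db, url))
        print(label, "parameterized:", lookup_parameterized(db, url))
```

With the concatenated query, the crafted value changes the WHERE clause and the unpublished row comes back; the parameterized version returns nothing for it.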

Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn’t appear to be affected.

If you see a pop-up that tells you your computer has a virus or that your computer is compromised by a bunch of security issues, don’t click any of the links in it since it’s probably someone trying to infect your computer.

Websense produced a video demonstrating what happens.
