Christoph Alme, a malware specialist at security firm Secure Computing, said, "There are more than five million Joomla pages out there."
The latest attack, discovered over the weekend by Secure Computing, used search engines to speed up their search for vulnerable web pages into which they can inject SQL statements that will steal passwords to bank, game and other accounts.
The criminals searched for asp.net pages that contained vulnerable order forms and sign-on details. Once they discovered an unprotected page, they used it to place SQL code on the underlying database that recorded personal details of visitors to the site. More than 14,000 web pages were infected in the weekend attack.
"There has been a big rise in SQL injection attacks this year," Alme said. He said the current attack, which infected at least 20 popular UK sites, was dangerous because it was aimed at sites that people were likely to visit regularly.
"Government sites are as vulnerable as commercial sites," he said. "The visitor may have visited the site last week without problems. This week he trusts the site, but is hit by a drive-by attack," Alme said.
He said the criminals also hid malware in downloads of popular software such as QuickTime and RealPlayer.