Researcher: Beware of massive IFrame attack

Security researcher Dancho Danchev has raised the red flag in his blog about a new scam the bad guys are using to corrupt hundreds of thousands of websites with IFrame redirects. Visit one of these corrupt pages and you just might find yourself caught on another site rigged with malicious code.

The infamous hacking group known as the Russian Business Network (RBN) appears to have a hand in this, he says.

“The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install through an ActiveX object.”

Danchev says these are the high-profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFrame-injected pages within their search engines:

NCSU Libraries – lib.ncsu.edu – 372,000 pages
FullDownloads.us – fulldownloads.us – 13,000 pages
Central Statistics Office Ireland – cso.ie – 10,300 pages
DBLife Frontpage – dblife.cs.wisc.edu – 1,130 pages
School of Mathematics and Statistics – www-history.mcs.st-andrews.ac.uk – 1,040 pages
eHawaii Portal – ehawaii.gov – 992 pages
The World Clock – timeanddate.com – 944 pages
Boise State University – boisestate.edu – 471 pages
The U.S. Administration on Aging (AoA) – aoa.gov – 425 pages
Gustavus Adolphus College – gustavus.edu – 312 pages
Internet Archive – archive.org – 261 pages
Stanford Business School Alumni Association – gsbapps.stanford.edu – 157 pages
BushTorrent – bushtorrent.com – 147 pages
ChildCareExchange – ccie.com – 131 pages
The University of Vermont – uvm.edu – 120 pages
Hippodrome State Theatre – Gainesville, FL – thehipp.org – 112 pages
Minnesota State University Mankato – mnsu.edu – 94 pages
The California Majority Report – camajorityreport.com – 16 pages
Medicare.gov – medicare.gov – 12 pages
USAMRIID – usamriid.army.mil – 3 pages

More than 400,000 pages appear to have been compromised.

“To sum up — it’s a mess that I’ll continue trying to structure, and it’s a single group exploiting input validation capability within the sites’ search engines we’re talking about,” Danchev said. “With this segmented targeting of sites with high page ranks, and their persistence, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites are acting as the redirectors to the malware locations.”
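The input validation weakness Danchev describes can be illustrated with a site search page that echoes the query into its results HTML. The following is an added example, not code from the article or from Danchev's research: it shows the unescaped rendering beside the escaped one, plus a check that flags off-site iframes in a stored results page. The host name `lib.example.edu`, the function names and the sample query are all constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "lib.example.edu"  # hypothetical site, not one from the article

def render_unsafe(query: str) -> str:
    # Vulnerable form: the query is echoed into the page as markup.
    return f"<h1>Results for {query}</h1><iframe src='/map'></iframe>"

def render_safe(query: str) -> str:
    # Hardened form: the query is HTML-escaped, so it can only ever be text.
    return f"<h1>Results for {html.escape(query, quote=True)}</h1><iframe src='/map'></iframe>"

class _IframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.offsite = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        same_site = host is None or host == self.site_host or host.endswith("." + self.site_host)
        if not same_site:
            self.offsite.append(src)

def offsite_iframes(page_html: str, site_host: str = SITE_HOST) -> list:
    """Return src values of iframes that load from outside site_host."""
    finder = _IframeFinder(site_host)
    finder.feed(page_html)
    finder.close()
    return finder.offsite

# Constructed sample query, standing in for a search string carrying iframe markup.
SAMPLE_QUERY = 'library hours <iframe src="http://redirector.example/x"></iframe>'

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, offsite_iframes(render(SAMPLE_QUERY)))
```

Escaping at output is the fix; the iframe check is a detection aid for pages that were already cached before the fix went in.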
