Zero Day

Ryan Naraine and Dancho Danchev

90,000+ pages compromised in mass iFrame injection attack

By | July 28, 2011, 7:08am PDT

Summary: Security researchers from Armorize have intercepted a currently live mass iFrame injection attack, affecting over 90,000 Web pages.

Once a user visits an affected page, a number of JavaScript redirectors lead the user to a page serving client-side exploits.

How did the attack take place? The attackers are either abusing input validation flaws within the vulnerable sites, or have been harvesting botnets for stolen FTP credentials, in order to embed the malicious iFrame in the pages.

The iFrame domain willysy(dot)com is currently flagged as malicious.
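
A defender-side check for the injection described above, added here as an example and not code from Armorize or ZDNet: it parses a page, lists every iframe and script that loads from a host outside the site's own allowlist, and tags hits on the flagged domain. The site names, the sample HTML and the zero-size/hidden-frame heuristic are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Defanged exactly as the article prints it; refanged only in memory for matching.
BLOCKLIST = {"willysy(dot)com".replace("(dot)", ".")}

class FrameAudit(HTMLParser):
    """Collect (tag, host, reasons) for iframe/script elements that load off-site."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.own_hosts:
            return  # inline code or a same-site resource
        reasons = ["off-site"]
        if any(host == b or host.endswith("." + b) for b in BLOCKLIST):
            reasons.append("blocklisted")
        # Heuristic (assumption): injected frames are usually zero-size or hidden.
        style = a.get("style", "").replace(" ", "").lower()
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden")
        self.findings.append((tag, host, reasons))

def audit(html, own_hosts):
    parser = FrameAudit(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for shop.example (hypothetical site), not taken from the incident.
BAD = next(iter(BLOCKLIST))
SAMPLE = f"""<html><body><h1>Catalogue</h1>
<script src="/js/cart.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<iframe src="http://{BAD}/x" width="0" height="0"></iframe>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, reasons in audit(SAMPLE, {"shop.example", "cdn.shop.example"}):
        print(f"{tag:6} {host:24} {', '.join(reasons)}")
```

Run against files on disk or fetched copies of your own pages, an "off-site" entry that nobody on the team recognises is the signal to check FTP logs and file modification times.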

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback Most Recent of 6 Talkback(s)

  • RE: 90,000 pages compromised in mass iFrame injection attack
    For all those people who say browser vulnerabilities are no big deal, this iFrame can be used to steal information or host malware. This is a great example of why it is in fact a big deal if a website can exploit your browser. 90,000 sites on the web are hosting this site which is malicious...

    Pwn2Own accepts browser exploits because they know that the web is a prolific attack vector and widespread XSS, SQL injection, and PHP worms can lead to high rates of hosted malware and thus high infection rates through browser based exploits.

    This is a huge deal and I wish the analysis in this article pointed out what the stakes are for XSS attacks and received more coverage. 90,000 sites + 1 IE, Safari, or Firefox exploit means potentially millions infected.
    snoop0x7b
    28th Jul
  • RE: 90,000 pages compromised in mass iFrame injection attack
    @snoop0x7b - I agree that it sounds like a pretty bad situation. However, there is a difference between 90,000 *pages* and 90,000 *sites*. (e.g., one of the web sites I help to administer has over 20,000 pages)
    jeremylounds
    29th Jul
  • RE: 90,000 pages compromised in mass iFrame injection attack
    Web browser default settings are key. All major web browsers allow iFrames by default. This leaves it up to the user to either disable iFrames or allow iFrames only for whitelisted URLs. And, while whitelisting URLs minimizes one's exposure to iFrame exploits, legitimate web sites do get hacked.

    Ditto for JavaScript.

    And the last I checked, Google's Chrome browser did not provide a means for users to either disable or whitelist iFrames. Still true?
    Rabid Howler Monkey
    28th Jul
  • Eeem
    29th Jul
  • RE: 90,000 pages compromised in mass iFrame injection attack
    @Eeem Thanks for the link to Chrome's NotScripts extension. It was last updated on December 5, 2010. And the developer recommends that one "have Google Chrome's cookies/local storage setting set to it's default value" for performance reasons.

    I'll stick to Firefox with the NoScript add-on as it gets much more attention from its developer. Also, it doesn't have any dependencies on cookie settings and I like to block 3rd party cookies (not the default). Opera's iFrame setting is built into the browser and does not have dependencies on cookie settings either.
    Rabid Howler Monkey
    29th Jul
