90,000+ pages compromised in mass iFrame injection attack


Security researchers from Armorize have intercepted a currently live mass iFrame injection attack, affecting over 90,000 Web pages.

Once a user visits an affected page, a number of JavaScript redirectors lead the user to a page serving client-side exploits.

How did the attack take place? Malicious attackers are either abusing input validation flaws within the vulnerable sites, or have been harvesting botnets for stolen FTP credentials in order to embed the malicious iFrame in the pages.


The iFrame domain willysy(dot)com is currently flagged as malicious.
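For site owners checking their own pages, the following added example (not code from the article or from Armorize) audits HTML for `<iframe>` and `<script>` elements that load from hosts the site does not expect, and marks the domain named above as known-bad. The allowlisted host, the sample page and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the article reports as flagged; stored defanged, refanged at runtime.
BAD = "willysy(dot)com".replace("(dot)", ".")
KNOWN_BAD = {BAD}

def _matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

class EmbedAuditor(HTMLParser):
    """Collects iframe/script sources that load from unexpected hosts."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, tag, host, verdict)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script or empty frame: no remote source to judge
        # urlparse also handles protocol-relative URLs (//host/path).
        host = (urlparse(src.strip()).hostname or "").lower()
        if not host:
            return  # relative URL, served by the site itself
        if _matches(host, KNOWN_BAD):
            verdict = "known-bad"
        elif _matches(host, self.allowed):
            return
        else:
            verdict = "unexpected"
        self.findings.append((self.getpos()[0], tag, host, verdict))

def audit(html, allowed_hosts):
    auditor = EmbedAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (not taken from the incident).
SAMPLE = f"""<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<iframe src="http://{BAD}/constructed-path" width="0" height="0"></iframe>
<script src="//stats.example.net/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, verdict in audit(SAMPLE, {"example.org"}):
        print(f"line {line}: <{tag}> loads from {host} [{verdict}]")
```

An "unexpected" finding is a prompt to review the page against its last known-good copy, not proof of compromise; the allowlist has to reflect the third-party hosts the site legitimately uses.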


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

5 comments
  • RE: 90,000 pages compromised in mass iFrame injection attack

    For all those people who say browser vulnerabilities are no big deal, this iFrame can be used to steal information or host malware. This is a great example of why it is in fact a big deal if a website can exploit your browser. 90,000 sites on the web are hosting this site which is malicious...

    Pwn2Own accepts browser exploits because they know that the web is a prolific attack vector and widespread XSS, SQL injection, and PHP worms can lead to high rates of hosted malware and thus high infection rates through browser based exploits.

    This is a huge deal and I wish the analysis in this article pointed out what the stakes are for XSS attacks and received more coverage. 90,000 sites + 1 IE, Safari, or Firefox exploit means potentially millions infected.
    snoop0x7b
    • RE: 90,000 pages compromised in mass iFrame injection attack

      @snoop0x7b - I agree that it sounds like a pretty bad situation. However, there is a difference between 90,000 *pages* and 90,000 *sites*. (e.g., one of the web sites I help to administer has over 20,000 pages)
      jeremylounds
  • RE: 90,000 pages compromised in mass iFrame injection attack

    Web browser default settings are key. All major web browsers allow iFrames by default. This leaves it up to the user to either disable iFrames or allow iFrames only for whitelisted URLs. And, while whitelisting URLs minimizes one's exposure to iFrame exploits, legitimate web sites do get hacked.

    Ditto for JavaScript.

    And the last I checked, Google's Chrome browser did not provide a means for users to either disable or whitelist iFrames. Still true?
    Rabid Howler Monkey
    • RE: 90,000 pages compromised in mass iFrame injection attack

      @Rabid Howler Monkey Hmmm..? https://chrome.google.com/webstore/detail/odjhifogjcknibkahlpidmdajjpkkcfn
      Eeem
      • RE: 90,000 pages compromised in mass iFrame injection attack

        @Eeem Thanks for the link to Chrome's NotScripts extension. It was last updated on December 5, 2010. And the developer recommends that one "have Google Chrome's cookies/local storage setting set to its default value" for performance reasons.

        I'll stick to Firefox with the NoScript add-on as it gets much more attention from its developer. Also, it doesn't have any dependencies on cookie settings and I like to block 3rd party cookies (not the default). Opera's iFrame setting is built into the browser and does not have dependencies on cookie settings either.
        Rabid Howler Monkey