Researcher: Beware of massive IFrame attack
Security researcher Dancho Danchev has raised the red flag in his blog about a new scam the bad guys are using to corrupt hundreds of thousands of websites with IFrame redirects. Visit one of these corrupt pages and you just might find yourself caught on another site rigged with malicious code.
The infamous hacking group known as the Russian Business Network (RBN) appears to have a hand in this, he says.
“The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info, where a new malware variant of Zlob is attempting to install through an ActiveX object.”
Danchev says these are the high-profile sites targeted by the same group within the past 48 hours, together with the number of locally cached, IFrame-injected pages found within their search engines:
NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages
More than 400,000 pages appear to have been compromised.
“To sum up — it’s a mess that I’ll continue trying to structure, and it’s a single group exploiting input validation capability within the sites’ search engines we’re talking about,” Danchev said. “With this segmented targeting of sites with high page ranks, and their persistence, it is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites acting as the redirectors to the malware locations.”
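The defect Danchev points to is a site search page that reflects the query string back into the HTML without encoding, so a tag submitted as a search term becomes part of the page that search engines then cache and index. The following is an added illustration, not code from Danchev's post or from any of the sites listed: a minimal vulnerable result renderer beside its entity-encoded fix, plus a small auditor that flags off-site IFrames in a page. The host name, the sample query and the redirector domain are all constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.edu"  # hypothetical host of the site being audited

# Constructed sample of a query carrying a hidden off-site IFrame (placeholder domain).
SAMPLE_INJECTED_QUERY = (
    '<iframe src="http://redirector.example.net/" width="0" height="0"></iframe>'
)


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw query: the missing input/output validation the article describes."""
    return f"<h1>Results for: {query}</h1>"


def render_results_fixed(query: str) -> str:
    """Same page, but the query is entity-encoded so any reflected tag is inert text."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


class IframeAuditor(HTMLParser):
    """Collects <iframe> elements whose src points off-site, the hallmark of the injection."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        src_host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "")
        hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
        if src_host and src_host != self.site_host:
            self.findings.append({"src": src, "hidden": hidden})


def audit_page(page_html: str, site_host: str = SITE_HOST) -> list:
    """Return a list of off-site IFrames found in page_html (empty list means clean)."""
    auditor = IframeAuditor(site_host)
    auditor.feed(page_html)
    return auditor.findings


if __name__ == "__main__":
    print(audit_page(render_results_vulnerable(SAMPLE_INJECTED_QUERY)))
    print(audit_page(render_results_fixed(SAMPLE_INJECTED_QUERY)))
```

Running `audit_page` over locally cached search result pages is one way a site owner could check whether their own search engine has been used as a redirector in this way.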
Posted: March 14th, 2008 under Network Security, Application Security, Information Security Threats, Security Management, Platform Security.
This is just another strong reason to disable ActiveX and control the browser security settings. ActiveX is a nice feature but risky at the same time. Also, network administrators must give attention to security news/blogs to keep up with the latest threats. A slow response will be too late to save your machines. My advice: disable ActiveX, patch… patch and patch, use Firefox 3 because it’s more secure than before. NoScript is a saver.
http://extremesecurity.blogspot.com
Comment by Aa'ed Alqarta — March 18, 2008 @ 9:57 am