Hackers launch massive IFrame attack
Search-cache subversion infects 400,000 pages, traced to RBN
Computerworld - Hackers using a new scam continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites, researchers said today.
The attacks, which began about a week ago, show no signs of slowing, said Dancho Danchev in a posting to his blog yesterday. "The group is continuing to expand the campaign," said the Bulgarian researcher. "These are the high-profile sites targeted by the same group within the past 48 hours, with the number of locally cached and IFrame-injected pages within their search engines."
Danchev listed more than 20 sites that together account for more than 401,000 IFrame-injected pages. The sites include high-profile sites such as the North Carolina State University library, the U.S. Administration on Aging and the U.S. government's Medicare program, as well as questionable sites such as BitTorrent sites hosting pirated software and other content.
The attacks "just keep growing," said Ben Greenbaum, a senior research manager at Symantec Corp.'s security response team. Greenbaum explained the attacks, which are not strictly site compromises, use the search-result caches that these sites maintain.
Likely relying on an automated tool to do the dirty work, the hackers add IFrame code to the saved search results on the sites, Greenbaum said. The next visitor that uses the search tool is then redirected to another Web site by the IFrame code. The second site in turn puts up a message telling the user that a new codec (coder/decoder) needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware -- a new variant of the Zlob Trojan horse -- and installs it on the victim's PC.
"There are multiple levels of redirection going on here," said Greenbaum.
In his posting Wednesday, Danchev said he had identified more than 100 bogus .info domains that were acting as the second-stage redirectors.
Trace it back far enough, and the path leads to the Russian Business Network (RBN) -- a notorious organization that hosts criminals' Web sites and provides them with domains from which they can launch their attacks. "What this means is that known Russian Business Network net blocks are receiving all the rerouted DNS queries from infected hosts, thereby setting up the foundations for a large-scale pharming attack," said Danchev.
"This tactic of poisoning recent search results in legitimate sites is new as of the last week or so," said Greenbaum. "But there are lots of things we can do to prevent this."
If users reject the bogus call to install the codec, the string is broken, and no harm can come to them. Web site operators, on the other hand, can take a number of steps, including properly sanitizing all user input or not caching previous searches.
But Danchev was more pessimistic that the attacks could be halted quickly. "To sum up -- it's a mess," he said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts