People surf to a number of web pages throughout the day - online shopping, banking, social networking, search engines, etc. But do they know when something bad is happening behind the web page visible in their browser? A large number of legitimate web sites have been victims of attacks where the payload modifies the pages on the website to include hidden Iframes pointing to malicious content. This content is processed by the browser, transparently to the user, and can compromise the user’s system if they are running vulnerable client applications (for example, the browser itself, browser plug-ins, Adobe Acrobat reader, and Flash player).
Malicious Iframe attacks are not new but remain heavily used to carry out different attacks. HTML Iframe tags are used to embed content into a web page from a particular source, including sources external to the actual web site. Attackers use zero-pixel Iframes to embed malicious content while keeping that content hidden from the user. People often become victims of such attacks because it is easy to inject malicious Iframes into a legitimate web page by taking advantage of web application vulnerabilities like SQL injection.
Let’s walk through a live example where a malicious Iframe has been injected into a web page. Here is a screenshot of one of the websites injected with an Iframe:
Attackers use obfuscation techniques ranging from simple to complex to encode their malicious script. Because of this, many antivirus engines are unable to detect new injected Iframes. Here are the VirusTotal results for the first example, showing very low detection. Here is the third example of injected obfuscated script:
There are some important points to be considered here.
- In the past, it was common for attackers to inject their malicious Iframes at the bottom / end of the webpage. Attackers are now injecting malicious Iframes anywhere in the webpage.
- Many websites that were found to be infected with malicious hidden Iframes in past months appear to still be infected, meaning most web site owners or hosting providers are not policing the content that they are serving on the web.
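A static check a site owner could run over served pages to find the zero-pixel or CSS-hidden Iframes described above, wherever in the page they were injected. This is an added example, not code from the original post; `IframeAuditor`, `audit`, the sample markup and the `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that hides an element: display:none, visibility:hidden, or 0/1px size.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
TINY_ATTR = re.compile(r"\s*[01]\s*(?:px)?\s*", re.I)  # width="0", height="1px"

class IframeAuditor(HTMLParser):
    """Collects hidden iframes from anywhere in the document, not just the end."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # tuples of (line, src, is_external)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {name: (value or "") for name, value in attrs}
        hidden = (any(TINY_ATTR.fullmatch(a.get(k, "")) for k in ("width", "height"))
                  or HIDDEN_STYLE.search(a.get("style", "")))
        if not hidden:
            return  # visible embeds (video players, maps) are not reported
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        external = (bool(host) and host != self.site_host
                    and not host.endswith("." + self.site_host))
        self.findings.append((self.getpos()[0], src, external))

def audit(html, site_host):
    """Return hidden iframes in `html` as (line, src, is_external) tuples."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for the hypothetical site shop.example.
SAMPLE = """<html><body>
<h1>Shop</h1>
<iframe src="//cdn.attacker.example/in.php" width="0" height="0" frameborder="0"></iframe>
<p>Products</p>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<div><IFRAME SRC="http://stats.attacker.example/x" style="visibility:hidden;width:1px;height:1px"></IFRAME></div>
<iframe src="/local/frame.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, external in audit(SAMPLE, "shop.example"):
        print(f"line {line}: hidden iframe src={src!r} external={external}")
```

The check reads static markup only, so an Iframe that an obfuscated script writes into the page at load time will not appear in its results.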
Start acting now. Be safe while surfing!