Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Injecting Malicious HTML IFrames – Still A Popular Attack Vector

March 01, 2011 - 2 min read
Injecting malicious HTML IFrames into the legitimate web pages has become a commonplace technique in web based attacks. We recently came across another website that is infected with a malicious IFrame. Further research shows that the same malicious IFrame used in this website was also used to infect a number of other legitimate websites. Here is the main page of the infected site:





The page itself provides no visible indication of infection, but if you look at the source of the webpage, you will notice a malicious IFrame injected under the Latest News section. Here is the source of page,





The malicious IFrame points to “hxxp:// nutcountry.ru:8080/index.php?pid=13” which is currently down. By taking the advantage of known/unknown vulnerabilities, attackers have injected malicious IFrames into many legitimate web pages. In this particular case, not only the home page is infected, but all the other pages on the site are infected. This likely indicates that the attacker used a SQL injection vulnerability to inject the malicious IFrame into the backend database from which webpages are dynamically generated. A quick search on Google reveals a significant number of websites infected with with the same IFrame. Here is screenshot of the search results:





Another search reveals that Google has begun to proactively warn users about some of the pages associated with this attack.





You will note that the search results include ~85k sites which suggests that this particular attack was very broad in scope. This attack also appears to have leveraged persistent XSS (Cross Site Scripting) vulnerabilities to inject malicious IFrames into the comment sections of various web forums. Here is a screenshot of one such website:





Here is a list of malicious IFrames associated with this attack that you should block:


hxxp:// nutcountry.ru:8080/index.php?pid=13


hxxp:// parkperson.ru:8080/index.php?pid=13


hxxp:// blockoctopus.ru:8080/index.php?pid=13


hxxp:// nemohuildiin.ru/tds/go.php?sid=1








Attackers are continuing to take advantage of the poor security in web applications by writing utilities that are capable of infecting large numbers of sites in short period of time due, which in turn translates to thousands of victims with minimal effort.



form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.