CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 28th, 2008

Massive IFRAME Search Results Attack

A massive IFRAME injection attack, which started last week, is slowly turning into a large-scale audit of web application vulnerabilities on high-profile sites. Last week Symantec rated the attack as medium risk, and StopBadware and US-CERT issued a warning about the incident. After another week of monitoring the campaign, the latest malware and the sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMEs; whether an IFRAME actually loads depends entirely on the site's web application security practices.
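To make concrete how a site's own output handling decides whether an injected IFRAME loads, here is an added example that is not part of the original article. It assumes a hypothetical results page that echoes the search query into a heading and back into the search box; the template, function names and the `redirector.invalid` host are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed queries; redirector.invalid is a reserved placeholder host.
SAMPLE_QUERIES = [
    'cheap tickets',
    'cheap tickets <iframe src="http://redirector.invalid/x" width=1 height=1></iframe>',
    '"><iframe src="http://redirector.invalid/x"></iframe>',  # breaks out of an attribute
]

# Hypothetical results page: the query lands in element content and in an attribute.
PAGE = '<html><body><h1>Results for {q}</h1><form><input name="q" value="{q}"></form></body></html>'

def render_unsafe(query):
    """Write the query into the markup verbatim (the weak practice)."""
    return PAGE.format(q=query)

def render_safe(query):
    """Same page with the query HTML-encoded, quotes included, before output."""
    return PAGE.format(q=html.escape(query, quote=True))

class _IframeFinder(HTMLParser):
    """Collects the src of every IFRAME element that parses as real markup."""
    def __init__(self):
        super().__init__()
        self.sources = set()

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.add(dict(attrs).get("src") or "(no src)")

def iframe_sources(page):
    """Parse the rendered page and return the IFRAME sources it contains."""
    finder = _IframeFinder()
    finder.feed(page)
    finder.close()
    return sorted(finder.sources)

def audit(render, queries=SAMPLE_QUERIES):
    """Map each query to the IFRAME sources that survive in its result page."""
    return {q: iframe_sources(render(q)) for q in queries}

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        for query, found in audit(render).items():
            print(f"{name:6} {query[:30]!r:34} -> {found or 'no live IFRAME'}")
```

The same `audit` check can be pointed at a real rendering function in a test suite, so a regression in output encoding fails the build before a cached result page ever reaches a search index.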

The main IPs within the IFRAMEs, which act as redirection points to the newly introduced rogue software and malware, remain the same and are still active. High-profile websites have been successfully injected with IFRAMEs forwarding to the rogue security software and Zlob malware variants. Some of the websites attacked:

USAToday.com, ABCNews.com, News.com, Sears.com, Circuitcity.com, Target.com, Packard Bell.com, Walmart.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu

The number and importance of the sites has increased. Google appears to be filtering the search results, even where the malicious parties may already have successfully injected the IFRAMEs, in an attempt to undermine the campaign. New malware and fake codecs are being introduced under new domain names, along with a couple of newly introduced domains within the IFRAMEs themselves.

Google is actively filtering the results and removing the cached pages on a number of domains. The attack, which started two weeks ago, is continuing: the main IPs behind the IFRAMEs are still active, and new pieces of malware and rogue software are being introduced, hosting for which is still courtesy of the RBN. We're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in combination with IFRAME injections.
 
[Screenshot: infected News.com search results]
