An iframe injection is the injection of one or more iframe tags into a page's content. The iframe typically does something malicious, such as downloading an executable that contains a virus or worm, which then compromises the visitor's system.
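A defender-side check for the injected tags described above, as an added example that is not code from the original page: it parses a page's HTML and reports iframes that point off-site or are hidden from the visitor. The allowlist, the hiding heuristics and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to frame (assumption: constructed allowlist).
ALLOWED_HOSTS = {"www.example.com", "player.example-video.test"}

class IframeAuditor(HTMLParser):
    """Collects every <iframe> tag with the reasons it looks injected."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host not in self.allowed_hosts:
            reasons.append("off-site host " + host)
        # Assumed heuristics: 0/1 px frames and hidden styles are invisible to visitors.
        style = a.get("style", "").replace(" ", "").lower()
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("near-zero size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        self.findings.append((src, reasons))

def audit(html, allowed_hosts=ALLOWED_HOSTS):
    """Return only the iframes that have at least one suspicious trait."""
    parser = IframeAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return [(src, reasons) for src, reasons in parser.findings if reasons]

# Constructed sample page: one expected embed, one injected frame.
SAMPLE = """
<html><body><h1>News</h1>
<iframe src="https://player.example-video.test/v/1" width="640" height="360"></iframe>
<p>Story text</p>
<iframe src="http://unknown-host.invalid/x" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE):
        print(src, "->", ", ".join(reasons))
```

Run against rendered pages or stored templates on a schedule, this flags a frame that appears without a matching change by the site owner.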
iFrame injection attacks are not quite as common on the web as they once were; however, they do still happen from time to time. We were recently alerted to an iFrame injection by one of our users and in hunting down the cause for the attack
The hacker(s) set up innocent-looking sites (or use previously hacked sites whose owners are usually unaware of the compromise) and load them with expensive hacking tools like MPack. When someone visits such a site, their browser is detected and attacked (the browsers affected are IE, Firefox and Opera). The visitor moves on, unaware that they may now have a keylogger that sends their passwords etc. to the hacker(s).
Today, however, we found an interesting type of iframe injection. Its uniqueness is not in the use of the iframe tag to embed content, but rather in the vector used to distribute the malware: the attacker obfuscated the payload inside a PNG file.