IFrame Injections

An iframe injection is the injection of one or more iframe tags into a page’s content. The iframe typically does something malicious, such as downloading an executable that carries a virus or worm: something that compromises a visitor’s system.

Site compromised or hacked

iFrame injection attacks are not quite as common as they once were on the web; however, from time to time they still happen. We were recently alerted to an iFrame injection by one of our users, and in hunting down the cause of the attack
The hacker(s) are setting up innocent-looking sites (or using previously hacked sites whose owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits such a site, their browser is detected and attacked (the browsers affected are IE, Firefox and Opera). The visitor, unaware that they may now have a keylogger that sends their passwords etc. to the hacker(s), simply moves on.

Today, however, we found an interesting type of iframe injection. The uniqueness is not in the implementation of the iframe tag used to embed content, but in the vector used to distribute the malware: the attacker obfuscated the payload inside a PNG file.
This is unique because of the level of effort taken to obfuscate the payload. Most scanners today will not decode the metadata in the image; they stop at the JavaScript that is being loaded and do not follow the trail any further. That also speaks to the benefit, at least for attackers: it is exceptionally difficult to detect.
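As an added example (not code from the original post, and not any vendor's scanner), the following Python script shows the two checks a defender would want after reading this: a parser that flags iframes which point off-site, are near-zero sized or are hidden by inline style, and a PNG chunk walker that decodes tEXt/zTXt metadata and reports entries that look like script, which is exactly where a scanner that stops at the image bytes never looks. The page HTML, the site hostname `www.example.com`, the hostname `bad.example` and the PNG itself are constructed sample inputs; the two regular expressions are illustrative heuristics, not a signature set.

```python
# Added example, not code from the original post: a small defender-side scanner for
# the two things the post describes, an injected/hidden iframe in page HTML and
# script-like text stashed in PNG metadata chunks. All inputs are constructed.
import re
import struct
import zlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns (assumptions, not an exhaustive signature set).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPT_HINT = re.compile(r"<script|eval\(|document\.write|unescape\(|fromCharCode", re.I)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    digits = re.sub(r"\D", "", value)        # "1px" -> "1", "640" -> "640"
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, site_host):
    """[(src, reasons)] for iframes that are off-site, near-zero sized or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host   # relative src -> same host
        reasons = []
        if host != site_host:
            reasons.append("off-site src " + host)
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


def png_chunks(data):
    """Yield (type, body) per chunk, checking each CRC so tampering is not skipped."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC in %s chunk" % ctype.decode("latin-1"))
        yield ctype.decode("latin-1"), body
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text_metadata(data):
    """Decode tEXt (plain) and zTXt (deflate) chunks into (keyword, text) pairs."""
    out = []
    for ctype, body in png_chunks(data):
        if ctype in ("tEXt", "zTXt"):
            key, _, rest = body.partition(b"\x00")
            text = rest if ctype == "tEXt" else zlib.decompress(rest[1:])  # rest[0]: method
            out.append((key.decode("latin-1"), text.decode("latin-1", "replace")))
    return out


def find_script_in_png(data):
    """Metadata entries that look like script: what a scanner stopping at the image misses."""
    return [(k, v) for k, v in png_text_metadata(data) if SCRIPT_HINT.search(v)]


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 greyscale PNG: a benign tEXt entry plus a zTXt entry holding
    inert script-like text, used only to exercise the scanner."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                 # filter byte + one pixel
    ztxt = b"Comment\x00\x00" + zlib.compress(b"<script>document.write('x')</script>")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Author\x00constructed sample")
            + _chunk(b"zTXt", ztxt) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Constructed page: one legitimate same-site iframe and one injected-looking one.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://bad.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports only the second iframe, with all three reasons, while `find_script_in_png(build_sample_png())` surfaces the zTXt entry that a scanner stopping at the image bytes would ignore. In a real deployment the hostname allow-list would come from the site's configuration, and the CRC check in `png_chunks` is deliberate: a chunk that fails it is worth flagging rather than silently skipping.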

