Online attackers have found a way to inject IFRAME redirects into the search results of major sites, including tech news site ZDNet Asia and BitTorrent tracker TorrentReactor, researchers discovered on Tuesday.
By abusing the way the sites cache search queries to improve their rankings in other search engines -- most notably Google -- fraudsters have been able to inject iframe redirects into the cached results. The redirects send unwary users to servers affiliated with the Russian Business Network, which attempt to install a fake antivirus product known as XP Antivirus, according to Dancho Danchev, an independent security researcher based in the Netherlands.
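The mechanism described above is a reflected HTML injection that becomes persistent because the site caches, and search engines then index, the page generated for an attacker-chosen query. The following Python is an added example, not code from the article or from either site: a toy search-page renderer in its vulnerable form beside an HTML-escaping fix, plus a small audit function that flags iframes pointing off-site in a rendered page. The attacker host `attacker.invalid` and the sample query are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed attacker-controlled search term (hypothetical hostname, not from
# the article): the "keyword" is really an invisible iframe.
INJECTED_QUERY = (
    'cheap software '
    '<iframe src="http://attacker.invalid/redirect" width="0" height="0"></iframe>'
)


def render_search_page_vulnerable(query: str, hits: list[str]) -> str:
    """Reflect the raw query into the page -- the pattern the article describes.

    If the site caches this page under the query and a crawler indexes it,
    every visitor arriving from the search engine receives the iframe.
    """
    items = "".join(f"<li>{hit}</li>" for hit in hits)
    return f"<h1>Search results for: {query}</h1><ul>{items}</ul>"


def render_search_page_fixed(query: str, hits: list[str]) -> str:
    """Same page, but the query and each hit are HTML-escaped before reflection,
    so injected markup is displayed as text instead of being parsed."""
    items = "".join(f"<li>{html.escape(hit)}</li>" for hit in hits)
    return f"<h1>Search results for: {html.escape(query)}</h1><ul>{items}</ul>"


# Matches an iframe tag and captures the value of its src attribute.
IFRAME_SRC_RE = re.compile(
    r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)


def find_foreign_iframes(page: str, own_host: str) -> list[str]:
    """Return iframe src URLs whose host differs from own_host.

    A cheap check to run over cached or indexed search-result pages when
    looking for injected redirects of the kind the article reports.
    """
    foreign = []
    for src in IFRAME_SRC_RE.findall(page):
        host = (urlparse(src).hostname or "").lower()
        if host != own_host.lower():
            foreign.append(src)
    return foreign


if __name__ == "__main__":
    hits = ["Result one", "Result two"]
    bad = render_search_page_vulnerable(INJECTED_QUERY, hits)
    good = render_search_page_fixed(INJECTED_QUERY, hits)
    print("vulnerable page leaks:", find_foreign_iframes(bad, "www.example.com"))
    print("fixed page leaks:", find_foreign_iframes(good, "www.example.com"))
```

Running the script shows the vulnerable renderer emitting a live iframe to `attacker.invalid`, while the escaped version contains only the literal text `&lt;iframe ...`. The audit function is deliberately host-based rather than keyword-based: the tell-tale sign in this campaign is not any particular URL but an iframe loading from a host the site does not own.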
The attack, which Danchev stressed was not a compromise of ZDNet Asia or TorrentReactor, also tries to weed out security researchers who might be investigating the malicious code, the Bulgarian researcher said in a blog post on Tuesday.
"The malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers," he wrote. "And if you're not coming from (where) you're supposed to come, you get a 404 error message -- deceptive to the very end of it."
Online criminals have increasingly favored compromising legitimate sites with malicious code or with snippets of HTML, known as iframe code, designed to redirect visitors to malicious Web sites. Last month, Web security firm Finjan described a site that sold access to servers so that would-be attackers could upload iframe attacks via the file transfer protocol (FTP). The Russian Business Network, a hosting provider for a significant portion of the underground activity on the Web, has often been accused of knowingly hosting malicious content on its servers.
Antivirus firm F-Secure also investigated the iframe scheme, finding that more than 20,000 Google results for ZDNet Asia had the malicious redirect injected into them.
CORRECTION: The original article indicated the wrong nationality for Dancho Danchev. He is Bulgarian.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos