Online fraudsters have continued to expand their efforts this week to inject iframe attacks into the optimized search results of major Web sites.
The attack abuses a common practice among Web sites -- caching search queries -- an activity designed to boost their rankings among major search engines, such as Google, according to security researcher Dancho Danchev. The attackers submit common search terms together with an iframe script designed to send victims to other sites hosting malicious code. Because the search term is reflected into the cached results page, both the term and the iframe redirect end up indexed by search engines such as Google.
Sites impacted by the attack, which is not a compromise of the site itself, include Wired.com, CNET properties, History.com, and the site of the North Carolina State University (NCSU) library system, Danchev stated.
Victims who click on the links in Google will be sent to sites hosting malicious code. Computers compromised by the resultant attack will end up infected by the Zlob Trojan horse and will have domain-name lookup requests rerouted to malicious servers, he stated.
"What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack by infecting the weakest link, the end user," Danchev said. "From the perspective of using rogue DNS servers, a much more effective but noisy approach."
Online criminals have increasingly favored compromising legitimate sites with malicious code or with snippets of HTML known as iframe code designed to redirect visitors to malicious Web sites. Last month, Web security firm Finjan described a site that sold access to servers so that would-be attackers could upload iframe attacks via the file transfer protocol (FTP). The Russian Business Network, a hosting provider for a significant portion of the underground activity on the Web, has often been accused of knowingly hosting malicious content on its servers.
Last week, the attacks aimed to poison searches for ZDNet Asia content and a major BitTorrent search site. Those sites -- and others, including CNET sites and Wired.com -- have begun filtering out scripts in their search queries, Danchev stated this week.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos