IFrames Resurface as Popular Attack Vector for Hackers

Security experts warn of rise in "poisoning" of thousands of Web pages via iFrame exploit.

There was a time when end users and IT shops could avoid remote code execution exploits by simply patching vulnerable applications, staying away from questionable URLs and not opening suspicious e-mail attachments.

But security experts warn that this period may be coming to an end, particularly in light of recent widespread attacks against several hundred thousand Web pages and what one researcher, Dancho Danchev, called the "poisoning" of more than a million search queries with loadable inline frames, or what's commonly known as iframes.

"What we're seeing is an old idea -- hacking for profit -- with a relatively recent distribution point, the iframe," said Don Leatham, senior director of solutions at Scottsdale, Ariz.-based Lumension Security. "The hackers are able to set the expectation that you're on a trusted site that is recommending you download a particular software or directing you to bogus address, anything to reel you in and then use the old Trojan uploads like .Zlob."

The recent attacks, which began in the beginning of March and continued through last week, affected some of the Web's most frequented destinations, including, ABC News' homepage, and others.

Hackers have done this sort of thing in the past through phishing or "masquerade ball" attacks using, for example, URLs that are off by one letter or Web pages that pose as legitimate sites linking to eBay or PayPal. But observers say this new approach is different and more effective because the user is tricked into thinking they've never left their trusted Web address.

This is because iframes are hypertext mark-up language (html) elements that enable hackers to embed specially crafted and malicious Web-language-based files inside a seemingly benign Web interface. The iframes are supposed to be used to subdivide content of a given Web site. One of the more common uses of iframes is creating an advertisement or sidebar URL that might pop up on a homepage without one having to leave that homepage.

Security practitioners say such attacks are especially effective in browsers such as Internet Explorer.

"This is concerning because this could impact a user if they visit what they believe to be a legitimate Web site or search engine," said Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies. "Users have thus far been conditioned to be careful when visiting potentially questionable Web sites. Now that legitimate Web sites are being impacted, you can no longer mitigate the risk by saying 'be careful where you surf.'"

Both Schultze and Lumension's Leatham said they would encourage enterprise security specialists to lock down the network at the firewall level, confining workstations only to sites that are pertinent to business in the event all else fails.

Meanwhile, for managers of computer processing environments who wish to take a less stringent approach, keeping up with the latest anti-virus and anti-malware signatures as well as patches, such as those form Microsoft, is also a good approach.

"It's a good bet that we'll see a lot more of this style attack in the future," said Schultze.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Exchange Server June Cumulative Updates Arrive, But with Red Tape

    Microsoft released its quarterly cumulative updates (CUs) for Exchange Server 2013, 2016 and 2019 products this week, but added an extra step for IT pros to consider before installing them.

  • Moving an Old VM to a New Hyper-V Host

    So you want to know whether a Hyper-V virtual machine built on a legacy host will be supported by a newer server? There's a PowerShell command for that.

  • AI-Driven Solution Tracks Packets Through the Datacenter

    Datacenter solutions vendor Kaloom this week unveiled a new offering the company says will enable the development of "self-driving" datacenter networks.

  • Microsoft Previews Azure Bastion Service for Private VM Access

    Microsoft on Tuesday announced a preview of the Azure Bastion service, which lets a user connect to an Azure virtual machine (VM) using a private Internet connection.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.