ScanSafe


iFrame used to spread Malware on prominent Legal and Music sites including Clintons and the Nationwide Mercury Prize

ScanSafe, the largest global provider of Web Security-as-a-Service, warned today of a hacking attack leveraging iFrames to spread 'drive-by' malware via well known and trusted websites. Up to 3,500 sites hosted by DreamHost are potentially at risk from the attack.

Threat Center has so far warned of two high profile U.K. sites that were compromised to spread malware. The two sites are:

  • www.clintons.co.uk, a well known law firm that has represented musicians including Paul McCartney, The Who, Jimi Hendrix and U2; and,
  • www.nationwidemercurys.com the prestigious Mercury music awards site sponsored by the Nationwide, whose previous winners have included Coldplay and the Arctic Monkeys.

The ScanSafe Threat Center first detected malware on the Clintons site on June 1 and on the Mercury site on June 4 and has contacted both organisations to notify them of the threat.

14 percent of ScanSafe's worldwide customer base were protected from the drive-by download through the ScanSafe Web Malware Scanning service.

Both the Clintons and Mercury sites exposed visitors by unknowingly hosting an iFrame (an inline frame, a floating frame inserted within a Web page) that loads the malicious Trojan-Downloader.JS.Psyme.fq. It then redirects to a second infected website, www.alaqiq.net/quran/gstata/index.php?file, where a second and critical piece of malware, Trojan-Downloader.Win32.Small.mi, is executed, compromising users' PCs. The entire attack is completely invisible to the user because it leverages an iFrame that is a mere 1x1 pixel in size.

According to an email sent by DreamHost to its customers on June 5, a third party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts. DreamHost has recommended that its customers change their FTP account passwords immediately.

ScanSafe Threat Center reports that it is increasingly seeing legitimate sites compromised unknowingly with iFrames. Hackers often insert an iFrame through a vulnerable application, a vulnerable SSH server or FTP server. In this case ScanSafe expects the attack to continue rising until all affected FTP servers have been secured. ScanSafe is monitoring Internet traffic closely through its 8 global datacenters which are currently scanning 7 billion web requests on behalf of its customers in 40 countries.
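A check a site owner could run over their own pages for the pattern described above, as an added example that is not ScanSafe's code or part of the original release: it flags iframes that load from another host and are 0 or 1 pixel in size or hidden by CSS. The function name `audit_html`, the size thresholds and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: "invisible" means a 0/1-pixel dimension (the 1x1 frame above) or CSS hiding.
TINY = {"0", "1", "0px", "1px"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CSS_DIM = re.compile(r"(?:^|;)\s*(?:width|height)\s*:\s*([^;]+)", re.I)

class IframeAuditor(HTMLParser):
    """Records iframes that load from another host and are effectively invisible."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "").strip() for name, value in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no hostname and count as same-site, as do subdomains.
        offsite = host not in ("", self.site_host) and not host.endswith("." + self.site_host)
        style = a.get("style", "")
        dims = [a.get("width", ""), a.get("height", "")] + CSS_DIM.findall(style)
        reasons = []
        if any(d.strip().lower() in TINY for d in dims):
            reasons.append("tiny")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden")
        if offsite and reasons:
            self.findings.append((self.getpos()[0], a["src"], reasons))

def audit_html(html, site_host):
    # Returns the suspicious iframes found in one HTML document.
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page (hosts are placeholders, not taken from the article).
SAMPLE = """<html><body>
<iframe src="https://maps.partner.example/embed" width="600" height="400"></iframe>
<iframe src="/local/banner.html" width="1" height="1"></iframe>
<iframe src="http://injected.example/index.php" width=1 height=1 frameborder=0></iframe>
<iframe src="//injected.example/x" style="visibility:hidden"></iframe>
</body></html>"""
if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE, "example.org"):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

A visible third-party embed and a tiny same-site frame are both left alone; only the combination of off-site source and invisibility is reported, which keeps the output short enough to review after an FTP credential reset.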

Eldar Tuvey, CEO of ScanSafe, commented: 'The recent rise in this type of iFrame attack highlights the need for anti-malware solutions that scan Web traffic in real-time. Existing corporate defences which rely on outdated filtering solutions cannot keep up with the dynamic, user-generated content that characterizes today's internet, particularly Web 2.0 sites.