Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side […]
Posts Tagged: Compromised Web Site
Sharing is caring. In this post, I’ll put the spotlight on a currently circulating, massive — thousands of sites affected — malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. Ultimately hijacking the legitimate traffic hitting them and successfully undermining the confidentiality and integrity of the affected users’ hosts.
Our sensors just picked up an interesting Web site infection that’s primarily targeting Brazilian users. It appears that the Web site of the Brazilian Jaqueira prefecture has been compromised, and is exposing users to a localized (to Portuguese) Web page enticing them into installing a malicious version of Adobe’s Flash player. Not surprisingly, we’ve also managed to identify approximately 63 more Brazilian Web sites that are victims to the same infection.
We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that’s interestingly part of the very same infrastructure from May, 2013′s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that’s offline. Let’s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.
Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign. More details: