We’ve intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that’s interestingly part of the very same infrastructure from May, 2013’s analysis of the compromise of an Indian government Web site. The good news? Not only have we got you proactively covered, but also, the iframe domain is currently redirecting to a client-side exploit serving URL that’s offline. Let’s provide some actionable intelligence on the malicious activity that is known to have originated from the same iframe campaign in the past month, indicating that the cybercriminal(s) behind it are actively multi-tasking on multiple fronts.
iframe URL: karenbrowntx.com – 18.104.22.168
Client-side exploits serving redirector: hxxp://ww2.taylorgram.com/main.php?page=3081100e9fdaf127 – known to have responded to 22.214.171.124 and most recently to 126.96.36.199
The same URL is also known to have been dropping malicious software on the hosts of affected PCs on 2012-06-12, in particular MD5: 923324a0282dd92c383f8043cec96d2d
Known to have responded to the same IP (188.8.131.52) are also the following malicious domains:
We’re also aware of the following malicious MD5s that have used the same IP as C&C server during October, 2013:
Known to have responded to the same IP (184.108.40.206) are also the following malicious domains:
We’re also aware of the following malicious MD5s that have phoned back to the same IP:
Webroot SecureAnywhere users are proactively protected from this threats.