It’s not news to a lot of people that popular websites get compromised to serve malware through iframes. It is news to Brazilians, however. Two well-known websites were compromised a week ago to serve malware.

One of them is a phone company website. It was compromised with an iframe inserted in its home page. The code was being loaded from a website hosted in a Yahoo! Premium hosting account. It is believed the criminals themselves signed up to this account. The attack was rather simple, and only a single MDAC exploit (details here) was used. Both the telephone company and Yahoo! were notified. Yahoo! took the site down first.

The other website is a popular humor website. This time the redirect — again with an MDAC exploit — was to a compromised host. If users had to depend on the website's own efforts, they would still be getting infected: the iframe code is still up nearly one week after notification. Thankfully, the owners of the compromised host took the file down in no time.

It does show that even network operators, like phone companies, aren’t prepared to deal with such attacks. In Brazil, defacement was (and still is) very popular — the 2nd largest TV network homepage was replaced this month with a protest message. But defacements are quickly noticed, which isn’t true of malicious iframes. Defacements are also more shameful, so website owners are more likely to shut their sites down until the problem is solved. That wasn’t true of any of the iframe cases, and we had word that the phone company, for one, was aware of the problem at least 12 hours before the file was taken down.
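One way a site owner can turn that into a routine check of their own home page: flag any iframe that points off-site or is hidden from the viewer. This is an added example, not code from the original post; the sample HTML and host names are constructed.

```python
"""Flag iframes that point off-site or are hidden, the usual shape of an injected
one. Added example; sample HTML and host names are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Zero-sized or display:none frames are a classic sign of injection."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return width == "0" or height == "0" or "display:none" in style \
        or "visibility:hidden" in style


def suspicious_iframes(html, site_host):
    """Return iframes whose src leaves the site or which are hidden."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        off_site = host != site_host and not host.endswith("." + site_host)
        if off_site or is_hidden(attrs):
            flagged.append({"src": src, "off_site": off_site, "hidden": is_hidden(attrs)})
    return flagged


# Constructed sample: a legitimate same-site banner and an injected hidden frame.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://hosting.example.net/x.html" width="0" height="0"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "www.example.com.br"):
        print(hit)
```

Run it against a saved copy of the home page on a schedule; a new hit is the early warning a defacement gives for free and an iframe does not.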

Even though the vulnerability used was an old one, many users don’t update their systems, due to high levels of piracy as well as common misconceptions (like “updates slow your computer down”). One is left to wonder how many hits those iframes — both installing bank password stealers — got.

Posted Saturday, September 29th, 2007 at 6:29 pm
Filed Under Category: Brazil, Viruses, Vulnerabilities
