Winds of change

Iframes are used on many websites legitimately, however, there are many websites where iframes are used maliciously as seen by the rise is Mal/Iframe detections. Many legitimate iframes have similar characteristics to malicious ones making detection problematic.

To help combat malicious iframes SophosLabs, in conjunction with our technology partners, scan parts of the internet looking for potentially malicious iframes. Then each day an automated script analyses them and sends an email into SophosLabs with details of the iframes.

Last week we noticed something very strange – one domain was being referenced many times more often than any other in that days batch of suspicious iframes. For the bulk of domains referenced in malicious iframes, the following characteristics are present:

  • domain is recently registered
  • registration details are peculiar
  • the site has been associated with other malicious scripts

The domain in question here however, was old and the registration details were valid (registered to a major Asian Government). Search Engine results, for this domain, indicated that it is a legitimate environmental journal. In fact, the domain’s contact email address is a governmental one.

This type of drive-by attack is on the rise and this particular example is one of the more legitimate websites I have seen hit.