Invisible iFrame drive-by malware attacks explained [VIDEO]

Filed Under: Featured, Malware, Video, Vulnerability

FrameiFrames and script tags are being used by malicious hackers to serve up drive-by internet attacks, silently and invisibly.

iFrames allow webmasters to embed the content of one webpage into another, seamlessly.

There are legitimate reasons why some websites may want to do that - but what cybercriminals do is exploit the functionality (presumably they have been able to gain write access to the website) to deliver malware such as fake anti-virus or a PDF vulnerability exploit to infect your computer.

What's sneaky is that malicious hackers can make the embedded content invisible to the naked eye, by making the window zero by zero pixels in size. You can't see the threat, but your web browser is still dragging it down.

Check out the following video by our own Chet Wisniewski, which shows how malicious iFrames work:

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you want to learn more you can subscribe to our YouTube channel for similar videos. But even better than that, we hold regular "Anatomy of Attack" events where we demonstrate malware threats and you can quiz Sophos experts.

If there's not an "Anatomy of an Attack" event scheduled in your area soon, drop us a note and we'll let you know if and when one is coming to your part of the world.

Empty picture frame image from Shutterstock.

, ,

You might like

7 Responses to Invisible iFrame drive-by malware attacks explained [VIDEO]

  1. Broughton Manning · 1146 days ago

    This is great to see glad you guys are here. Is there a way, or code to pre screen, or uncover interference before it executes. Cause I don't think anti virus would cover something it's told is 'fine' don't worry about it-it's just the code. Or is there a 'thing' antivirus or other I can load into iPhone cause I don't see 'equipment' makes much difference. I still get on the net. So whats the difference. I'd like a hardware to keep data as a perfect shot that is any breeches to code sets of alarm-no load quarantine. Showing where & why this trigger happened. Ideas??? I'm going from a point of knowing nothing. Thanks.

  2. Jason · 1146 days ago

    You had me up until the point where the browser did exactly its job and BLOCKED THE THREAT and you said "well, we're going to dismiss this for now" If the browser warns you and you do it anyway, my sympathy level goes to zero.

  3. Yhg · 1075 days ago

    Jason, not all browsers warn you, it might be that IE is only one?

  4. firebear · 1017 days ago

    in firefox you can take the extension "no-script" it turns off all javascripts on the loading of a website and you can allow by domain-name wich you would like to execute.

    By the way sophos i like this site but "no-script" tells me that 18 Domains want to execute Javascript on this article. On my computer there is only 3 allowed and i can see the whole article. You tell us how dangerous it might be to allow the execution of foreign code, but what you show on this site?

  5. Gonzalo · 992 days ago

    The javascript loaded into an iframe from another domain is restricted and cannot do anything harmful other than annoy you with alerts or slow down your connection by making lots of requests. It cannot display any graphical elements to do phishing (since the iframe is 0x0), for instance.
    Not exactly a security thread.

    It's true old browsers had security issues regarding iframes but not modern ones

  6. vic · 704 days ago

    What's the point of loading js in a malicious iframe when you have access to the source code anyway.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley