The Web sites of several major companies have fallen victim to IFRAME injection attacks, thereby placing customers at risk and revealing a huge lack of adequate application security.
According to security researcher Dancho Danchev, who originally discovered the outbreak two weeks ago, the number of affected pages could now be well over 1 million.
Recent high-profile victims with heavily trafficked Web sites include ABC News, USA Today, Target, Walmart, Circuit City, Sears, Forbes, JC Penney, Packard Bell, Bloomingdales, The Miami Herald, Patent Storm, Epinions, WebShots, and many others.
Danchev wrote that "Google is actively filtering the results \[and\] in fact removing the cached pages on number of domains when I last checked. \[That\] makes it both difficult to assess how many and which \[other\] sites are actually affected."
The attack involves injecting specific HTML code into Web forms at vulnerable sites. The backend application code that processes those forms fails to adequately sanitize the form input, thereby allowing the injected code to become part of a subsequent Web page at the site. Those pages are then indexed by major search engines and often wind up with high page ranks in search results. Unsuspecting users visit the infected pages and become victims of whatever malicious exploits reside within the pages linked to by the IFRAMEs.
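The failure described above, as an added Python illustration (not code from the article or from any affected site): a page that echoes a submitted form value unencoded next to the same page with output encoding, plus a check that lists the IFRAMEs a browser would actually parse. The page template, the function names and the hosts `example.invalid` and `www.shop.example` are assumptions constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: a form value carrying IFRAME markup.
# example.invalid is a placeholder host, not an indicator from the article.
INJECTED_TERM = 'tv deals"><iframe src="//example.invalid/x" width=1 height=1></iframe>'

def render_results_vulnerable(term: str) -> str:
    """'Before' form: the submitted value is pasted into the page unencoded."""
    return f'<h1>Results for "{term}"</h1><input name="q" value="{term}">'

def render_results_hardened(term: str) -> str:
    """'After' form: HTML-encode the value for text and quoted-attribute contexts."""
    safe = html.escape(term, quote=True)
    return f'<h1>Results for "{safe}"</h1><input name="q" value="{safe}">'

class _IframeFinder(HTMLParser):
    """Collects the src of every <iframe> start tag found when parsing the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src"))

def iframe_sources(page: str) -> list:
    """Return the src attribute of each IFRAME element present in the markup."""
    finder = _IframeFinder()
    finder.feed(page)
    finder.close()
    return finder.sources

def foreign_iframes(page: str, allowed_hosts) -> list:
    """Audit helper: IFRAME sources whose host is not on the site's allow-list."""
    return [src for src in iframe_sources(page)
            if urlparse(src or "").hostname not in allowed_hosts]

if __name__ == "__main__":
    allowed = {"www.shop.example"}  # hypothetical first-party host
    for render in (render_results_vulnerable, render_results_hardened):
        page = render(INJECTED_TERM)
        print(render.__name__, "->", foreign_iframes(page, allowed))
```

The same `foreign_iframes` check can be run over cached or stored pages to find ones that already carry injected markup, since encoding new output does not clean pages generated earlier.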
"The main \[IP addresses\] behind the IFRAMEs are still active, new pieces of malware and rogue software \[are\] introduced - hosting for which is still \[driven by the Russian Business Network\], and we're definitely going to see many other sites with high page ranks targeted by a single massive \[search engine\] poisoning in a combination with IFRAME injections," Danchev concluded.