This morning, Fraser Howard and the security researchers of Sophos Labs are reporting this discovery: the recent wave of Web site defacement attacks, including one against the outreach site for the National Cyber Security Alliance, appears to have a common source. Something is injecting malicious <IFRAME> elements into the front pages of everyday Web servers.
What makes this particular malicious injection different from thousands of others, Howard learned, is that the injected PHP code quite cleverly checks the URL and user-agent string of the requesting client, to determine whether the client is accessing the page through a search engine link, such as Google.
The reason: Google and other search engines actively scan the pages their results link to, looking for behavior such as redirection to another site. When the injected code sees that the request arrived through a search engine, it skips the redirect. The visitor who clicked the search result never sees the defaced page, and, more importantly for the attacker, the search engine never observes the defacement and so never flags the site.
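The cloaking decision described above, together with a check a site owner can run against it, as an added example that is not from Sophos or the article. The server side simulates the injected code's decision; it is assumed here that the "URL" check is on the HTTP Referer header, and the crawler names, referrer domain markers and placeholder iframe host are constructed for illustration. The defender side requests the same page under several header profiles and reports any embedded source that appears under only some of them, which is exactly the divergence this kind of cloaking produces.

```python
import re

# Constructed lists (not from the article) used by the simulated injected code.
SEARCH_ENGINE_UA = ("googlebot", "bingbot", "slurp", "msnbot")
SEARCH_ENGINE_REFERERS = ("google.", "bing.", "yahoo.", "search.")

# Placeholder payload; example.invalid is a reserved, non-routable name.
INJECTED_IFRAME = ('<iframe src="http://example.invalid/x.html" '
                   'width="1" height="1"></iframe>')
CLEAN_PAGE = "<html><body><h1>Stay safe online</h1></body></html>"


def came_via_search_engine(headers):
    """Mirror of the attacker's cloaking test: True when the request looks like
    a crawler (User-Agent) or arrived through a search-engine link (Referer)."""
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "").lower()
    if any(bot in ua for bot in SEARCH_ENGINE_UA):
        return True
    host = referer.split("://", 1)[-1].split("/", 1)[0]
    return any(marker in host for marker in SEARCH_ENGINE_REFERERS)


def serve_page(headers):
    """Simulated compromised front page: clean HTML for search-engine traffic,
    the injected iframe for everyone else."""
    if came_via_search_engine(headers):
        return CLEAN_PAGE
    return CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")


# Defender side: the same URL fetched under different identities. A real check
# would use these headers with an HTTP client; here fetch() is serve_page().
PROFILES = {
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)",
    },
    "from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0",
        "Referer": "http://www.google.com/search?q=staysafeonline",
    },
    "direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0",
    },
}

# src attribute of any <iframe> or <script> tag, case-insensitive.
EMBED_RE = re.compile(r'<(?:iframe|script)[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.I)


def embedded_sources(html):
    """Set of URLs the page embeds via iframe or script tags."""
    return {m.group(1) for m in EMBED_RE.finditer(html)}


def detect_cloaking(fetch, profiles=PROFILES):
    """Fetch the page once per profile via fetch(headers) -> html and return
    {profile: sources seen under that profile but not under all of them}.
    An empty dict means every identity received the same embedded content."""
    per_profile = {name: embedded_sources(fetch(hdrs))
                   for name, hdrs in profiles.items()}
    common = set.intersection(*per_profile.values())
    return {name: srcs - common
            for name, srcs in per_profile.items() if srcs - common}


if __name__ == "__main__":
    # Reports the iframe as visible only to the "direct" profile.
    print(detect_cloaking(serve_page))
```

Against a live site, replace `serve_page` with a function that issues a GET with the profile's headers and returns the body; the point of the three profiles is that a page which embeds different third-party sources for a crawler, a visitor arriving from a search result, and a direct visitor is serving cloaked content, whether by design or because of an injection like the one Howard describes.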
NCSA, which was one of the targets for the attack, runs StaySafeOnline.org, whose explicit purpose is to educate users on principles for maintaining online safety. The Alliance had already declared October “National Cyber Security Awareness Month.” Still, Howard believes NCSA may not have actually been a direct target, but rather just another random victim in a recent spike.
“The incident raises some interesting questions,” Howard writes. “Most notably, the malicious content being injected into the Web pages was changing over time (sometimes a straight iframe, sometimes JavaScript). This is not what you necessarily expect for hacked sites; ordinarily, pages are injected with a fixed string (for example an iframe redirect or a script).” Instead, the injected content may take any of several forms, each of which can trigger a different anti-virus detection, so no single signature accounts for the whole campaign.
What malicious users are apparently learning is that it’s counter-productive for them to concoct massive, uniform hacks that eventually get elevated to high-alert status by Sophos and others. Rather, it’s better to stay on the down-low. Defacement attacks that are only marginally effective at the outset may stay effective for much longer. The actual damage is then accomplished cumulatively, by bunching many marginal attacks together and ensuring the injected content never triggers the same alert too often.
The injection happens on the compromised server, so client-side anti-virus sees it only after the fact, when the already-modified page reaches the browser, and signature matching on that page is exactly what rotating payloads defeat. So it’s more important now than ever that client-side anti-malware measures monitor the behavior of Web transactions, such as an unexpected redirect or a hidden frame pulling content from a third-party host, rather than just inspecting the content that arrives.