Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Numbers of legitimate Web sites have again succumbed to another case of iFrame Search Engine Optimization (SEO) poisoning. Among those reported compromised were the Washington State University site and several news sites such as Sun Gazette and Tribune-Chronicle. Proof is the following screenshot which shows how many search results turned up when the unlikely search term “” is used:

    This is yet another incident following what looks like a never-ending string of attacks that has compromised high-profile Web sites such as ZDNet Asia and TorrentReactor early last month. Shortly after, and also got affected and was then followed by another attack, this time affecting a number of news Web sites. This may suggest that cyber criminals, apart from taking advantage of this SEO vulnerability are also testing which type of Web sites they may get more out of. From social networking and entertainment to news and education, the trend may depend on where cyber criminals think the traffic is at.

    Trend Micro detects the JavaScript in the inserted iFrame tags as JS_IFRAME.US. It then downloads a file from the URL http://www.{BLOCKED} which is detected as JS_DLOADER.TVP. This in turn downloads a file detected as JS_NEVAR.A.

    Further investigations by Trend Micro Researchers reveal that the tool used in conducting this massive attack is not new, but in fact was already used in a similar attack last year. The toolkit that previously used the domain and compromised hundreds of Web sites in November last year is the same toolkit used in this attack, this time using the domain This is a screenshot of one of the tools:

    This recent turn of events shows that cyber criminals are clearly capitalizing on this method of distributing malware. More than 40% of Web threat incidents both in January and February involved the use of legitimate Web sites to distribute malware, with most affected sites related to social networking and entertainment. However in March, almost all incidents involved the compromising of legitimate Web sites, this time affecting Web sites related to education. USA Today also reported that several hundred thousands of corrupted Web pages returned by common Google search queries were found by security researchers in March alone.

    Despite this clear involvement of Google in this malware distribution, security researchers have taken Google’s side on the case, saying that the search engine is not directly responsible to these attacks. This I believe still does not put Google off the hook; the search engine being used as a channel for malware distribution seriously calls for the development of security measures.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice