Thursday, February 24, 2011

ICWAI site infected

After KVGBANK, ICWAI has now also been found to be the victim of an iFrame injection attack. My previous blog post reveals how famous sites from India like UPSC and KVGBANK have been compromised. These are reputable sites that receive a high volume of traffic, which makes them an attractive target for attackers. The ultimate motivation of the attackers is to leverage the sites as a catalyst for spreading malware.

The ICWAI webpage http://www.icwai.org/icwai/docs/syllabus/cmainter.htm was found to be infected with a malicious 0 pixel iFrame. Injecting iFrames into legitimate websites has become an extremely common attack vector.

Screen-shot of the affected page:

Screen-shot of the source code:

The injected link no longer serves malware as the domain has been taken offline. The fact that the ICWAI page still contains the injected iFrame suggests that the injection vulnerability that led to the attack may still be exposed and could lead to additional infections. Zscaler has informed ICWAI of this infection.
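A site owner can check their own pages for this pattern. The following is an added example, not code from the original post: it parses a page and reports iFrames that are both invisible (zero width or height, `display:none`, `visibility:hidden`) and loaded from another host. The sample markup, the `injected.example` and `video.example` hosts, and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%|em)?\s*$", re.I)

def style_decls(style):
    """Parse an inline style attribute into {property: value}, lowercased."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.lower().replace("!important", "").strip()
    return decls

def hidden_reasons(attrs):
    """List the ways this iframe is made invisible to the visitor."""
    css = style_decls(attrs.get("style", ""))
    reasons = []
    for dim in ("width", "height"):
        for where, value in (("attr", attrs.get(dim)), ("style", css.get(dim))):
            if value is not None and ZERO.match(value):
                reasons.append(f"{dim}=0 ({where})")
    reasons += [f"{p}:{v}" for p, v in (("display", "none"), ("visibility", "hidden"))
                if css.get(p) == v]
    return reasons

class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host.lower(), []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = hidden_reasons(a)
        if host and host != self.page_host and reasons:  # off-site AND invisible
            self.findings.append((self.getpos()[0], host, reasons))

def audit(html, page_host):
    """Return (line, host, reasons) for each hidden off-site iframe."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one same-site frame, two hidden off-site, one visible embed.
SAMPLE = """<html><body>
<h1>Syllabus</h1>
<iframe src="http://www.icwai.org/banner.htm" width="468" height="60"></iframe>
<iframe src="http://injected.example/check.php?t=1" width="0" height="0"></iframe>
<iframe src="//cdn.injected.example/x" style="visibility:hidden; WIDTH: 0px"></iframe>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""
```

Calling `audit(SAMPLE, "www.icwai.org")` reports the two hidden off-site frames. Frames written into the page by script at load time do not appear in static markup, so a clean result here does not rule out an injection.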

Screen-shot of hxxp://toneandpulse.com/check/versionl.php?t=676, the injected URL:

Fortunately, this domain has been added to the Google Safe Browsing block list. Online searches reveal information providing a clear indication that the “toneandpulse.com” domain has been used in various malware campaigns. A report from ThreatExpert shows that some of the links on this domain have been used to serve a known Trojan.

This is yet another example of the poor level of web application security, which is allowing attackers to infect legitimate web sites with minimal effort.

Pradeep

2 comments:

Pradeep Kulkarni said...

This site appears to be clean now.

Anonymous said...

I have just done an export and worked out the conversion rates for each bucket and I find them very similar. I.e., as a %, site speed isn't making a difference to conversions.