In Depth

Death by iFrame

Hacking site 76service provides a case study in the connection between iFrames, malware, identity theft.

By Scott Berinato

September 01, 2007 — CSO — iFrames were the distribution mechanism used to create a large population machines infected by the form-grabbing malware variant dubbed Gozi. In fact, they’ve become a popular way to dump many varieties of malware onto unsuspecting web surfers.

iFrames are a browser feature that allows websites to deliver content from a remote website within a frame on a page. Think of stock quotes originating from one site streamed into a small box on another site.

Criminal hackers exploit this feature by building iFrames into pages that are one pixel by one pixel—invisible to the user. Inside that iFrame they can stash executable code stored at another site. Usually, the stash it’s a tiny piece of software called a downloader.

A downloader is a single redirect instruction. When a PC visits the iFramed website, the downloader is delivered from inside the invisible iFrame and it tells the browser to visit to some other IP address. Its job is done.

Usually this address contains another downloader, which repeats the process. For obfuscation purposes, this may happen several times before one of the downloaders finally points to a server containing malware. The malware is delivered through the iFrame onto the PC. This is how Gozi got on machines.

Don Jackson, the researcher at SecureWorks who discovered Gozi, knew this from the beginning of his research on the point-and-click identity theft site called 76service. 76 and Exoric, the hackers who operated 76service, contracted out for their iFrames.

iFrames are so effective and easy to implement that an entirely new business has emerged around them. Trolling a discussion board, Jackson found out that 76service contracted with a group called iFramebiz.com.

They are believed to be one of the first and most important iFraming groups. Their business model is simple and familiar. They pay for clickthroughs. If you agree to host their iFrame code on your website, you receive a payout every Monday by PayPal, e-Gold, Western Union or other method. Base rates ranged from €5 a week in China, €10 in Asia and €40 for “Other world.” Payment is contingent on a minimum of 1,000 clickthroughs. (If you don’t have your own malware to deliver through the iFrames, they’ll sell you EXEs as well).

A few Euros a week doesn’t sound like much money, but most iFramebiz customers control tens or hundreds of domains, some active, some languishing. Say you owned 100 domains. You could drop the 3kb of iFrame code on all of those sites and make 500 to 4,000 euros just for letting it live there. Seeing the opportunity, some entrepreneurs are buying up domains just to host the iFrame code and then hustle to direct traffic to their sites. The iFramers also inject their iFrames into legitimate websites that have vulnerabilities which allow it to happen.

• Email
• Print
• Comments
• Digg This
• SlashDot

• Inside the Global Hacker Service Economy
• A Layman's Glossary of Malware Terms
• Screenshots: 76Service and Gozi (cio.com)