May 1, 2012

Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites.

Google-translated version of iFrameservice's homepage

Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.

At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.

A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.

The customer interface for the iFramer service.

Some services, like the one offered at iframeservice.net (pictured above and at left), offer a menu of extras to help customers maintain their Web-based minefields. Iframeservice.net attempts to gain a more permanent foothold on all sites for which it is given FTP credentials, testing the sites for additional security vulnerabilities (root exploits) that may grant administrative privileges on the site’s Web server.

This service also promises to help customers stay one step ahead of antivirus companies, by monitoring URL blacklists and generating customer alerts when boobytrapped pages get flagged as malicious. In addition, it offers the automated ability to obfuscate the true destination of malicious links as a way to confuse both antivirus scanners and the legitimate administrators of the hacked sites.

A recent compromise I helped a friend deal with reminds me of a stubborn fact about hacked sites that seems relevant here. Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on host machine. In this way, PC infections can spread to any Web sites that the victim manages when the victim unknowingly uploads boobytrapped pages to his Web site.

Obviously, the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password, of course).


8 thoughts on “Service Automates Boobytrapping of Hacked Sites

  1. Emma Jenkins

    That last point (about uploading infected local web pages to one’s own website) is not obvious, and I hadn’t thought about that threat. Thanks 🙂

    Emma.

  2. Legality

    I am still baffled at the legality of such “services”. I am assuming these sorts of shady sites are hosted somewhere other than the U.S. Still, it seems rather brazen to offer such a service so publicly.

  3. Jim Walker

    Exceptional research!
    I live on the front lines of this battle with hackers every day. Your article fits in nicely with my day to day experience in clearing and fixing hacked websites. The iframeservice you mention— now that explains a great deal (thank you for the education!).

    Since January 2012, I’ve been finding more websites being hacked in an automated fashion. It used to be a lot more difficult to clear hacked sites for base64 code and the like, though this year’s more automated prepending and injections of text within PHP pages has made my job a good bit easier recovery time wise.

    That said, WordPress seems to be the favorite target for these types of operations (iframeserv, et al) since the base code is so consistent across thousands of websites. While stolen FTP passwords remain a common entry point for hacking sites, I’m finding the majority of WordPress sites are being hacked simply due to clients not managing their updates of plugins and themes appropriately.

    Best Wishes,
    Jim Walker, The Hack Repair Guy

  4. SecSquirrel

    WordPress was coded by hackers. Only lames get hacked.

  5. Hary

    I tried to access the iframeservice site its nothing appears, but accidentally when i revisit again and run my webserver (wamp) it shows my localhost files 🙂 weird..

    1. BrianKrebs Post author

      @Hary — to access the service you need to enter a specific subdomain in front of the URL, and a specific port number behind it.

  6. iframeservice

    Thank you greatly for appreciating our job that high. Anyway our software can be used for many purposes. And I treat my customers as honest people. You can even say that I’m the good, the bad and even the ugly – whatever. We test remote server’s security and provide interface for webmasters to operate their sites in a most convenient manner.

    Best regards, I really adore what you do man. That’s very ethical.

  7. Alberto

    Nice post, I started reading your blog a few months ago and found your articles both entertaining and educational.

    But I would like to point that since you are a security reference for the blog readers maybe you should update your password creation advices to recommend using also passphrases in the sites/programs that allow them (unfortunately a lot sites have a maximum password length).

    A few years ago using a “complicated” password (letters, numbers & signs) versus a passphrase was more of a preference, but since password crackers noticed that they can use modern GPU’s to speed up brute force attacks, long passwords (three or more words) are far more secure, even if they only include letters. Take a look to the numbers of this post, obtained using his gaming computer:

    http://www.codinghorror.com/blog/2012/04/speed-hashing.html

    Also, pass phrases are far easier to remember and type that complicated passwords. Just compare:

    Secure password: Unc!3B0b (rated “Strong” by Gmail, 51 bits quality by KeePass)

    Quite secure passphrase: My uncle Bob (rated “Strong” by Gmail, 67 bits quality by KeePass)

    Secure passphrase: My uncle Bob is very skinny (rated “Strong” by Gmail, 121 bits quality by KeePass)

Comments are closed.