Lack of Egress Filtering Spurs Success of Injected IFrame Attacks
The attacks in themselves are not new or novel, but their success seems to be in part because the iframes point to websites on non-standard ports. In particular, the attackers are hosting browser exploits and social engineering tricks on servers running on port 8080.
As secure web filtering is added to anti-virus products and makes inroads in gateway security products, attackers are trying to circumvent the web filters with this age-old technique. Frequently these secure web filters only operate on common ports such as port 80. By hosting a web server on an alternate port, the security may be bypassed.
For this reason, it is essential that administrators who deploy secure web filtering lock down any ports not expressly being scanned. In other words, egress firewall rules that block outbound traffic on ports that don’t have some security and content filtering, will save networks from this attack and ones like it.
At present, zvelo is detecting dozens to hundreds of newly compromised websites that have fallen victim to this attack and become conduits for attacks against their site’s visitors. More detailed information on how the attack is spreading and its links to gumblar can be found on the Unmask Parasites blog.