It’s always interesting to watch how malware attacks evolve over time.
Since this spring, when I started to distinguish it from other attacks, this hidden iframe injection attack has always been among the “leaders”.
- They started with gambling-related .cn domains (like cheapslotplay .cn).
- They introduced several new domain names every day so that you couldn’t hardcode them in your scanners. At this point, my records contain several hundred domains used in this attack.
- They also changed campaign names (parameters they specify in iframe URLs) regularly: mozila, banner, cocacola, pepsi, open, reopen, income.
- They used port 8080 (presumably to game dumb traffic filters that only inspect traffic on port 80).
- At the end of July, they started to use 3-letter .ru, .pl, .in and .at domains (e.g. x3y .ru, f7y .at, q5n .in, a3j .pl).
- And, finally, if you follow me on Twitter, you know that this week I started to notice 3rd-level domains registered with free dynamic DNS services.
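The list above is a set of indicators that survive daily domain rotation: the iframe is hidden (1x1 or styled invisible), the URL uses port 8080, the host is a 3-letter second-level name under .ru/.pl/.in/.at, the query string carries one of the campaign names, or the host is a third-level name under a free dynamic DNS provider. The following detector, an added example that is not part of the original post or the author's scanner, matches on those structural features instead of a domain blacklist. The sample HTML is constructed for the example (the domain names in it are the ones quoted above), and the `DYNDNS_SUFFIXES` set is a placeholder assumption under the reserved `.example` TLD that you would replace with your own list of dynamic DNS providers.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Campaign names the post says appear as parameters in the iframe URLs.
CAMPAIGN_PARAMS = {"mozila", "banner", "cocacola", "pepsi", "open", "reopen", "income"}
# TLDs under which the post saw 3-letter second-level domains.
SHORT_TLDS = {"ru", "pl", "in", "at"}
# ASSUMPTION: placeholder dynamic DNS suffix; fill in real provider suffixes yourself.
DYNDNS_SUFFIXES = {"dyndns.example"}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SIZE_RE = re.compile(r"\d+")


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value, default):
    """Extract the numeric part of a width/height attribute ("1px" -> 1)."""
    m = SIZE_RE.search(value or "")
    return int(m.group()) if m else default


def is_hidden(attrs):
    """True if the iframe is styled invisible or sized to at most 1 pixel."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    # Missing dimensions default to a visible size so they are not flagged.
    return _px(attrs.get("width"), 100) <= 1 or _px(attrs.get("height"), 100) <= 1


def classify_url(url):
    """Return the list of URL-level indicators from the post that this URL matches."""
    reasons = []
    try:
        u = urlparse(url)
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return ["unparseable URL"]
    host = (u.hostname or "").lower()
    labels = host.split(".") if host else []
    if port == 8080:
        reasons.append("port 8080")
    if len(labels) == 2 and len(labels[0]) == 3 and labels[1] in SHORT_TLDS:
        reasons.append("3-letter .%s domain" % labels[1])
    if len(labels) >= 3 and ".".join(labels[-2:]) in DYNDNS_SUFFIXES:
        reasons.append("dynamic DNS host under %s" % ".".join(labels[-2:]))
    # Campaign names may appear as a bare key (?mozila) or as a value (?c=mozila).
    tokens = set()
    for key, values in parse_qs(u.query, keep_blank_values=True).items():
        tokens.add(key.lower())
        tokens.update(v.lower() for v in values)
    for name in sorted(tokens & CAMPAIGN_PARAMS):
        reasons.append("campaign parameter %r" % name)
    return reasons


def scan_html(html):
    """Return one finding per iframe that shows any of the indicators."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = classify_url(src)
        if is_hidden(attrs):
            reasons.insert(0, "hidden iframe")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: four injected iframes in the styles the post describes
# plus one legitimate, visible embed that must not be flagged.
SAMPLE_HTML = """
<p>Welcome to my site</p>
<iframe src="http://x3y.ru:8080/?mozila" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://cheapslotplay.cn:8080/?banner" width="0" height="0"></iframe>
<iframe src="http://a3j.pl/" style="display:none"></iframe>
<iframe src="http://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://host.dyndns.example:8080/?income" width="1px" height="1px"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Any single indicator flags the iframe, which is deliberately noisy: a visible iframe on port 8080 is worth a look, and a hidden iframe with a clean-looking URL is exactly what a new, not-yet-seen domain looks like. Tighten the rule to "hidden plus one URL indicator" if you need fewer false positives on pages that legitimately use tiny iframes.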