Death by iFrame

Hacking site 76service provides a case study in the connection between iFrames, malware, identity theft.

iFrames were the distribution mechanism used to create a large population machines infected by the form-grabbing malware variant dubbed Gozi. In fact, they’ve become a popular way to dump many varieties of malware onto unsuspecting web surfers.

iFrames are a browser feature that allows websites to deliver content from a remote website within a frame on a page. Think of stock quotes originating from one site streamed into a small box on another site.

Criminal hackers exploit this feature by building iFrames into pages that are one pixel by one pixel—invisible to the user. Inside that iFrame they can stash executable code stored at another site. Usually, the stash it’s a tiny piece of software called a downloader.

A downloader is a single redirect instruction. When a PC visits the iFramed website, the downloader is delivered from inside the invisible iFrame and it tells the browser to visit to some other IP address. Its job is done.

Usually this address contains another downloader, which repeats the process. For obfuscation purposes, this may happen several times before one of the downloaders finally points to a server containing malware. The malware is delivered through the iFrame onto the PC. This is how Gozi got on machines.

Don Jackson, the researcher at SecureWorks who discovered Gozi, knew this from the beginning of his research on the point-and-click identity theft site called 76service. 76 and Exoric, the hackers who operated 76service, contracted out for their iFrames.

iFrames are so effective and easy to implement that an entirely new business has emerged around them. Trolling a discussion board, Jackson found out that 76service contracted with a group called

They are believed to be one of the first and most important iFraming groups. Their business model is simple and familiar. They pay for clickthroughs. If you agree to host their iFrame code on your website, you receive a payout every Monday by PayPal, e-Gold, Western Union or other method. Base rates ranged from €5 a week in China, €10 in Asia and €40 for “Other world.” Payment is contingent on a minimum of 1,000 clickthroughs. (If you don’t have your own malware to deliver through the iFrames, they’ll sell you EXEs as well).

A few Euros a week doesn’t sound like much money, but most iFramebiz customers control tens or hundreds of domains, some active, some languishing. Say you owned 100 domains. You could drop the 3kb of iFrame code on all of those sites and make 500 to 4,000 euros just for letting it live there. Seeing the opportunity, some entrepreneurs are buying up domains just to host the iFrame code and then hustle to direct traffic to their sites. The iFramers also inject their iFrames into legitimate websites that have vulnerabilities which allow it to happen.

Then, with a portfolio of infected sites they turn around and sell access to their network. At the time of Jackson’s research, the going rate was one dollar per infection. No one knows how many infected sites 76service paid for. was one site that accounted for many Gozi infections, likely chosen because of its broadness and the likelihood that unsavvy users would type in that URL if they were looking for fonts. was another, according to Jackson. (Both have been cleaned up since).

Jackson and the anonymous researcher believe 76service may have paid a premium for an enhanced service—exclusive access to and management of the iFramed pages. That allowed 76 and Exoric to easily move their site around (as the good guys had forced them to) without having to constantly ask the iFramers to reconfigure the iFrames to point to new IP addresses where downloaders and malware had been moved to. It’s something like if you owned a convenience store and you moved it every so often, and you could pay for the right to set up your own detours to redirect traffic to your store’s new location.

Someone looking to deposit malware like Gozi on machines has few better options than iFrames, because of their ability to intervene without the user’s help. In a short amount of time, iFrames have become the malware distribution method of choice. Graham Clueley of the anti-virus vendor Sophos says his company’s research shows 8,000 new webpages per day, a quarter-million pages per month, hosting illicit code or activity, most of which he says, are iFrame exploits. Of those, Clueley says, 70 percent are found on legitimate websites.

iFrames have other advantages, too. Separating the distribution network from the malware, making it a service in itself, speeds up redeployment, because once a site hosts an iFrame, it remains available for distribution of any variant or new piece of malware.

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)