Monday, March 31, 2008

Phishing Pages for Every Bank are a Commodity

A new phishing scam is currently in the wild, emails pretending to be from Bank of ****** were detected by *****, anti spam vendors are indicating a tremendous increase in phishing emails during the last quarter - phishing headlines as usual, isn't it? Phishing is logically supposed to increase, the convergence of phishing and bankers malware is already happening, segmentation of the emails database is only starting to take place, and it's not that a perticular brand is targeted more efficiently than other - they're all getting targeted. In 2008, phishing pages for each and every bank are a commodity, anyone can download them, modify them to have the stolen data forwarded to a third-party, backdoor them to have phishers scamming the phishers, facts that are shifting the emphasis on the segmentation, malicious economies of scale concept, the spamming process of phishing emails, and of course, the arms race between the targeted brands and the phishers in terms of catching up with each other's activities.

In the very same way, malware authors apply Quality and Assurance practices to their malware releases by sandboxing, making sure they have a low detection rate by scanning them with all the anti virus scanners available, as well as ensuring they'll phone back home through bypassing the most popular firewalls, phishers tend to put a lot of efforts into coming up with the very latest fake phishing pages of each and every brand or financial institution. What you see in the attached screenshot is a detailed description of the exact type of information the phishing page is capable of collecting, and when it was last updated. And while the question to some has to do with the number of people getting tricked by phishing emails, coming across such regularly updated repositories makes me think how many people are getting tricked by outdated phishing pages.

The logical questions follows - why would a phisher simply release the very latest phishing pages for a multitude of brands to be targeted in the wild for free, next to keeping them private for his very own private phishing purposes? Take web malware exploitation kits for instance, and the moment when once they turned into a commodity, they started getting used as a bargain in many other deals. In the phishing pages case, once the "product" is offered for free, the "service" in this case the possible segmentation and spamming as a process comes with a price tag.

And while someone's currently using these freely available phishing pages, others are selling them to those unaware that they're actually a commodity and come free, and someone else is using them in a bargain deal offering them as a bonus for purchasing another underground good or service to an uninformed bargain hunter again not knowing that what's offered as bonus is actually available for free - the dynamics of the underground economy in full scale.

Related posts:
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing

The Epileptics Forum Attack

Now that's a weird example of a successful targeted attack abusing epileptics' photo sensitivity. Hackers post seizure causing flashing images at an Epileptics forum :

"Internet griefers descended on an epilepsy support message board last weekend and used JavaScript code and flashing computer animation to trigger migraine headaches and seizures in some users. The nonprofit Epilepsy Foundation, which runs the forum, briefly closed the site Sunday to purge the offending messages and to boost security. The incident, possibly the first computer attack to inflict physical harm on the victims, began Saturday, March 22, when attackers used a script to post hundreds of messages embedded with flashing animated gifs."

Mentioning the attack would mean nothing if I'm not to provide screenshots of the forum postings courtesy of user Pedrobear, and the actual seizure image used, which in the case of this attack was pics.ohlawd.net/img/seizure.gif. And if you think seizure.gif is mean, optical illusions such as this one can cause the same effects to everyone if you're to stare at it for more than five seconds.

Friday, March 28, 2008

Massive IFRAME SEO Poisoning Attack Continuing

Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of.

What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves.


Keep it Simple Stupid for the sake efficiency is what makes the campaign relatively easy to track once you understand the importance of hot leads, and real-time assessments for the purpose of setting the foundation for someone else's upcoming piece of the puzzle in an OSINT manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants :

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

Which are the main IPs injected as IFRAME redirection points?

72.232.39.252
NetRange: 72.232.0.0 - 72.233.127.255
CIDR: 72.232.0.0/16, 72.233.0.0/17
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: abuse@layeredtech.com

195.225.178.21
route: 195.225.176.0/22
descr: NETCATHOST (full block)
mnt-routes: WZNET-MNT
mnt-routes: NETCATHOST-MNT
origin: AS31159
notify: vs@netcathost.com
remarks: Abuse contacts: abuse@netcathost.com

89.149.243.201
inetnum: 89.149.241.0 - 89.149.244.255
netname: NETDIRECT-NET
remarks: INFRA-AW
admin-c: WW200-RIPE
tech-c: SR614-RIPE
changed: technik@netdirekt.de 20070619

89.149.220.85
inetnum: 89.149.220.0 - 89.149.221.255
netname: NETDIRECT-NET
remarks: INFRA-AW
admin-c: WW200-RIPE
tech-c: SR614-RIPE
changed: technik@netdirekt.de 20070619

Newly introduced malware serving domains upon loading the IFRAMES :

mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 (85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3 where the malware is attempting to load upon accepting the ActiveX object :

Scanners Result: Result: 12/32 (37.5%)
Suspicious:W32/Malware!Gemini; W32/BHO.BVW
File size: 107536 bytes
MD5: e50f2c9874a128d4c15e72d26c78352c
SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

Moreover gift-vip.net/images/index1.php (195.225.178.19) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59) :

Scanners Result: 2/32 (6.25%)
JS.Feebs.rv; JS/Feebs.gen2 @ MM
File size: 16098 bytes
MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e
SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (119.42.149.22) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (119.42.149.22)

Scanners Result : Result: 11/32 (34.38%)
Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm
File size: 61440 bytes
MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5
SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d

Last but not least is d08r.cn (203.174.83.55) a new domain introduced within the IFRAMES, which is also responding to, another scammy ecosystem :

07search.com
5m9h41.com
a666hosting.info
gzoe7w.com
l6q7x6.com
nashepivo.com
nbb3g1.com
sraly.com
uvilo.com
vmksxo.com
credits-counselor.com
hx0k21.com
mob-shop.net
smart-search.net

For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place.

The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.

Related posts:
More High Profile Sites IFRAME Injected
More CNET Sites Under IFRAME Attack
ZDNet Asia and TorrentReactor IFRAME-ed
Rogue RBN Software Pushed Through Blackhat SEO
Massive RealPlayer Exploit Embedded Attack
Another Massive Embedded Malware Attack
Yet Another Massive Embedded Malware Attack
Massive Blackhat SEO Targeting Blogspot
Massive Online Games Malware Attack

Press coverage:
Symantec's Internet Threat Meter
Major Web sites hit with growing Web attack
Audit Your Web Server Lately?
Hackers expand massive IFrame attack to prime sites
Major Web Sites Hit with Growing Web Attack
Major Sites Hit with IFRAME Injection Attacks
Researcher - IFRAME Redirect Attacks Escalate
An Update to the IFRAME SEO Poisoning
Massive Web Server Hack
Massive IFRAME Continues to Hit Top Sites
Attackers booby-trap searches at top Web sites
Several Major Websites Affected By Major Iframe Attack
Web Security Scanning Is Paramount
SEO poisoning attack hits big sites; Can the defenses scale?
Hackers step up search results attack
Tale of the IFRAME Continues

Tuesday, March 25, 2008

A Localized Bankers Malware Campaign

Just like the Targeted Spamming of Bankers Malware campaign that I exposed in November 2007, in this post I'll assess another targeted, but also localized to Portuguese campaign with a decent degree of cyber deception applied. It appears that the latest round has been spammed two days ago, but expanding their ecosystem reveals evidence of more bankers malware on behalf of the same malicious parties. What's particularly interesting about this campaign, is that they're using a hardcoded list of already breached email accounts of mostly Brazilian users, and using it as a foundation for the distribution of the malware under the clean IP reputation - which explains why the email makes it through anti-spam filters. The message impersonating Hotmail could have been easily outsourced as a translation process, as I've already pointed out in a previous post emphasizing on acquiring cultural diversity on demand for malicious malware, spam and phishing purposes. However, in this case it's more important to emphasize on the targeted nature of the campaign, and the use of a Russian free web space provider as a hosting provider for the malware.

Now on the cyber deception issue. Basically, you have a malware campaign targeting Portuguese speaking end users, that's been emailed using Brazilian mail servers through a set of hardcoded and already breached local email acounts, it's serving fake bank logins of a Portuguese bank, whereas the malicious parties are using a Russian free web space provider, front.ru in this case as a reliable and outsourced approach to host the malware malware. Is this an example of the maturing consolidation betweeen spammers, phishers and malware authors, or is someone trying to engineer cyber crime tensions? I'd go for the second, the command and control of this banker malware is hiding behind a fake image file, and is all in Portuguese, the way the emails where the stolen information or notifications per infection are descripted in Portuguese. Moreover, within several of the subdomains hosted at front.ru, there're also pages pushing bankers malware through a fake Apaixonado Big Brother Brazil 2008 pages. So you have a South American malicious party generating noise on behalf of Russia's overall bad reputation in respect to malware. Here are more details from this campaign :

Subject: Cancelamento de E-Mail
Message: "Ola usuario, informamos que no dia 24 de Marco de 2008, a Equipe Hotmail alterou o conteudo dos "Termos e Condicoes de uso" e por isso tem a obrigacao de comunicar este fato a todos os usuarios que utilizam frequentemente seu Windows Live ID. Seu Windows Live ID esta associado a sua conta Hotmail.com, caso nao aceite os novos "Termos e Condicoes de uso" podera perder sua conta. (Porque posso perder minha conta?) Li e aceito os termos e condicoes de uso Nao aceito os termos e condicoes de uso Atenciosamente, Equipe Hotmail"
Sent from: knight.bs2.com.br
Banker location: suport022.front.ru/flashcard/ list.exe

Scanners Result: 13/32 (40.62%)
TR/Spy.Banker.Gen; Trojan-Spy.Win32.Banker.JU
File size: 3339776 bytes
MD5: e00b1cd654b5b3fd5c8a1f5e71939a04
SHA1: cc11a030e868ece65769e177616cbebfb239bee6

It's also interesting to note that this campaign's been aiming to stay beneath the radar, not just by localizing the campaign itself and distributing the malware in a targeted nature, but by using a minimalistic spamming practices as you can see in the screenshot indicating a modest binary change in between three days or so. However, based on the identical mutex created by several different malware samples, and the free web space hosting provider used, I was able to locate more banker malwares created by the same malicious parties, again using front.ru as a hosting provider for more bankers malware under the following locations :

www-orkut-compronfiles-aspxuids-.front.ru/ lkjhgterri.com
www-orkut-compronfiles-aspxuids-.front.ru/ plugins.com
www-orkut-compronfiles-aspxuids-.front.ru/ remote.com
www-orkut-compronfiles-aspxuids-.front.ru/ pro.com
www-orkut-compronfiles-aspxuids.front.ru
www-orkut-comprofile-aspxuid.front.ru
albumfotos.front.ru/ winupdate.exe
gsnet.front.ru/ gm.exe
informes2000.front.ru/ robin.exe

The cute part is that the malicious parties behind it allow anyone to take a peek at the list of breached email accounts and the associated passwords due to the usual misconfiguration on their server, allowing me to come up with the C&Cs update locations, predefined message to be included within upcoming campaigns, and the email addresses used for internal purposes, like the following -

IPs used in the C&Cs hiding behind .jpg files :

75.125.251.36
75.125.251.38
75.125.251.40

The fake bank logins locations found within the configuration :

75.125.251.40/home/it/it.html
75.125.251.40/home/it/it2.html
75.125.251.40/home/it/iutb.html
75.125.251.40/home/br/bj1.html

Internal hardcoded email addresses :

receiver.guzano@ gmail.com
receiver.smtp@ gmail.com
ladrao.contatos@ gmail.com
urls.file@ gmail.com
receiver.guzano@ gmail.com

The bottom line, the campaign is well organized, primarily targeting Portuguese speaking end users, is being spammed from stolen email accounts, and has its malware hosted on a Russian free web space provider. Perhaps the only thing it's missing is a better segmented emails database that would have improved the success rate especially from a targeted perspective. As in the majority of malware campaigns, it's their common pattern that leads to the exposure of the entire ecosystem of who's who and what's what.

Thursday, March 20, 2008

Cybersquatting Security Vendors for Fraudulent Purposes

Just like the creative typosquatting coming up with domain names spoofing the structure of PayPal and Ebay's web applications I covered in a previous post, this most recent example of cybersquatting is yet another example of how impersonating known and trusted brands can not only damage their reputation if the campaign's not taken care of fast enough, but can also result in actual adware infection. Who's getting targeted in this campaign? PandaSecurity, McAfee, Adobe Acrobat, and several other third party applications. It seems that IBSOFTWARE CYPRUS is keeping the entire domains portfolio undercover for the time being, with a great deal of these domains returning 403 forbidden messages. However, there are several domains that are actually serving the fake E-shops. This minimalistic approach on behalf of the malicious parties may have proved valuable if the domains were hosted on different IPs, however, they're all hosted on a single IP. The type of "pay us and we'll point you to the download location" scheme applied here is a bit moronic, in fact the template nature of the E-shop does not know what healthy competition means as you can see in the screenshot above. Here are the domains themselves :


PandaSecurity -
pandaantivirus2008.com
panda-antivirus-2008.com
pandasecurity2008.com
pandaantivirus-2008.com
panda-anti-virus.com
panda-2008.com
antivirus-panda-suite.com
panda-ib.com
panda-2008.com
panda-anti-virus.com
panda-antivirus-2007.com
panda-antivirus-2008.net
panda-bdl.com
panda-ib.com
panda-suite.com
pandaantivirus-2007.com
pandaantivirus-2008.com
pandaantivirus-ib.com
pandaantivirus2008.com
pandasecurity2008.com
pandashield.com
pandasuite2007.com
panda-bundle.com
pandabundle.com
pandasecuritysoftware.com
pandasecuritysoftware.net

McAfee -
mcafeepack.com
download-mcafee.com
mcafeebundle.com
mcafee-antivirus-2007.com
mcafee-internetsecurity.com
mcafee-suite.com
mcafee-suite2007.com
mcafeeantivirus2007.com
mcafeesuite-2007.com
mcafeesuite2007.com

Adobe Acrobat -
adobeacrobatreader-8.com
adobe-reader-it.com
acrobatdownload-ib.com
adobeacrobatpack.com
acrobat8download.com

Misc Cybersquatted software -
virusscan2007.com
virusscan2k7.com
virusscan2k8.com
virusscanxp.com
xp-secure.com
netdetectiveservices.info
download-ad-aware.com
antispyware-2007.com
antivirus-2007.com
netspyprotector.com
adwarepro.com
antispyware007.com
anti-virus-free.net
antivirus2k7.com
antivirus2k8.com
avastantivirus-pro.com
avg-antivirus-ib.com

What is Interactive Brands Inc?

"Interactive Brands is a privately held corporation formed by a team of experienced professionals who strive to offer the “ultimate” interactive shopping experience to internet users around the world. In partnership with the best software publishers, Interactive Brands develops unique and high value offers for the benefit of all computer users. In the spirit of giving the best shopping experience possible, Interactive Brands offers their clients access to a customer support center available by toll free number, email and live chat that covers any inquiry including: downloading, installing, using and any other questions regarding our products."

Interactive Brands Inc.
PO Box 178, St-Laurent, Quebec
H4L 4V5, Canada
Phone: : +1 (514) 733-2549
Fax: +1 514 733 2533

The billing center is located at panda-ib.com which loads b-softwares.com and bundlesmembersarea.com. 90% of the domains are hosted on a single IP - 63.243.188.82, however, the entire netblock is a scammy system by itself with several hundred more such cybersquatted domains.

Don't be cheap, if you're to buy any kind of software, do so through the official site, and cut the fraudulent intermediaries like the ones in this case. Read more about Interactive Brands at the Ripoff Report : Interactive Brands, Adaware-ib.com Rip-off; Report: Interactive Brands; Report: Interactive Brands. Lavasoft's and Avira's comments on the case as well.

Wednesday, March 19, 2008

A Portfolio of Fake Video Codecs

Shall we expose a huge domains portfolio of fake/rogue video codecs hosting the same Zlob variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means? But of course. As I've pointed out in a previous post, on the tactical warfare front the output of a malicious IFRAME campaign is often neglected from the perspective of lacking the two/three layered IFRAME-ing and redirection that the malicious parties usually implement at the beginning of the campaign. Basically, the over twenty fake video codecs domains are hosting the same binary in the form of a Zlob malware downloader, infrastructure courtesy of the RBN's used ATRIVO (64.28.176.0/20). Currently active domains hosting the" DVDAccess codec", namely a Zlob malware variant :


pornqaz.com
uinsex.com
qazsex.com
sexwhite.net
lightporn.net
xeroporn.com
brakeporn.net
sexclean.net
delfiporn.net
pornfire.net
redcodec.net
democodec.com
delficodec.com
turbocodec.net
gamecodec.com
blackcodec.net
xerocodec.com
ixcodec.net
codecdemo.com
ixcodec.com
citycodec.com
codecthe.com
codecnitro.com
codecbest.com
codecspace.com
popcodec.net
uincodec.com
xhcodec.com
stormcodec.net
codecmega.com
whitecodec.com
jetcodec.com
endcodec.com
abccodec.com
codecred.net
cleancodec.com
herocodec.com
nicecodec.com

DVDaccess's pitch : "DVDaccess is a multimedia software that allowa access to Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. DVDaccess will highly increase quality of video files you play. DVDaccess enhances your music listening experience by improving the sound quality of video files sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds."

Scanner results
: 39% Scanner (14/36) found malware!
File Size : 74823 byte
MD5 : 30965fdbd893990dd24abda2285d9edc
SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7

Why are the malicious parties so KISS oriented at the end of every campaign, compared to the complexity and tactical warfare tricking automated malware harvesting approaches within the beginning of the campaign? Because they're not even considering the possibility of proactively detecting the output of the many other malware campaigns to come, which will inevitable be ending up to these very same domains serving a single Zlob variant. Just like the recent massive IFRAME attacks, where in between the live exploit URLs and rogue security software, the end users were redirected to DVDaccess as well. In fact, the massive IFRAME attack campaign was, and continues to redirect to one of the domains in the portfolio I've just provided you with.

Tuesday, March 18, 2008

Terror on the Internet - Conflict of Interest

Insightful article by Greg Goth, discussing various aspects of the pros and cons of monitoring cyber jihadist sites next to shutting them down, as well as mentioning my analysis of the Mujahideen Secrets encryption tool v1.0 and v2.0. Terror on the Internet: A Complex Issue, and Getting Harder :

"Indeed, politicians around the world call at regular intervals for terrorist websites to be removed from their host sites’ servers or for search engines to block access to them. They also call for laws that would make posting instructions on how to kill or maim people or destroy property punishable by law. Franco Frattini, the European Commission’s Vice President for Freedom, Justice, and Security, called for a prohibition on websites that post bomb-making instructions in September 2007. And just as quickly, he rushed to announce that in doing so he was not trying to impinge on freedom of speech or information access or to inhibit law enforcement agencies from monitoring sites."

There're three perspectives related to cyber jihad, should the virtual communities be shut down, monitored, or censored so that they cannot be accessed by people who would potentially get radicalized and brainwashed by the amazingly well created propaganda in the form of interactive multimedia? Given the different mandates given to different intelligence services and independent researchers, is where the conflict of interest begins. Moreover, don't forget that independent researchers sometimes come up with the final piece of the puzzle to have an intelligence agency come up with the big picture in a cost-effective and timely manner, given they actually believe in OSINT and trust the source of the intell data of course. Now, picture the situation where an intelligence agency is shutting down cyber jihadist sites on a large scale not believing in the value that the intelligence data they they could provide, another one given a mandate to censor cyber jihadist communities compiling reports stating that someone's shutting them down before they could even censor them, and a third one who would have to again play cat and mouse game the locate them once they've shut down by the first intel agency already. Ironic or not, different mandates and empowerment is where the contradiction begins. Let's discuss the three mandates and go in-depth into the pros and cons of each of them to come up with a philosophic solution to the problem, as I belive it's perhaps the only way to provoke some thought on the best variant.

Shutting the communities down -
Before shuting them down you need to know where they are, their neighbourhood of supporters who will indirectly tip you on the their latest location once they have their previous domain shut down. Personal experience and third party research indicates that over 90% of the cyber jihadist communities/blogs are hosted by U.S based not owned companies. And with the lack of real-time intell sharing between the agencies themselves, the first who picks up the community will be responsible for its faith, literally. But in reality, preserving the integrity of a cyber jihadist community, and convincing the right people that balanced monitoring next to shutting it down is more beneficial, remains an idea yet to be considered. Back in 2007, I did an experiment, namely I crawled ten cyber jihadist forums and blogs and extracted all the outgoing links from these communities to see their preferred choice for online video and files hosting. A couple of months later, the communities got shut down, so when the same thing happened while I was crawling the Global Islamic Media Front's, and Inshallahshaheed's web presence, it became clear that while some are crawling, and others censoring, third parties are shutting them down.

The bottom line - shutting them down doesn't mean that they'll dissapear and will never come back, exactly the opposite. Personal experience while handling the Global Islamic Media Front is perhaps the perfect and best hands-on experience on the benefits of shutting them down, given you've built enough convidence in your abilities to locate their new location. If you think that the cyber jihadist site or community you're currently monitoring is a star, look above, it's full of starts everywhere, once you start drawing the lines between them, a figure of something known emerges, in this case once a cyber jihadist community is shut down, its most loyal and closely connected cyber jihadist communities will expose their intimate connection not by just starting to promote their new location online, but even better, you'll have them use the second cyber jihadist community to directly reach their audience by the time they set up the new location and resume the propaganda and radicalization.

There's no shortage of cyber jihadist blogs, forums and sites, and personal experience shows that upon having a cyber jihadist community shut down, they re-appear at another location. It's shut down again, it re-appears for a second time. I've seen this situation with Instahaleed and GIMF, and each and every time they had their blogs and sites removed from their hosting providers, mainly because it's rather disturbing that the majority of such communities are hosted on U.S servers, it's this short time frame which will either lead you to their new location, you risk loosing their tracks. However, the vivid supporters of PSYOPs are logically visionary enough to understand what does undermining their audiences' confidence in the community's capability to remain online means.

Monitoring the communities -
In order to reach the "shut it down or monitor it" stage in your analysis process, you really need to know where the cyber jihadists forums and sites are, else, you will be wasting your time, money and energy to create fake cyber jihadist communities in the form of web honeypots for jihadist communication. Monitoring is tricky, especially when you don't know what you're looking for, don't prioritize, don't have a contingency plan or an offline copy of the communitiy and wrongly building confidence in its ability to remain online. Moreover, monitoring for too long results in terrabytes of noise, and from a psychological perspective sometimes the rush for yet another fancy social networking graph to better communicate the collected data, ends up in the worst possible way - you miss the tipping point moment.

Censoring the communities -
I often come across wishful comments in the lines of "blocking access to bomb and poison making tutorials", missing a very important point, namely, that these very same manuals, and jihadist magazines are not residing in a cyber-jihad.com/bomb-making-guide.zip domain and file extension form, making the process a bit more complex to realize. Unless of course the censorship systems figures out ways to detect the content in password encrypted archive files served with random file names and hosted on one of the hundreds free web space providers. Then again, given the factual evidence that cyber jihadists are encouraging the use of Internet anonymization services and software, your censorship efforts will remain futile.

As I'm posting this overview of various ways of handling cyber jihadist communities, yet another community is starting to attract cyber jihadists, thanks to their understanding of noise generation by teaching the novice cyber jihadists on the basics of running and maintaing such a community. What's perhaps most important to keep in mind is that, what you're currently analyzing, trying to shut down or censor whatsoever, is the public web, the Dark Web, the one closed behind authentication and invite-only access yet remains to be located and properly analyzed. If cyber jihad is really a priority, then there's nothing more effective than the combination of independent researchers and intelligence analysts.

Internet PSYOPS - Psychological Operations
A Botnet of Infected Terrorists?
Infecting Terrorist Suspects with Malware
The Dark Web and Cyber Jihad
Cyber Jihadist Hacking Teams
Cyberterrorism - don't stereotype and it's there
Tracking Down Internet Terrorist Propaganda
Arabic Extremist Group Forum Messages' Characteristics
Cyber Terrorism Communications and Propaganda
Techno Imperialism and the Effect of Cyberterrorism
A Cost-Benefit Analysis of Cyber Terrorism
Current State of Internet Jihad
Characteristics of Islamist Websites
Hezbollah's DNS Service Providers from 1998 to 2006
Full List of Hezbollah's Internet Sites
Cyber Traps for Wannabe Jihadists
Mujahideen Secrets Encryption Tool
An Analysis of the Technical Mujahid Issue One
An Analysis of the Technical Mujahid Issue Two
Terrorist Groups' Brand Identities
A List of Terrorists' Blogs
Jihadists' Anonymous Internet Surfing Preferences
Samping Jihadist IPs
Cyber Jihadists' and TOR
A Cyber Jihadist DoS Tool
GIMF Now Permanently Shut Down
Steganography and Cyber Terrorism Communications

Monday, March 17, 2008

PR Storm - Mass iFRAME Injectable Attacks

Here's some recent media coverage regarding the SEO poisoning attack through exploiting the ABC of web application security, namely input validation, a good example of tactical warfare combing two different attack tactics, blackhat SEO for traffic acquisition and abusing input validation for injecting iFRAMES, and abusing the sites' search engine optimization practices of storing the now input violated pages. Meanwhile, Iftach Amit at Finjan points out that as it looks like we were on the same page. Here's Google's comment regarding these incidents provided to Finjan :

"Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its affects on web browsing: "Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants."

The responsible full-disclosure, namely disclosing and every domain affected, the IPs of the malicious domains used in the redirection, and obtained a sampled result of where are the domains actually leading to, should have had the effect it's supposed to - raise awareness and put responsible pressure on the people involved in taking care of making sure no one can submit executable commands that will later on get cached, and load, such as iFRAMES in this case. Most of all, these are high page rank-ed sites, namely the junk that they submit is appearing within the first 10/20 search results and is getting crawled within hours upon submitting it, and therefore it must be taken care of as soon as possible, on multiple fronts.

- The Other iframe attack
- Optimizing Cross Site Scripting - and general security practices
- Follow up to yesterday's mass hack attack
- Hackers launch massive IFrame attack
- SEO poisoning attacks growing
- Attackers hijacking web site search engines to push malware; German article
- Developers: Check Your %*^& Inputs
- Researcher: Beware of massive IFrame attack
- iFrame attacks: Blame your Web admin guy
- More Search Results Getting iFRAMEd
- Ongoing IFrame attack proving difficult to kill
- Injection attacks target legit websites - twenty-nine thousand sites and counting
- Mass Hack Hits 200,000 Web Pages
- 200.000 nettsider hacket

In an upcoming post, I'll expose many other such fake codecs about to get included in future campaigns, and emphasize on the dynamics of orchestrating such a malicious campaign, namely keep it as sophisticated and as deep-linking/deep-iframing as possible to confuse automated malware aggregation approaches at the beginning of the campaign, and Keep it Simple Stupid at the very end of the campaign.

Malicious economies of scale means an efficient and standardized attack approach, take Rock Phish for instance, but it also means an easy way to detect and mitigate certain threats. In this malicious campaing for instance, nearly all the bogus .info domains with several exceptions are operating within the same netblock, and continue doing so. And the exceptions? It's all a matter of perspective, whether or not you believe having a RBN hosted domain within the actual iFRAME, or the result of the iFRAME redirection in terms of importance.

Wednesday, March 12, 2008

Embedded Malware at Bloggies Awards Site

The "window of opportunity" for traffic acquisition by taking advantage of a huge anticipated traffic is something malicious parties always find adaptive ways to take advantage of. Back in December, 2007, the same event based malware embedded attack appeared at a French government's site covering France/Libya relations right in the middle of Libya's leader visit in the country. My detailed analysis back then revealed details of the usual RBN connection, with IFRAME hosts switchng between HostFresh, Ukrtelegroup Ltd, and Turkey Abdallah Internet Hizmetleri, to surprisingly end up to the New Media Malware Gang original IP, futher confirming the existence of what's now a diverse ecosystem.

The same timely malware embedded attack happened at the top of the Annual Weblog Awards site - The Bloggies as TrendMicro assessed on Monday :

"The Web site of the Annual Weblogs Awards — more informally known as the Bloggies — was hacked recently, serving up a malicious Javascript to its visitors. This happened on the eve of the award ceremony, as reported in NEWS.com.au."

An embedded malware screenshot is worth a thousand words, so here it goes attached, and IcePack's now easily detectable module :

Scanner results : 47% Scanner(17/36) found malware!
File Size : 10666 byte
MD5 : 0860a1f5f1b27db14fedbfc979399fa4
SHA1 : 81c4ca763850fd3d675a0955ee6885ce83db53a5
HTML/Psyme.Gen; Trojan-Downloader.JS.Agent.et

Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to 202.75.38.150, and besides the descriptive IcePack host, the IP also responds to the following domains :

bigsavingpharmacy.com
infosecurestatus.com
pharmacysuperdiscount.com
rspectrum.name
sicil.info
sicil256.info
superdiscountpills.com
mydnsweb.net
thegogosearch.com

So what? Historical CYBERINT untimately improves your situational awareness. Sicil.info was the main domain behind the Syrian Embassy in the U.K malware embedded attack. Back then, sicil.info was responding to 203.121.79.71, and now to 202.75.38.150, switching locations doesn't mean a clean domain reputation anyway.

More High Profile Sites IFRAME Injected

The ongoing monitoring of this campaign reveals that the group is continuing to expand the campaign, introducing over a hundred new bogus .info domains acting as traffic redirection points to the campaigns hardcoded within the secondary redirection point, in this case radt.info where a new malware variant of Zlob is attempting to install though an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with number of locally cached and IFRAME injected pages within their search engines :


NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages

This sample of the newly introduced .info domains reside on the same netblock as the previous ones - 75.125.181.0/255 a KISS strategy making it easier to respond to this incident. Best of all, they further expand the campaign since they're injected in plain text, next to javascript obfuscated, this time embedded malware :

hickey.info
kbst.info
sezejc.info
mloqrd.info
mqghrd.info
ymrxwd.info
fsqpsm.info
haxkwd.info
aagpcw.info
zdksgj.info
cgjttz.info
hkedny.info
kbsxet.info
wapdjw.info
kbsxet.info
tdwham.info
mqghrd.info
dhqjdz.info
bhrsaa.info
jramae.info
wmtwes.info
tacpmh.info
qwhhxq.info
gmjett.info
hkedny.info
rerkqz.info
bhrsaa.info
txmwxb.info
psyckr.info
jramae.info
nhwdrh.info
cqqxkh.info
stysqf.info
tgzyqz.info
kbsxet.info
cgjttz.info
tazbhk.info
kbsxet.info

Each of the these is loading a secondary domain, which is then taking us to two more before finally reaching the Zlob variant. In this case it's radt.info (75.125.208.243) with several campaigns currently up and running, pointing to the same fake codec. And the samples redirects upon visiting these as follows :

seivomerutam.info/Free-Paris-Hilton-Nude-Pics/
seivomerutam.info/spam/

all of which ultimately redirect to :

porn-popular.com
(64.28.185.78) where the Zlob variant in the face of a fake codec, is downloaded from democodec.com/download/ democodec1292.exe (64.28.184.168) via an Active X object.

Scanner results : 22% Scanner(8/36) found malware!
File Name : democodec1292.exe
File Size : 74823 byte
MD5 : 30965fdbd893990dd24abda2285d9edc
SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7
Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx

It gets even more interesting as according to Computer Associates :

"This fake codec is actually a hijacker that will change your DNS settings whether you are aquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121. If you use a static IP address, CA AntiSpyware will set your DNS server to 198.6.1.1 to prevent your DNS queries from continuing to go through the rogue DNS servers. Please change your DNS server to the DNS server provided by your IP or Network Administrator."

What this means is that known Russian Business Network netblocks are receiving all the re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale pharming attack by infecting the weakest link, the end user from the perspective of using rogue DNS servers, a much more effective but noisy approach.

To sum up - it's a mess that I'll continue trying to structure, and it's a single group exploiting input validation capability within the sites' search engines we're talking about. With this segmented targeting of sites with high page ranks, and their persistance, is already positioning hundreds of thousands of keywords within the top search results, with the targeted sites are acting as the redirectors to the malware locations.

Loads.cc's DDoS for Hire Service

Snakes never whisper in one another's ear - it's supposed to tickle. In a blog post yesterday, Sunbelt Labs pointed out on the re-emergence of the Botnet on Demand Service that I covered last year. It's great to see we're on the same page, or wiki article as we can always expand the discussion. In need of more such fancy snakes admin panels courtesy of a web based malware C&C? Here are four more related :

legendarypornmovies.net/ts (88.85.81.211)
slutl.com/ts (88.85.78.7)
cwazo.net/ts (83.222.14.218)
oin.ru/ts (194.135.105.203)

Now the juicy details regarding loads.cc. During the time of posting this, the malicious domain is starting to redirect to a very descriptive one, which basically says "given up on ddos-ing", and a featured ad in between loads.cc's old interface is pitching the new service - contextual advertising consultations, as you can see in the attached screenshot. Apparently, a little more in-depth research acts as public pressure, especially when they're lazy enough to have a great deal of malware variants "phone back home" to their promotional domain. However, the current one responding to 67.228.69.191 is hosted by SoftLayer, and is using ns1.4wap.org as DNS server provided by Layered Technologies again confirming the Russian Business Network connection since, both, Layered Technologies and SoftLayer are known to have been and continue providing services to the RBN, knowingly or unknowingly. Moreover, the malware infected counter at the stats section continues reporting new additions.

Being one of the most venerable examples of DDoS for hire services, it's worth reposting its FAQ in an automatically translated fashion, so that a better perspective to the dynamics of offering such services is provided to the readers. Here's the FAQ on using the service, which is relatively easy to understand :

- All that is pure downloads nothing is loaded simultaneously

- The "mix" is not Buro countries on specified individual prices

- Loaded only those countries which are specified in the problem

- The country is determined to maxmind geoip

- When it ALL loaded all countries and the price of downloads is calculated separately for each country that is DE for the download you pay for a $ 0.2 PE 0.03

- Prices for downloads can sometimes vary slightly this watch themselves

- As such, the concept of mix does not exist, each country has its own price, and if the country is not clearly specified in the price is $ 30 price / 1k

- The money is withdrawn from the account in accordance with the facts and running leaps ekze by car users

- In the balance on deposit $ 5 or less stopped loading

- No minimum, it is possible to load even though 3 pc 10k limit pointing in the problem

- The claims, made by ALREADY download will not be accepted, DICOM small parties or do the test to check quality

- Following the establishment of tasks it must be activated by clicking on the link in the status, the same method could be suspended

- Pole challenge "received" shows how many bots believed assignment, it is usually little more than a "loaded" on the fabric sur somehow prichnam some boats were not able to download and run your ekze dolzhili or not yet know

Undercover DDoS in between contextual advertising, or "giving up on DDoS" entirely? Let's wait and see, without being naive enough to forget that this among the hundreds of other DDoS for hire services currently available in the wild.

The New Media Malware Gang - Part Four

Sometimes patterns are just meant to be, and so is the process of diving into the semantics of RBN's ex/current customers base, in this case the New Media Malware Gang. The latest pack of this group specific live exploit URLs :

bentham-mps.org/mansoor/cgi/index.php (205.234.186.26)
5fera.cn/adp/index.php (72.233.60.90)
ls-al.biz/1/index.php (78.109.22.245)
iwrx.com/images/index.php (74.53.174.34)
pizda.cc/in.htm (78.109.19.226)
ugl.vrlab.org/www/index.php (91.123.28.32)
eastcourier.com/reff/index.php (91.195.124.20)
thelobanoff.com/myshop/test/index.php (64.191.78.229)
203.117.170.40/~whyme/my/index.php
195.93.218.25/us/index.php
195.93.218.25/kam/index.php
85.255.116.206/ax5/index.php

Going through Part one, Part two, and Part three, clearly indicates an ongoing migration.

Monday, March 10, 2008

Wired.com and History.com Getting RBN-ed

Monitoring last week's IFRAME injection attack at high page rank-ed sites, reveals a simple truth, that persistent simplicity seems to work. The attack is still ongoing, this time successfully injecting a multitude of new domains into Wired Magazine, and History.com's search engines, which are again caching anything submitted, particularly not validated input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model. So, after "CNET stops IFRAME site attacks - who's next?" in terms of high-profile sites, that is Wired.com and History.com


Key summary points :

- the same malicious parties behind the CNET and TorrentReactor's IFRAME injection are also the ones behind Wired.com and History.com's abuse of input validation

- the IFRAME injection entirely relies on the lack of input validation within their search engines, making executable code possible to submit and therefore automatically execute upon accessing the cached page with a popular search query

- many other domains have been introduced within the IFRAMEs, a complete list of which you can find in this post, several directly hosted within RBN's network

- the main domain serving the heavily obfuscated VBS malware is located within the Russian Business Network's known netblocks

- given the high page ranks of the current and the previous targets, it is evident that the malicious parties are prioritizing based on the possibility to abuse input validation on high page rank-ed sites, presumably in an automated fashion

- Keep it Simple Stupid works, as since they cannot find a way to embedd the IFRAME at these hosts, a clear indicating of the fact that they've breached them, they figured out a way to inject the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on popular key words, or any kind of key words that they want to

Sites currently affected next to Wired.com and History.com :

fhp.osd.mil
hcc.cc.gatech.edu
buffalo.edu
uninews.unimelb.edu.au
uvm.edu
jurist.law.pitt.edu
bushtorrent.com
torrentportal.com


Newly introduced domains within the IFRAMEs :
f3w.info (74.54.95.242)
chdjzn.info (75.125.181.78)
gmjett.info (75.125.181.89)
yscmps.info (75.125.181.124)
egkjnx.info (75.125.208.242)
qkecep.info (75.125.181.99)
qxdprq.info (75.125.181.113)
yscmps.info (75.125.181.124)
mqghrd.info (75.125.181.82)
yydcaj.info (75.125.181.122)
ecwrhk.info (75.125.181.86)
zdksgj.info (75.125.181.112)
stysqf.info (75.125.181.67)
egyffr.info (75.125.181.112)
prnprn.info (75.125.181.106)
fast-look.com (195.225.176.25)
fami4ka.net (217.20.127.217)
looseais.info (70.47.105.5)
my-ringtones.org (78.108.182.164)
eyzempills.com (81.222.139.184)
leohin.com (58.65.239.10)
is-t-h-e.com (69.50.167.165)
89.149.220.85

Where are the IFRAMEs relocating the visitor to?
search-vip.org/pharmacy/search.php?q= (195.225.178.19)
pharma-cist.com/item.php?id=156 (81.222.139.93)
vip-pharmacy.org (195.225.178.19)
adultfriendfinder.com/go/g665961
gift-vip.net/images/index1.php

Where's the malware?
The malware is loading from gift-vip.net/images/index1.php (195.225.178.19) where upon loading another IFRAME pointing to e.pepato.org/e/ads.php?b=3029 (58.65.238.59) which is using HostFresh proving hosting, dns services courtesy of INTERCAGE-NETWORK-GROUP, or the The Russian Business Network in all of its netblock diversity. It seems that pepato.org, currently hosted on one of RBN's netblocks, also made an appearance at malware embedded attack at a .gov site recently.

Scanner results : 3% Scanner(1/36) found malware!
File Size : 16643 byte
MD5 : 99eae1a189443c1a87681579cb4b5dbd
SHA1 : 89a04c4d06f51aa6d6cb54925a2c84d2bbdba06b
Arcavir - Trojan.HTML.JScript.Freebs.gen.9 under the JS:Feebs family; W32/Feebs-Fam ;JS.Feebs.Gen

Several more currently active internal pages serving variants :
e.pepato.org/e/ads.php?b=3029
e.pepato.org/e/ads_nl.php?b=1006
e.pepato.org/e/ads.php?b=1004
e.pepato.org/e/adsr.php?t=0
e.pepato.org/e/mdqt.php
e.pepato.org/e/e1004.html

Monitoring these connected incidents will continue, particularly the RBN connection, and other high profile sites' susceptibility to their attack methods.

Related embedded malware research :
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Yet Another Massive Embedded Malware Attack
MDAC ActiveX Code Execution Exploit Still in the Wild
Malware Serving Exploits Embedded Sites as Usual
Massive RealPlayer Exploit Embedded Attack
Syrian Embassy in London Serving Malware
Bank of India Serving Malware
U.S Consulate St. Petersburg Serving Malware
The Dutch Embassy in Moscow Serving Malware
U.K's FETA Serving Malware
Anti-Malware Vendor's Site Serving Malware
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
A Portfolio of Malware Embedded Magazines
Another Massive Embedded Malware Attack
I See Alive IFRAMEs Everywhere
I See Alive IFRAMEs Everywhere - Part Two

Related RBN research :
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Friday, March 07, 2008

Injecting IFRAMEs by Abusing Input Validation

More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution :

"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. Attackers appear to have abused the ZDNet search engine's cache by exploiting a script-injection issue, which is then being cached in Google. Clicking the affected link in Google will cause the browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. On March 6, 2008, the research that discovered the initial attack published an update stating that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected by a similar issue."

At 19:45 (EET) all of the sites have their input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good.

How was the IFRAME injection possible at the first place? OWASP lists input validation as one of the top 10 injection flaws for 2007, which in a combination with a site's SEO practice of caching pages with the injected input in the form of a keyword and the IFRAME, is what we've been seeing during the week :

"Input validation refers to the process of validating all the input to an application before using it. Input validation is absolutely critical to application security, and most application risks involve tainted input at some level. Many applications do not plan input validation, and leave it up to the individual developers. This is a recipe for disaster, as different developers will certainly all choose a different approach, and many will simply leave it out in the pursuit of more interesting development."

And since I've already established the RBN connection, it would be perhaps the perfect moment to demonstrate the abuse of input validation by injecting the Russian Business Network's Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected at the first place. The bottom line - even with the input validation flaw accepting and loading the IFRAME, this attack wouldn't have been successful if it wasn't executed in a combination with the sites' keywords caching function.