Security researcher Dancho Danchev cited numerous examples of high profile websites hit by attackers, believed to be part of the infamous Russian Business Network.
Wal-Mart, Target, USA Today, and several university websites displayed an awful truth in search results observed by Danchev. They and many others received unwanted search optimization via the injection of iframes through code added to search queries into their sites.
The attacks started two weeka ago, and have evolved into what Danchev wryly called “what looks like a large scale web application vulnerabilities audit of high profile sites.” He believes over a million search queries have been poisoned, due to insufficient security on the web applications affected by them.
When people do a site search on the affected domains, these infected sites redirect visitors via the iframes to bogus security software or variants of the notorious Zlob Trojan malware. Zlob grabs malware from other servers, and loads it onto a compromised PC.
Danchev noted in his post the IP addresses of the iframes being injected into these high profile sites resolve to locations in New York City, Berlin, and Panama. He noted Google is actively filtering search results leading to iframes on the affected servers, which makes it hard to determine going forward which sites may have been newly infected.
Blame poor input validation for the problem. The web applications being victimized are not sanitizing code being appended to search queries made on their sites, resulting in search results being poisoned. InfoWorld noted how these results sometimes get submitted by the sites back to Google, where other searchers will find the malicious pages.
