Iframe directs to Fiesta exploit kit landing page

Feb 27, 2015 00:31 GMT  ·  By

Cybercriminals have found a way to distribute their malicious payloads and hide their traces by planting rogue code into the web page displayed when accounts are suspended.

Security researchers found that the crooks use this trick to make visitors believe the site they reached is no longer active, which makes it harder to work out how their computer was compromised.

Website appears dormant but it is highly active

Jerome Segura of Malwarebytes found the mischievous tactic on websites managed through cPanel, one of the most used web hosting administration panels.

The clue that the “Account Suspended” page carried more than a notice of inactivity was that it was not served from the root of the domain, as a genuine suspension page normally would be.

Segura found evidence that a legitimate website had been compromised and a fake “Account Suspended” page included a malicious iframe leading to the landing page of Fiesta exploit kit.

Exploit kit checks for vulnerable Flash, Silverlight, PDF and Java

Both the URL pointing to the attack tool and the size attributes of the iframe change constantly, a tactic meant to defeat basic blacklisting and signature-based security tools.

When a user loads the malicious page, it fingerprints the web browser and checks whether it carries vulnerable plug-in versions. The analysis showed that the malicious code was obfuscated to hinder identification.
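The two signals described above, a suspension notice served off the domain root and an iframe whose source and size keep changing, can be matched structurally rather than by string. The following is an added example, not code from the article or from Malwarebytes; the URL, hostnames and HTML are constructed placeholders, not real indicators.

```python
# Added example: flag a served "Account Suspended" page that carries an
# injected iframe. A genuine suspension notice sits at the site root and
# needs no iframe; an injected one points off-site and its URL and size
# attributes rotate, so the check keys on structure, not on literal values.
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(page_url, html):
    """Return src values of iframes that look injected: off-site or tiny."""
    site = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src") or ""
        host = urlparse(src).hostname
        offsite = host is not None and host != site
        try:
            tiny = int(frame.get("width", 1)) <= 2 or int(frame.get("height", 1)) <= 2
        except ValueError:  # non-numeric sizes (e.g. "100%") are not "tiny"
            tiny = False
        if offsite or tiny:
            findings.append(src)
    return findings


def is_fake_suspension_page(page_url, html):
    """Suspension text off the root plus an injected iframe is the red flag."""
    looks_suspended = "account suspended" in html.lower()
    off_root = urlparse(page_url).path not in ("", "/")
    return looks_suspended and off_root and bool(suspicious_iframes(page_url, html))


# Constructed sample (hypothetical hostnames): a suspension notice reached
# under a deep path, with a 1x1 iframe pointing to an off-site landing page.
SAMPLE_URL = "http://victim.example/news/article.php"
SAMPLE_HTML = """<html><body>
<h1>Account Suspended</h1><p>This Account has been suspended.</p>
<iframe src="http://landing.example.net/abc123" width="1" height="1"></iframe>
</body></html>"""
```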

Segura noted on Thursday that the Fiesta landing page calls multiple exploits, for Flash Player (CVE-2015-0311), Silverlight (CVE-2013-0074), PDF (CVE-2010-0188) and Java (CVE-2013-2465); only one of them is used against a given outdated computer.

“This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as ‘already terminated by the hosting provider’, when in fact it’s not,” the researcher concludes.

The general recommendation is to apply all the latest software patches issued by developers, especially for browser plug-ins.

Image captions: Page code is scrambled to hinder analysis; Malicious iframe directing to Fiesta landing page