iframe injection attack infects moneycontrol.com

Renowned financial portal moneycontrol.com was compromised with an iframe injection, claims Websense. We conduct a post mortem.

On November 6, 2010, popular financial portal moneycontrol.com was infected with an iframe injection attack, which is very common among Indian websites, claims an alert by Websense. Moneycontrol.com is an official website of Web 18 Software Services Limited, under the Network 18 group. The site has a traffic rank of 36 among users in India, where approximately 93% of its audience is located. It mainly provides news and analysis on the stock market, commodities, personal finance, as well as insurance, with thousands using its portfolio management features. Although the vulnerability was cleaned up by the site on November 7, moneycontrol.com spokespersons declined to comment on the attack.

According to Websense’s analysis, moneycontrol.com was compromised for a short period of time, so the administrators did discover the infection. “They (admins) need to work on accomplishing post-analysis of the incident. This has to be accompanied with a full forensic report to see how the site got compromised in the first place. From there on, the weaknesses found need to be abolished with strong security policies. Those steps will significantly lower the chances of the site to be compromised again,” says Elad Sharf, a Senior Researcher at Websense.

Shomiron Das Gupta, the founder of NetMonastery, a group specializing in real-time attack detection, says that iframe injection is a massive issue among Indian websites and that the primary reason is developers' lack of secure coding practices. “An iframe injection can be exploited to steal passwords and other sensitive information from a user’s computer. A hacker could get access to the user’s portfolio, which might get misused.”

Vijay Sarthy, the head of technology solutions at Network Intelligence India Pvt. Ltd., believes that in this case the hacker most probably exploited a vulnerability in the web application. An iframe injection attack could also result from input validation issues or web servers not being patched properly. Sarthy claims iframe injection attacks can be easily detected and fixed with online tools. “A Web application firewall can greatly help reduce the risk of an iframe injection attack,” says Sarthy. On the dangers posed by such malicious code, Sarthy replies that it all depends on how lethal the malware installed on the system is. “For instance, a command like log all keystrokes could be used to steal passwords,” he adds.

According to general consensus, the simplest and most effective way of avoiding an iframe injection attack is to incorporate secure coding practices. It’s also critical to periodically check Web applications for such vulnerabilities.
