The name iframe hacking derives from the way the attack is carried out: through an HTML iframe tag. Iframe is short for inline frame and is the name of the HTML tag
<iframe> </iframe>. Iframe tags can be used to insert content from another website within a web page as if it were part of the current page. While this is useful for building user-friendly web applications and for legitimately embedding cross-site content, hackers misuse the feature to insert content from their own malicious website.
In an iframe attack, the hacker embeds a malicious iframe code snippet in a page of your website. When anyone visits that page, the hidden iframe silently downloads and installs a Trojan or other malware, such as a key-logger, on the unsuspecting visitor's computer if that computer is not adequately protected. Over a short period, many of your site visitors' computers can become infected. Your website soon becomes known as a source of viruses and may be blacklisted by the internet community; search engines will also ban your website, causing severe damage to your reputation and business.
Below is an example of hidden iframe code embedded in a web page:
The Gumblar attack is an example of this type of iframe hacking.
Some iframe hackers cause no direct damage to your website or its visitors, but simply embed an iframe to display an ad, taking advantage of your website's traffic, or redirect your visitors to their own site to increase its traffic and improve its search engine rank. Some SEO experts adopt this unscrupulous technique to drive traffic to their clients' websites.
Below is an example of a visible iframe embed that may be used to display an ad:
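Both kinds of injected iframe described above, the hidden drop-frame and the visible third-party ad frame, can be picked out of a page's HTML by a site owner auditing their own files. The following is an added example, not code from the original article; the hostnames and the sample page are constructed for illustration.

```python
# Added example (not from the original article): a defender-side audit a site
# owner can run over their own saved HTML to spot injected iframes.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0(?:px)?\b|(?:left|top)\s*:\s*-\d{3,}", re.I)

def _tiny(value):
    m = re.match(r"\s*(\d+)", value or "")  # width/height of 0 or 1 pixel
    return m is not None and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, [reasons it looks suspicious])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden-by-css")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append("third-party:" + host)
        self.findings.append((a.get("src", ""), reasons))

def audit_iframes(html, site_host):
    """Return [(src, reasons)] for iframes with at least one suspicious trait."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return [f for f in p.findings if f[1]]

# Constructed sample page: one legitimate same-site embed, one hidden injection.
SAMPLE_HTML = """<html><body>
<iframe src="https://example.com/map" width="400" height="300"></iframe>
<iframe src="http://evil.example/drop.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_HTML, "example.com"):
        print(f"SUSPICIOUS iframe {src!r}: {', '.join(why)}")
```

A legitimate same-site embed of normal size produces no finding, while a frame that is zero-sized, hidden by CSS, or served from a host other than your own is reported with each reason listed.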
If your website is hacked, it does not necessarily mean your hosting server is lacking in security. Most iframe hacking happens on websites whose owners access their hosting account from an insecure computer. If your computer is infected with key-logger malware, the moment you log in to your hosting account the malware secretly passes your login credentials to the hacker. The hacker then logs in to your hosting account as a legitimate user and modifies your website's HTML pages to embed the malicious iframe code.
Iframe code injection can also take place on a code-driven website that uses PHP/ASP to handle forms. If the form-handler code is not securely designed, it may allow code injection via SQL injection. Read more about SQL injection.
FTP Account: If you use FTP, you risk exposing your password to hackers because FTP passes credentials between your FTP client and your website in plain text. Use a program like WinSCP, or any FTP client that lets you connect to your site over SFTP or SCP. Both of these methods encrypt your user name and password, making it much harder for a hacker to recover them even if they intercept the traffic with a packet sniffer.
Hosting Control Panel: Whenever you log in to your hosting control panel, always use a secure SSL port. Keep your passwords difficult to guess and use a password generator to create them. Never reuse the same password across different sites or control panels, and change your passwords frequently.
Infected Computer: If your personal computer is infected with a virus, Trojan or spyware, there is a chance the hacker captured your login credentials when you logged in to your hosting account. Install good anti-virus software on your computer and keep it up to date.
XSS (Cross Site Scripting) vulnerability in your website: If your site has an XSS vulnerability, there is a high risk of this type of hacking.
SQL Injection: If your site is not designed to prevent SQL injection, a hacker can easily gain access to your database and insert malicious code.
CEO, Computer Solutions
Rajeev Kumar is the primary author of How2Lab. He holds a B.Tech. from IIT Kanpur and has several years of experience in IT education and software development. He has taught a wide spectrum of people, including fresh young talents, students of XLRI, industry professionals, and government officials.
Rajeev founded Computer Solutions and WebServicesWorldwide.com, and has hands-on experience building a variety of web applications and portals, including SaaS-based ERP and e-commerce systems, independent B2B, B2C, matrimonial and job portals, and many more.