
Website Compromises: Understanding Web Malware

From , former About.com Guide

The old advice for avoiding Web malware was to stick to known, reputable websites. But thanks to website compromises, the notion of the known, trusted website has fallen by the wayside.

Today, a single visit to a single Web page can result in content being delivered from multiple domains across the globe. In most cases, this third-party content is delivered via a standard HTML tag known as the iframe.

HTML (HyperText Markup Language) can be described as the building block of Web pages. HTML is a plaintext coding language that browsers digest in order to render the Web pages we see on our computers. HTML tags and their elements have pre-defined actions tied to them. The <iframe> tag is used to tell the browser to also load the Web page or document specified within that iframe. In other words, the iframe is used to merge information from another location with the current Web page being viewed.

JavaScript is a standard - and ubiquitous - scripting language that enables a Web page to interact with other applications. While HTML tells the browser the basics of what should be included on the page and how it should look, JavaScript adds the ability for the page to interact with other objects - for example, the ability to play a Flash movie inline with the Web page. To access these other objects, script source references are used; effectively, the <script src="…"> tag is equivalent in practice to the <iframe src="…"> tag.
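Because both tags pull content from wherever their src attribute points, the first thing a site owner checking for a compromise wants is a list of every <iframe> and <script src> on a page that points off-site, plus any iframe sized to be invisible. The following scanner is an added example written for this article, not code from the original page; the sample HTML, the host names in it (example.com, cdn.example.net, third-party.example.org) and the "0 width or height means hidden" rule are assumptions made for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one third-party script,
# and a zero-sized iframe pointing at another domain.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
<iframe src="http://third-party.example.org/ad.html" width="0" height="0"></iframe>
</body></html>
"""


class IncludeCollector(HTMLParser):
    """Records every <iframe> and <script> start tag that carries a src."""

    def __init__(self):
        super().__init__()
        self.includes = []  # list of (tag_name, {attribute: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.includes.append((tag, attr_map))


def collect_includes(html):
    """Parse the page and return all src-bearing iframe/script tags."""
    collector = IncludeCollector()
    collector.feed(html)
    return collector.includes


def third_party_includes(html, site_host):
    """Return (tag, src, host) for every include whose host is not site_host.

    Relative paths (no host) are first-party and skipped; protocol-relative
    URLs such as //other.example/x.js still yield a host and are checked."""
    hits = []
    for tag, attr_map in collect_includes(html):
        host = urlparse(attr_map["src"]).hostname
        if host and host.lower() != site_host.lower():
            hits.append((tag, attr_map["src"], host))
    return hits


def hidden_iframes(html):
    """Return the src of every iframe declared with a width or height of 0."""
    return [
        attr_map["src"]
        for tag, attr_map in collect_includes(html)
        if tag == "iframe" and "0" in (attr_map.get("width"), attr_map.get("height"))
    ]


if __name__ == "__main__":
    for tag, src, host in third_party_includes(SAMPLE_HTML, "www.example.com"):
        print(f"off-site {tag}: {src} (host {host})")
    for src in hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe: {src}")
```

A first-party CDN would of course show up here too, so the useful workflow is to keep an allow-list of expected hosts and alert only on hosts outside it; the functions return plain tuples so that comparison is a one-line filter.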

Website developers use a combination of HTML and Javascript, along with a myriad of other scripting languages, to code the pages for their website that will, when opened in a browser, provide the Web surfer with the graphical and interactive view of that website's content. The backend to many (if not most) of these websites is the database.

The database can function as a repository for information collected from the Web surfer, or as a repository for the information to be provided to the Web surfer. A content management system (CMS) can dynamically build a Web page based on the information contained within the database. Interacting with the database requires yet another language; one of the most common is Structured Query Language, or SQL.

The most common SQL injection attack sends a malformed query to the SQL database via some input mechanism (e.g. a search or other input field, or directly as part of the URL). If the input is not properly sanitized, the database can act upon the malformed query as if it were a command rather than a request for information. And because Web page content can be based upon the information contained in the database, this can result in tainted content being embedded on the compromised site.
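The difference between "request for information" and "command" comes down to whether user input is pasted into the SQL text or passed to the database driver as a bound value. The following added example (not from the original article) shows a search function written both ways against an in-memory SQLite table; the table, its rows and the search terms are constructed for the demonstration. With the concatenated version, a term containing a quote character changes the meaning of the WHERE clause; with the parameterised version, the same term is matched literally and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample CMS table with two articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Gardening tips", "Water in the morning."),
            ("Staff picnic", "Saturday at noon."),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Bad: the search term becomes part of the SQL statement itself."""
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Good: the term is bound as a value; the database never parses it as SQL."""
    rows = conn.execute("SELECT title FROM articles WHERE title = ?", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # A term with an embedded quote rewrites the WHERE clause in the
    # concatenated version and matches every row.
    crafted = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, crafted))
    print("safe:      ", search_safe(db, crafted))
```

The same rule covers the "tainted content" case: an UPDATE or INSERT built by concatenation can be made to store markup the author never wrote, while a bound parameter stores exactly the bytes supplied. Sanitising is a second line of defence; parameterisation is the primary one.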

Without the automated tools provided in the underground economy, attacking any website would be a manual, time-consuming process and would require a certain level of skill and expertise. Criminals, more than any other business, are constantly mindful of their return on investment - seeking out ways to make illicit money with a minimal expenditure of time and talent. It was this constraint that had kept mass website compromises at bay for over a decade. But with those constraints removed, the criminals were quick to move in and the Web was soon to become increasingly hostile.

By the early part of 2008, waves of SQL injection attacks had felled hundreds of thousands of websites, impacting millions of Web pages and infecting an untold number of Web surfers in the process. And things were about to get a whole lot worse.

In Spring 2008, Web attackers merged with botnet operators - in effect, the criminals embraced 'the cloud' and began delivering malware-as-a-service through these powerful distributed networks of infected computers. The effects were real and immediate.

Stolen FTP credentials are also a common method of website compromise. Typically, the victim's login credentials are stolen either through phishing or (more commonly) via a password-stealing trojan. Once the FTP username and password have been stolen, the attacker can log in directly to the website. Increasingly, Web attackers then plant PHP backdoors or other web shells on the compromised website, allowing the attacker continued access even if the FTP username and password are changed.
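Since a planted backdoor survives a password change, the practical check after a credential theft is a file-level one: compare the web root against a known-good manifest and look for new files and modified files. The following added example (not code from the original article) builds a SHA-256 manifest of a directory tree and reports additions, removals and modifications; the temporary web root, its file names and the simulated tampering are all constructed for the demonstration.

```python
import hashlib
import pathlib
import tempfile


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests; 'added' is where a planted backdoor would show up."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { color: black; }")
        baseline = build_manifest(root)

        # Simulated tampering: an existing page is edited and a new PHP file
        # appears in a directory that should only hold stylesheets.
        (root / "index.php").write_text("<?php echo 'hello'; ?><!-- edited -->")
        (root / "css" / "x.php").write_text("<?php /* placeholder for a planted file */ ?>")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken from a clean deployment (or from version control) and stored off the web server, so that an attacker with FTP access cannot simply update it; a PHP file appearing under a static-content directory is exactly the kind of finding this comparison is meant to surface.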

©2012 About.com. All rights reserved.
