Inline frames (iFrames) are an easy way to embed content from another site onto your own. This element allows you to insert another document inside an HTML page and can be really useful for embedding interactive applications like Google maps, advertisements and ecommerce applications.
iFrame elements are also popular with website attackers because it allows them to easily load malicious content from their own servers.
Attackers often use this feature to insert malicious content into compromised sites for the purpose of spam redirection, phishing, and distributing malware. We’ve investigated and documented a couple of interesting scenarios including popular social media sites like Tumblr and Facebook.
Affiliate Cookie Stuffing
Many ecommerce websites offer affiliate programs that allow online marketers to generate revenue. These affiliates are provided with an affiliate ID that stores a cookie within a user’s browser for a specified duration. If the user makes a purchase before the cookie has expired, the affiliate is awarded commission for that sale.
Earlier this year, we discovered that attackers were injecting their own cookies within iFrames on hacked sites to receive more affiliate commissions.
What made this attack unique was that it didn’t technically serve any malicious content. If a user engaged with the page containing the iFrame on the compromised website, it simply transferred an Amazon affiliate cookie to the user’s browser.
Invisible iFrames & Amazon Cookies
Here’s an example of an Amazon affiliate URL hidden within an iFrame:
<iframe src="http://amzn.to/REDACTED" style="visibility: hidden;"></iframe>
When users visit a webpage with a hidden iFrame like this one, their browser loads all of the content regardless of whether the user can see it or not. This includes all images, scripts, styles and of course affiliate cookies, which are then stored within the browser.
Some attackers will inject up to 20 different hidden affiliate iFrames on a single page to maximize opportunity. These invisible iFrames are known to make page load times slower and can result in a negative user experience, but are otherwise harmless to users.
If the user happens to purchase an item on Amazon before the injected iFrame’s cookie expires, the attackers will receive a commission for the purchase.
With over 300 million Amazon users, it’s clear that the attackers took advantage of Amazon’s large user base to increase the likelihood that a purchase would be made after distributing their cookies.
By compromising more websites and distributing their injected affiliate iFrames, exposure is maximized, as is the number of commissions generated for these black hat marketers, making it clear that unprotected websites are a valuable resource for bad actors.
Compromised websites provide an environment for attackers to inject invisible iFrames with affiliate cookies and generate revenues. Cookie stuffing violates the terms of most large affiliate programs, though this rarely deters attackers if they stand to make easy commissions.
To mitigate the risk of serving unwanted affiliate cookies or decreased site performance, website owners can keep a close eye on modifications to their website files by using an integrity monitoring service. This service will make it easy to spot any suspicious activity or compromises.