Chinese Security Site Under New Kind of Attack

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

Strange Choice of Target, eh?

[darthflo]

Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
If this really is an ARP-spoofing based attack all other sites in their providers location ought to be vulnerable too and would make better targets, don't you think?

By the way: what's the point in occasinally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

Re:FTFA...

[MichaelSmith]

A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

The CISRT should know better than to use http without SSL.

Chinaons.com

[mattr]

I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.

I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.