Hidden iframes still popular blackhat SEO technique to drive "unique visitors"
This particular case, as other similar attacks, is likely to be a part of paid "iframe-traffic shop" blackhat SEO services. Customer buys visitors to his website to improve search engine ranking. The .php file linked in the iframe appears doing nothing and contained "OK" string only (at the time this article was written). The name clk.php is obviously a click-counter method to build the reports and present the "customers". Decoded payload injects the hidden iframe once in 24 hours period to generate "unique visitors" traffic.
Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Submission date: Mon Apr 29 06:44:07 2013
Website malware scanner report
|Quttera | Online Website Malware Scanner|
Here the cookies are used to inject the iframe once in 24 hours period.