Death by iFrame
Hacking site 76service provides a case study in the connection between iFrames, malware and identity theft.
Then, with a portfolio of infected sites, they turn around and sell access to their network. At the time of Jackson’s research, the going rate was one dollar per infection. No one knows how many infected sites 76service paid for. Font.com was one site that accounted for many Gozi infections, likely chosen because of its broadness and the likelihood that unsavvy users would type in that URL if they were looking for fonts. Alchemylab.com was another, according to Jackson. (Both have been cleaned up since.)
Jackson and the anonymous researcher believe 76service may have paid a premium for an enhanced service: exclusive access to and management of the iFramed pages. That allowed 76 and Exoric to easily move their site around (as the good guys had forced them to) without having to constantly ask the iFramers to reconfigure the iFrames to point to the new IP addresses where downloaders and malware had been moved. It is as if you owned a convenience store that you moved every so often, and you could pay for the right to set up your own detours to redirect traffic to the store’s new location.
Someone looking to deposit malware like Gozi on machines has few better options than iFrames, because of their ability to intervene without the user’s help. In a short amount of time, iFrames have become the malware distribution method of choice. Graham Cluley of the anti-virus vendor Sophos says his company’s research shows 8,000 new webpages per day, a quarter-million pages per month, hosting illicit code or activity, most of which, he says, are iFrame exploits. Of those, Cluley says, 70 percent are found on legitimate websites.
iFrames have other advantages, too. Separating the distribution network from the malware, making it a service in itself, speeds up redeployment, because once a site hosts an iFrame, it remains available for distribution of any variant or new piece of malware.