Proof That Iframes Are Not Risk Free

This one loaded drive-by-malware, a popular tactic.

Malicious iFrame on US Treasury and other sites?

https://community.websense.com/blogs/securitylabs/archive/2010/05/04/treasury-websites-compromised.aspx