Attackers are increasingly using sophisticated filtering and dynamic content to avoid detection by search engines and web filtering firms. Many sites that Sophos found hosting attacks are using complex logic to limit who is served malicious content. The goal was to serve malicious attacks (either iFrame attacks or malicious Javascript) to uninfected hosts. The code analyzed by Howard included local IP blacklists that ensured search engine bots were only served clean HTML pages, while users who had already been hit didn t get reinfected.
Source: https://threatpost.com/hackers-targeting-iframe-attacks-p-sites-102011/75782/