Another major site compromise

Overnight, SophosLabs became aware of another fairly major Italian website that has been compromised. Alarm bells rang when the site's homepage was blocked by Sophos as Mal/ObfJS-A. After confirming that the page had indeed been compromised and was actively serving up malware, we began the process of contacting the relevant people to get the site cleaned up and minimise the number of potential victims.

The compromise consisted of appending a malicious script to the bottom of the page, in order to silently load more malicious content when a user browses that page. The additional content loaded is also detected by Sophos products (JS/DlrShl-A).
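For site owners, a script appended to the bottom of a page is something an integrity check against a known-good copy can catch. The following is an added example, not SophosLabs code: it assumes you keep a baseline copy of the page, and the sample HTML and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record every <script> element and whether it follows </body> or </html>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = []
        self._current = None
        self._closed = False  # True once </body> or </html> has been seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "after_close": self._closed}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None
        elif tag in ("body", "html"):
            self._closed = True


def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def fingerprint(script):
    material = (script["src"] or "") + "\0" + script["body"].strip()
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def unexpected_scripts(baseline_html, served_html):
    """Return scripts present in the served page but absent from the baseline."""
    known = {fingerprint(s) for s in collect(baseline_html)}
    return [{"src": s["src"], "inline_chars": len(s["body"]),
             "after_close": s["after_close"], "sha256": fingerprint(s)}
            for s in collect(served_html) if fingerprint(s) not in known]


# Constructed sample: a clean page, and the same page with a script appended.
BASELINE = ('<html><head><script src="/js/site.js"></script></head>\n'
            '<body><h1>News</h1></body></html>')
SERVED = BASELINE + "\n<script>/* constructed placeholder */</script>"
```

A finding with `after_close` set to true is a script sitting after the document's closing tags, which legitimate templates rarely produce.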


Browsing statistics for the site in question reveal that the website has an average of almost half a million unique visitors each week. A lot of potential victims. As the site is cleaned, and we glean more information about how the attack happened, and its purpose, I will post an update. So, watch this space!