At the end of last week, SophosLabs received a report from a customer saying that when they visited a certain site they received virus reports for Mal/ObfJS-A, Exp/Animoo-A and Mal/JSShell-B. The site in question is a household name, which made the customer initially query the virus detections, believing that such a global brand could not be infected. When I visited the site, I found that it did indeed link to malicious files.
So what had happened? Was the global brand’s website compromised? Or was something more sinister happening?
The global brand’s site loaded some content from a third-party marketing company. However, the marketing company’s site had been compromised so that it now linked to malicious content on a remote server (we are aware of several thousand other sites similarly compromised). The net effect is that users browsing the global brand’s site are exposed to the malware.
Who is to blame?
The hacker and then the marketing company. The global brand, in this case, was an innocent party. However, from a customer's perspective the big company appears guilty – when their site was browsed, the machine was hit with malware.
Remember, adding third-party content can be a risky business. You have to make sure that their security policies match yours; otherwise you lose your reputation.
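A first step toward that check is knowing which outside hosts your pages pull active content from. The following is an added example, not part of the original post: it lists the third-party hosts a page loads scripts, frames and similar content from and reports any that are not on a reviewed list. The sample page, the host names and the `unreviewed_hosts` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags (and the attribute) that make a browser fetch and run or render remote content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src",
               "object": "data", "link": "href"}

class ThirdPartyInventory(HTMLParser):
    """Collects every off-site URL referenced by an active-content tag."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.found = []  # (tag, host, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host/ forms
        host = urlparse(url).hostname
        if host and host != self.first_party:
            self.found.append((tag, host, url))

def unreviewed_hosts(html, page_url, reviewed):
    """Return the sorted third-party hosts in `html` that are not in `reviewed`."""
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    return sorted({host for _, host, _ in parser.found if host not in reviewed})

# Constructed sample input: a page on a hypothetical brand site.
PAGE_URL = "https://www.brand.example/"
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.brand.example/lib.js"></script>
<script src="//ads.marketing-partner.example/campaign.js"></script>
</head><body>
<iframe src="http://tracker.unknown.example/frame.html"></iframe>
<img src="https://images.other.example/logo.png">
</body></html>
"""
REVIEWED = {"cdn.brand.example"}  # hosts whose security practices were assessed

if __name__ == "__main__":
    for host in unreviewed_hosts(SAMPLE_PAGE, PAGE_URL, REVIEWED):
        print("unreviewed third-party host:", host)
```

A static inventory like this sees only the hosts your own markup names. Content served by those hosts can in turn reference further servers, which is how the malicious files reached visitors in the case above.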