Recently SophosLabs identified a malicious script on the website of a European ticket re-sale company, currently building up to selling tickets for the forthcoming Euro 2008 championships.
The site has been compromised in an attempt to create a classic drive-by download attack. Attempting to purchase tickets through the site will expose the user to a malicious script embedded in the pages (detected by Sophos as Mal/ObfJS-R). The script is intended to load further malicious content from a remote site. However, initial analysis suggests the script is somewhat buggy, perhaps broken whilst being obfuscated?
So, for now, users may not become infected when browsing the site (in some browsers at least). Just as well. The site is likely to attract high numbers of visitors as the championships get closer, and I have had no luck in trying to resolve the issue (contact via email and telephone has thus far been fruitless). Using search engines to find a suitable ticket vendor shows the site has quite a high ranking, including a presence amongst the sponsored links.
It is not the first time we have seen a sporting event involved in an attack: shortly before the 2007 Super Bowl, the website of the Miami Dolphins was compromised in order to infect victims logging on in the days leading up to the event. The Super Bowl attack was almost certainly targeted, timed just before the event. In contrast, the Euro 2008 ticket site has most probably not been specifically targeted, but caught up in a larger, widespread attack.
As we have said many times before, gone are the days when being careful about where you browse is sufficient. The huge number of legitimate sites being compromised presents a risk to all of us, even those who are careful.