Last night, Roger’s Information Security Blog detailing the hacking of the legendary singer Van Morrison’s website.
From the description of the hack I would have expected Sophos to have been detecting the site as Mal/Iframe-F. Naturally, I visited the site, in a secure manner, to see what I could see. Unfortunately, I didn’t see an Iframe as described.
What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site (blacklisted for Sophos customers since Oct 7th). The WHOIS record that remote site strangely says:
Address : 56/2 Sun str.
City : Dallas
Province/State : beijing
This morning I wrote detection for the obfuscated script, as Troj/Iframe-DD.
After further digging on our systems we have seen multiple infections on this site:
How long has the site been infected? and how many infections will it have before the sites security is updated?