As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.
Recently SophosLabs has seen a flurry of detections of Troj/Iframe-JG on legitimate websites, including:
- Primary School websites in England
- Small community websites in Italy
- A nightclub website in London
- The website of an East African nation's TV company
- The website of a trade association of financial advisors in the US
One affected website that I tried to contact was that of the headphone manufacturer Fanny Wang.
Unfortunately the company never responded to messages I posted via their site, and the listed Whois contact email address gave me an error.
Here is a sneak peek into what the SophosLabs web-malware analysis systems see when we examine the Fanny Wang website.
The expert web-malware analysis systems inside SophosLabs don't just scan content with public-facing detection routines (Troj/Iframe-JG), but also with technology that is purely for the use of our researchers. This explains the Guru/Iframe-I detection, which you won't ever see outside of our labs.
The actual malicious code should be easily spotted (and cleaned) by the web developer, as the fake Twitter iframe has been inserted at the start of some legitimate jQuery code.
SophosLabs has yet to hear back from the other organisations that we have informed about this attack, so it is not yet clear how the code injection was perpetrated.
The fact that the jQuery version being used in the above example, version 1.2.6, dates from 2008, and that the current release is version 2.0.0, suggests that the site may not have been patched or updated for quite some time.
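A check a site owner could run over the script files a site serves, covering both observations above: code sitting ahead of the legitimate jQuery banner, and a library copy older than the current release. This is an added example, not SophosLabs code; the function names, the banner pattern, the tolerated closure prefix and the sample strings are assumptions constructed for illustration.

```javascript
// Markup or DOM calls that should never appear ahead of a library banner.
const IFRAME_HINTS = [
  /<\s*iframe\b/i,
  /createElement\s*\(\s*['"]iframe['"]\s*\)/i,
  /document\s*\.\s*write(?:ln)?\s*\(/i,
];
// Matches "/* jQuery 1.2.6", "/*! jQuery v2.0.0" and "/*! jQuery JavaScript Library v1.x".
const BANNER = /\/\*!?[\s*]*jQuery\s+(?:JavaScript Library\s+)?v?(\d+(?:\.\d+){1,2})/;

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// currentVersion defaults to the release the article names as current.
function auditLibraryFile(source, currentVersion = '2.0.0') {
  const m = BANNER.exec(source);
  if (!m) return { verdict: 'no-banner', version: null, outdated: null, hints: [] };
  // Everything before the banner; a byte-order mark and whitespace are ignored.
  const prefix = source.slice(0, m.index).replace(/^\uFEFF/, '').trim();
  // Assumption: an opening closure "(function(){" before the banner is legitimate.
  const benign = prefix === '' || prefix.replace(/\s+/g, '') === '(function(){';
  const hints = IFRAME_HINTS.filter((re) => re.test(prefix)).map((re) => re.source);
  let verdict = 'clean';
  if (hints.length > 0) verdict = 'iframe-before-banner';
  else if (!benign) verdict = 'unexpected-prefix';
  return { verdict, version: m[1], outdated: compareVersions(m[1], currentVersion) < 0, hints };
}

// Constructed samples, not the content of any real site.
const CLEAN = '(function(){\n/*\n * jQuery 1.2.6 - New Wave Javascript\n */\nvar jQuery = window.jQuery;\n})();';
const TAMPERED = 'document.write(\'<iframe src="http://injected.example.invalid/"></iframe>\');\n' + CLEAN;

for (const [name, src] of [['clean', CLEAN], ['tampered', TAMPERED]]) {
  console.log(name, JSON.stringify(auditLibraryFile(src)));
}
```

A structural check like this only catches code placed before the banner; comparing each served file against a known-good copy from the vendor covers injections elsewhere in the file.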
Clearly it's essential for websites to be properly defended, or they will continue to fall victim to attacks such as this.
One of the key things that anyone - whether as an individual or working on behalf of a company - needs to consider when setting up a website is how to choose a good hosting provider from the security point of view.
Update: Although Fanny Wang appears to have cleaned up parts of its website, its pages continue to carry active malicious code. If you're going to pay the site a visit, it's probably worth ensuring you have some sort of real-time web protection running on your PC or in your browser.
Website script image from Shutterstock.