Embassy of Portugal in India Serving Malware

DANCHO DANCHEV's Blog ^ | WEDNESDAY, MARCH 25, 2009 | Dancho Danchev

[Cindy]

Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to its visitors. As of last Friday, the official web site of the Embassy of Portugal in India has been compromised (embportindia.co.in). Who's behind the attack? Interestingly, that's the very same group that compromised the Azerbaijanian Embassies in Pakistan and Hungary earlier this month. Assessing this campaign once again establishes a direct connection with the Rusian Business Network's pre-shutdown netblocks and static locations.

[Cindy]

Previously...

http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html

WEDNESDAY, MARCH 11, 2009
“Azerbaijanian Embassies in Pakistan and Hungary Serving Malware”

SNIPPET: “Both embassies are embedded with identical domains, parked at the same IP and redirecting to the same client-side exploits serving URL operated by Russian cybercriminals.”

[Cindy]

Previously...

http://ddanchev.blogspot.com/2009/03/ethiopian-embassy-in-washington-dc.html

“Ethiopian Embassy in Washington D.C. Serving Malware”
by Dancho Danchev
(March 18, 2009)

SNIPPET: “Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Washington D.C (ethiopianembassy.org) has been compromised and is currently iFrame-ed to point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a multitasking mode since the iFrame used to act as a redirector in several other malware campaigns.

Despite that the iFrame domain (1tvv .com/index.php) is already “taken care of”, details on the original campaign can still be provided.”