Embassy of India in Spain found serving remote malware through iFrame attack

Hacking an embassy’s website to use it as malware distribution point is not something new, neither is the use of the iframe injection attack, but it’s still surprising the number of infected sites out there.

Earlier this morning I was alerted to this problem by a colleague who was trying to access www (dot) embajadaindia (dot) com to sort out some paperwork related to my employer’s offices in India. When he tried to load the site, the desktop antivirus displayed the following pop-up alert:

Sophos Alert - www (dot) embajadaindia (dot) com

The alert description is fairly self-explanatory, though a quick look at the source code erases all doubt:

Infected php source code - India embassy in Spain

Everything indicates that the site was compromised and those invisible iframe tags appended to the index.php (and possibly other files too) to load multiple pieces of malware from the following domains:

  • msn-analytics.net
  • pinoc.org
  • wsxhost.net

Obviously, do not visit any of these sites as, at the very least, it is known that they have facilitated the distribution of malicious software in the past. In fact, Google’s Safe Browsing Diagnostic page reports that one of those domains has hosted malicious software that has infected at least 33 domains in the last 90 days, as shown below.

Google Safe Browsing Diagnostic

Although the attack vector is still unknown, it’s likely to be due to either weak directory and file permissions or a vulnerability in one of their PHP scripts. Actually, similar effects were reported to the Joomla! discussion forum back in September last year, so I guess we must be dealing with the same kind of attack.
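For site owners who want to check their own pages for the pattern described above (invisible iframes pointing off-site, appended to index.php), here is an added example, not code from the original post; the hostnames in the sample are constructed placeholders on the .invalid TLD:

```python
# Added example (not from the original post): flag off-site iframes that are
# hidden by 1x1/0x0 dimensions, display:none, visibility:hidden or `hidden`.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_tiny(value):
    """True for width/height of 0 or 1 pixel, e.g. "1", "0px"; None is not tiny."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def find_hidden_iframes(html, site_host):
    """Return [(src, reasons)] for iframes pointing off-site that are also hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if not host or host.lower() == site_host.lower():
            continue  # relative or same-site frames are not the injection pattern
        reasons = []
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 or 0x0 dimensions")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: a normal page with an injected tail after </html>; the
# hostnames are placeholders on the .invalid TLD, not the domains from the post.
SAMPLE_HTML = ('<html><body><iframe src="/maps/embed" width="400" height="300"></iframe></body></html>'
               '<iframe src="http://dropper-one.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>'
               '<iframe src="http://dropper-two.invalid/x.html" style="display:none"></iframe>')

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML, "www.embajadaindia.com"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Run it over the served HTML of each page (not only index.php, since other files may have been modified too) and treat any hit as a reason to pull the site offline and compare against a known-clean copy.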

I’ve personally reported this security issue to the Embassy of India in Spain, and it’s expected they will be taking some action to remove the iframe tags sooner rather than later. In the meantime, please DO NOT VISIT THE SITE.


Published by

Ismael Valenzuela

Global Director, Foundstone Consulting Services at Intel Security, GSE #132 & SANS Instructor for Digital Forensics & Cyberdefense tracks