Earlier on today I noticed that the web site for one of the embassies in Paris has been hit by malware. This continues the "YAE" (yet another embassy) series we introduced in previous blogs [1,2,3].
This current attack provides a classic example of some of the techniques that the rogue AV criminals are using.
1. SEO techniques. The attackers appear to have exploited a content management system (CMS) being used on the embassy site, in order to upload numerous keyword-stuffed pages (typically called "doorway" or SEO pages). Users searching for popular terms may end up clicking through to one of these pages, starting the infection process.
3. Fake AV payload. The redirection script checks the referrer (the HTTP Referer header) before redirecting the user to the appropriate payload, so the page does not behave the same way for every visitor.
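Because the redirection script keys its behaviour off the referrer, fetching a suspect page once from a scanner or a browser address bar tells you little. The practical check is to request the same URL several times with different Referer headers and compare what comes back. The script below is an added example for this post, not code from the compromised site or from any product: `simulated_doorway` is a constructed stand-in for a referrer-cloaking doorway page (the hostnames `embassy.example` and `payload.example` are invented), and `probe_referrer_cloaking` is the check, which also works against a live site through the `http_fetch` helper.

```python
"""Detect referrer-based cloaking on a suspect page.

Added example: fetches one URL with no Referer, with a search-engine
Referer and with a same-site Referer, then reports any probe whose
status, Location header or body differs from the no-Referer baseline.
Hostnames and the simulated doorway page are constructed for the demo.
"""
import hashlib
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Referrers a doorway script typically treats as "came from a search".
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header, if the server redirected
    body: bytes


Fetcher = Callable[[str, Dict[str, str]], Response]


def simulated_doorway(url: str, headers: Dict[str, str]) -> Response:
    """Constructed model of a cloaking doorway page (not real malware code).

    Search-engine visitors get bounced to the payload host; everyone else,
    including a site owner clicking around, sees a harmless keyword page.
    """
    referer_host = urlparse(headers.get("Referer", "")).netloc.lower()
    if referer_host in SEARCH_ENGINE_HOSTS:
        return Response(302, "http://payload.example/scan.php", b"")
    return Response(200, None, b"<html><body>embassy visa embassy visa ...</body></html>")


def benign_page(url: str, headers: Dict[str, str]) -> Response:
    """Constructed control page that ignores the referrer entirely."""
    return Response(200, None, b"<html><body>Opening hours</body></html>")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the 30x itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Response:
    """Real fetcher for use against a live site (not exercised offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Response(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:  # raised for the 30x we refused to follow
        return Response(err.code, err.headers.get("Location"), err.read())


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def probe_referrer_cloaking(url: str, fetch: Fetcher) -> List[Tuple[str, int, Optional[str]]]:
    """Return [(probe_name, status, location)] for every probe that differs
    from the no-Referer baseline. An empty list means no cloaking was seen."""
    probes = {
        "none": {},
        "google": {"Referer": "https://www.google.com/search?q=embassy+paris+visa"},
        "same_site": {"Referer": url},
    }
    results = {name: fetch(url, dict(hdrs)) for name, hdrs in probes.items()}
    baseline = results["none"]
    findings = []
    for name, resp in results.items():
        if name == "none":
            continue
        if (resp.status, resp.location, _digest(resp.body)) != (
            baseline.status, baseline.location, _digest(baseline.body)
        ):
            findings.append((name, resp.status, resp.location))
    return findings


if __name__ == "__main__":
    target = "http://embassy.example/news/visa-info.html"  # constructed URL
    print("doorway:", probe_referrer_cloaking(target, simulated_doorway))
    print("benign :", probe_referrer_cloaking(target, benign_page))
```

Run against a live page by passing `http_fetch` instead of the simulated fetcher. Two caveats: some cloaking scripts key on the User-Agent (for example only serving the redirect to browsers, never to crawlers), so add a browser User-Agent to the probe headers when testing a real site, and a page that differs only in a rotating advert or timestamp will also show up as a difference, so review the flagged responses rather than treating any diff as proof.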
Digging deeper into the embassy site, it is not surprising that it has been hit. The version of the CuteNews CMS application it is running is out of date (v1.4.6 appears to be the latest version).