The AVG Web Threats research group has detected an obfuscated redirect on a page belonging to a vendor listed on the US Transportation Security Administration (TSA) website.
Visitors following the link on a TSA page were also served exploits via a Blackhole exploit kit. AVG personnel alerted TSA and the vendor to the problem and the link has been removed.
The TSA page at http://www.tsa.gov/travelers/airtravel/assistant/locks.shtm contained an image link to the “Travel Sentry” service at http://www.travelsentry.org/.
The company appears to be Swiss, judging by the WHOIS contact information for its site.
Earlier in the day the injected script was different, though still detected by AVG, and led to http://walksquestionmark.in/404notfound.
Both of these exploit sites served up a packed script that redirected to a second packed script: an MDAC exploit which attempts to download and run an executable from the same server.
Obfuscated Blackhole script
AVG Web Threats Research Team