Warning: do not try the URLs here unless your system is locked down properly. I suggest using a "virual machine" (I use VMware) to test things like this. The hack itself is complicated, the system is simple - skip the complicated part if you're in a hurry.

It all started with a posting like this:

When I do a google search for [hide]Jonathan Wentworth Associates[/hide] the first result is:

[hide]Jonathan Wentworth Associates, LTD[/hide]
[hide]Welcome to Jonathan Wentworth Associates, a respected resource for world-class orchestral soloists,
conductors, opera, chamber music, chamber orchestras, ...[/hide]
[hide]www.jwentworth.com/[/hide] - 19k - Cached - Similar pages - Note this

The: [hide]Jonathan Wentworth Associates, LTD[/hide] is highlighted and is a link to the web site. If you place the mouse over the link, it shows [hide]http://www.jwentworth.com[/hide]. However, if you click the link it immeately attempts to download the trojan. My McAfee immediatly blocked it.

Looking at the page in question, it doesn't appear to be hacked, it doesn't appear to have any kind of scripts injected, etc. However, using LiveHTTPHeaders with Firefox, while doing the same steps (search, click on the top result) you see the following:
Continue reading ‘The website hack you’d never find’ »