Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY.

It turns out that the Police Authority has a new site and the infected site is an old one that just leads the user to the new site:

Unfortunately, the old site also contains a malicious script, appended after the closing /HTML tag.

There are several ways of migrating users to a new website:

  • Deleting the old and let a search engine take the strain
  • Doing Server side redirects
  • Asking the ISP to point the old website to the new sites IP address.
  • and relying on client side redirects.

There are benefits and costs for all the above methods, however, from a security point of view having an old abandoned (not updated and secured) website is the worst.