I was wrong in my earlier assessment that the three treasury websites had been cleaned… the attack site was simply tracking ip addresses, and would not serve the iframe on subsequent visits.I really should have noticed that earlier, and have no excuse except that it was very early. And pre-caffeine.
Folks should stay away from the sites mentioned until they’re cleaned.