In the security industry, Italy is probably best remembered for three things: the gay porn worm that hit the Italian senate in 2004, the Gromozon/LINKOPTIM event (2006), and more recently, the Italian Job (2007). Not surprisingly, other attacks followed (see this, this), and over the past couple of days, TrendLabs researchers were again alerted to a couple of malicious activities that seem to be trying to make their own marks — however bad — on the country.
The first attack is a slew of email messages purporting to come from “CAFF” (Comando Antifrode — which, by the way, is a non-existent organization), asking recipients to visit a very legitimate-looking Web site because they are supposedly under investigation. Unbeknownst to these recipients, the Web site contains links that download malware.
This incident comes on the heels of another that TrendLabs has been monitoring because it appears to take a page from the Italian Job. Research Engineer Juan Pablo Castro came across several Italian Web sites that had been hacked and had a folder named portal_memberdata/portraits/{random string} inserted in order to redirect users to adult sites or fake pharmaceutical sites, among others.
Upon further investigation, it was found that all the compromised sites were created using Plone, an open-source content management platform. Juan Pablo believes that the miscreants took advantage of a vulnerability in the platform (there have been some discovered before, such as this one, according to AusCERT) to perform the above-mentioned redirection routine.
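For administrators of Plone sites, the folder path described above can be checked for in Web server access logs. The following is an added example, not code from TrendLabs or Plone; it assumes common/combined log format, that a genuine member portrait is a single image object with nothing beneath it, and that the redirection shows up as an HTTP 3xx status. The sample log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Common/combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
MARKER = "/portal_memberdata/portraits/"   # path fragment named in the post
REDIRECTS = {"301", "302", "303", "307"}   # 304 is excluded: normal for cached images

def find_suspect_entries(lines):
    """Map each suspicious entry under MARKER to hit/redirect counts and client IPs."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path = unquote(urlsplit(target).path)
        idx = path.find(MARKER)            # also matches Plone sites mounted under a prefix
        if idx == -1:
            continue
        name, _, child = path[idx + len(MARKER):].partition("/")
        if not name:
            continue
        # Assumption: a genuine portrait is a single image object, so a request
        # below it (folder behaviour) or an HTTP redirect deserves a look.
        if not child and status not in REDIRECTS:
            continue
        entry = findings.setdefault(path[:idx + len(MARKER)] + name,
                                    {"hits": 0, "redirects": 0, "clients": set()})
        entry["hits"] += 1
        entry["redirects"] += status in REDIRECTS
        entry["clients"].add(client)
    return findings

# Constructed sample log lines (documentation IP ranges, made-up names and dates).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:01:02 +0100] "GET /portal_memberdata/portraits/mrossi HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2008:10:05:40 +0100] "GET /portal_memberdata/portraits/mrossi HTTP/1.1" 304 -',
    '198.51.100.7 - - [01/Jan/2008:10:07:11 +0100] "GET /portal_memberdata/portraits/qzxkvbnw/index.html HTTP/1.1" 200 812',
    '198.51.100.9 - - [01/Jan/2008:10:09:30 +0100] "GET /portal_memberdata/portraits/qzxkvbnw/page2.html HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Jan/2008:10:09:31 +0100] "GET /news/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, info in find_suspect_entries(SAMPLE_LOG).items():
        print(path, info["hits"], info["redirects"], sorted(info["clients"]))
```

Entries it reports are leads to inspect in the Plone management interface, not confirmed compromises.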
Trend Micro already blocks malicious URLs and detects malicious files related to these recent attacks.


