    When the hunter becomes the hunted

    The Nigerian Economic and Financial Crime Commission (NEFCC) is a law enforcement agency that investigates terrorism, cybercrime, scams and financial frauds within its region. This is its website:

    [Image: efccnigeria.jpg]


    Recently, we received a report that this legitimate website had been compromised. We decided to verify this report and check the site out for ourselves. Sure enough, when we viewed the HTML source for the NEFCC’s website, something suspicious came up:

    [Image: efcc-source.jpg]


    This is an IFRAME tag, which loads another HTML document into the page currently loaded in the browser. In this case, the IFRAME tag references an obfuscated URL on a domain separate from the NEFCC’s. It redirects the browser to a couple of URLs that display a fake error page but actually contain malicious JavaScript routines. This malicious JavaScript code is detected by Trend as JS_PSYME.AOO and JS_PSYME.ANT. Both scripts attempt to download malicious executable files that are detected as TROJ_WOPLA.DS, TROJ_NIDIS.OF, and TROJ_NURECH.BE.

    [Image: efcc-flowchart.jpg]


    This is a classic case of a script-based Trojan downloader that is triggered by simply viewing a webpage. In this case, however, the webpage is not one that offers fake codec downloads or free stuff. It is a legitimate page, compromised only by a malicious IFRAME tag inserted into its HTML source. It is quite ironic that an organization dedicated to fighting cybercrime has been targeted by malware perpetrators. This just shows that even those directly involved in security can become targets as well.
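
A site owner can audit served pages for the kind of injected IFRAME described above. The following is an added example, not code from the original post: the host names and sample HTML are constructed, and treating percent-encoding as the obfuscation and zero-size frames as hidden are assumptions, since the post does not show the actual tag.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Percent-escapes of ASCII letters, digits, '.', '/' and ':' never need
# encoding in a URL, so their presence in a src is treated as obfuscation.
NEEDLESS_ESCAPE = re.compile(r"%(?:2[eEfF]|3[0-9aA]|[46][1-9a-fA-F]|[57][0-9aA])")

class IframeAuditor(HTMLParser):
    """Collect <iframe> tags that look injected rather than authored."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (decoded src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        raw = a.get("src", "").strip()
        decoded = unquote(raw)  # compare hosts after undoing the encoding
        host = (urlsplit(decoded).hostname or "").lower()
        reasons = []
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site host " + host)
        if NEEDLESS_ESCAPE.search(raw):
            reasons.append("percent-encoded src")
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append((decoded, reasons))

def audit(html, site_host):
    """Return the suspicious iframes found in one page of HTML source."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one authored frame, one injected-looking frame.
SAMPLE = """<html><body><h1>Agency home page</h1>
<iframe src="/press/video.html" width="640" height="360"></iframe>
<iframe src="http://%62%61%64.example.net/e.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE, "agency.example.org"):
        print(src, "->", ", ".join(reasons))
```

Running a check like this against the pages a web server actually returns, and comparing the result with the last known-good copy of the site, surfaces an inserted frame before visitors report it.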




