Wagamama site compromised, but noodles are still good
The Websense ThreatSeeker Network has detected that the website hxxp://goeast(dot)wagamama(dot)com, associated with Wagamama (a Japanese and sushi restaurant chain), has been compromised and injected with malicious code, also known as a RunForestRun attack.
Websense customers are protected from this threat with ACE, our Advanced Classification Engine.
Image 1: The site is injected with code which redirects to a .js file with obfuscated code.
Image 2: The /global.js java script file on goeast.wagamama.com includes injected code (marked with red).
When a visitor goes to the site, injected script deobfuscates into an iframe with a peudo-random URL, based on the date and time. The visitor is automatically redirected to a malicious site, which is currently down.
Image 3: The obfuscated script injected into the /global.js file looks like this.
Image 4: The injected code translates to an iframe that redirects to an exploit site without user interaction.
Image 5: The randomly generated URL from October 1, listed in http://pastebin.com/iZWFrDPC (lsvdxjpwykxxvryd(dot)ru // Mon Oct 01 2012 01:00:00. entry 195).
Fortunately, this type of attack was discovered some time ago, so the generated URLs are proactively blocked.