While analyzing the URLs of malicious redirectors our product had detected, a Flash object hosted on .gov.br domain caught my eye. Since my Portuguese is a little rusty, I turned to a colleague in our office in Brazil, and she confirmed that the domain belongs to the city of Franca in São Paulo, Brazil.
The request highlighted in yellow loads the malicious Flash object which injects an iframe that redirects the browser to another domain (blurred in the screenshot).
It seems that the website was compromised by exploiting the outdated version 1.5 of open-source content management system Joomla. Most likely this is not the only .gov.br website running the unpatched version: Senior Security Researcher Fabio Assolini pointed out in his tweet that incidents on .gov.br domain are very common.
We have contacted the Computer Security and Incident Response Team - CTIR Gov about the incident.
F-Secure detects the malicious Flash object (SHA1:b0c68dbd6f173abf6c141b45dc8c01d42f492a20) as Trojan:SWF/Redirector.EQ. In addition, our Browsing Protection component blocks access to the compromised URLs until the website has been cleaned.