Commtouch / Stopbadware investigate compromised websites hosting malware

The sites, says Commtouch, are then being used as destination URLs for spammed emails that entice users to 'click through' for various reasons.

One of the emails that has been appearing with some frequency over the last three weeks, says the IT security researcher, advises recipients that a booking on Delta airlines has been rejected, and asks them to click on the email for further information.

And, of course, Infosecurity notes, with the Christmas season approaching, there's a fair chance that many recipients will have booked a trip on Delta and will click on the link supplied.

"The social engineering of an attack such as this is very effective - particularly since the email looks very authentic," says Turiel in his advisory security posting, adding that if you are planning a trip, the email will look wrong and you might click so that you can correct the errors.

And if you hadn't ordered any tickets, he notes, you might click so that you could sort out the misunderstanding and prevent any incorrect charges.

Turiel reports that the email uses a URL redirection to a malicious site that takes advantage of the Adobe Flash Exploit (CVE-2011-0611) and Java Plugin LaunchJNLP DocBase Exploit (CVE-2010-3552) to download and execute a binary file from an infected site.

What's interesting about the exploit, Infosecurity notes, is that the JavaScript on the destination page is built 'on the fly' from the data included on the same page.

Commtouch says that the malware seen on the download is detected as W32/Cridex.A, which focuses on stealing sensitive financial credentials.

Alongside the Delta spammed emails, Turiel says his team has also detected a similar scammed email ostensibly from American Airlines and which has a zipped attachment containing an airline ticket - AA_Ticket.exe.

"The extracted file displays an MS-Word document icon," he says, adding that this malware is detected as W32/Trojan3.DAB, which focuses on downloading additional malware to a compromised system and is similar to the Bredolab trojan.

Keeping your anti-virus definitions up to date, says the Commtouch researcher, as well as updating the Adobe Flash Player and Java plugin to their latest versions, will help protect users against this threat.

Commtouch and Stopbadware are conducting a survey of web site owners who have had - or are currently having - their sites hacked and misused.

The survey, says Turiel, seeks to answer questions such as:

How did the compromise happen?

What did the cybercriminals do with your stolen site?

How were you made aware of the hack?

What did you do to fix the problem?

The two companies plan to reveal details of their findings later in the year.