
Visitors collide with malware on Honda Thailand website

It seems several pages on the Honda Thailand website are outfitted with a malicious iframe that loads exploit code intended to install a keylogger/data theft Trojan. ScanSafe STAT discovered the compromise while investigating a series of zero-day blocks on the site. 

The malicious script referenced by the iframe attempts to exploit the Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability described in MS06-071, as well as the RDS Data Control vulnerability described in MS06-014. The following CLSIDs are targeted:

BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS Data Control)
AB9BCEDD-EC7E-47E1-9322-D4A210617116 (Business Object Factory)
0006F033-0000-0000-C000-000000000046 (Outlook Data Object)
0006F03A-0000-0000-C000-000000000046 (Outlook.Application)
6e32070a-766d-4ee6-879c-dc1fa91d2fc3 (Microsoft Update Web Control)
6414512B-B978-451D-A0D8-FCFDF33E833C (Software Distribution Web Control)
7F5B7F63-F06F-4331-8A26-339E03C0AE3D (WMI Object Broker)
06723E09-F4C2-43c8-8358-09FCD1DB0766 (VsmIDE.DTE)
639F725F-1B2D-4831-A9FD-874847682010 (DExplore.AppObj)
BA018599-1DB3-44f9-83B4-461454C84BF8 (Microsoft Visual Studio DTE)
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 (Microsoft.DbgClr DTE Object)
E8CCCDDF-CA28-496b-B050-6C07C962476B (VsaIDE.DTE)

As with several other known malware hosts, the IP for the site hosting the malicious script resolves to HopOne Internet, a US-based co-location provider. HopOne doesn't host sites directly; it does so through its resellers. Those resellers likely sell to other hosting resellers, and so on. These multi-tiered affiliate relationships can shortchange users, since the time it takes to play "who's the real host" extends the time the malware site stays live. And, of course, that's exactly what the attackers want.

Some of the pages that have been compromised were completely replaced by the malicious iframe. For example, a page that should point to a specific automobile model will instead appear (on the surface) to be blank. Other pages have the malicious iframe embedded in the normal page source.
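As an added example (not ScanSafe's tooling, and not code taken from the compromised pages), the following Python checks a fetched page for the two tells described above: an iframe that is off-site or sized down to nothing, and any reference to the CLSIDs listed in this post. The site host and the sample HTML are constructed assumptions.

```python
import re

# CLSIDs the post lists as targeted, normalised to upper case (defender-side watchlist).
TARGETED_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS Data Control (MS06-014)",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116": "Business Object Factory",
    "0006F033-0000-0000-C000-000000000046": "Outlook Data Object",
    "0006F03A-0000-0000-C000-000000000046": "Outlook.Application",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3": "Microsoft Update Web Control",
    "6414512B-B978-451D-A0D8-FCFDF33E833C": "Software Distribution Web Control",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D": "WMI Object Broker",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766": "VsmIDE.DTE",
    "639F725F-1B2D-4831-A9FD-874847682010": "DExplore.AppObj",
    "BA018599-1DB3-44F9-83B4-461454C84BF8": "Microsoft Visual Studio DTE",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19": "Microsoft.DbgClr DTE Object",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B": "VsaIDE.DTE",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
CLSID_RE = re.compile(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.IGNORECASE)

def suspicious_iframes(html, site_host):
    """Return src URLs of iframes that point off-site or are hidden by a 0/1 px size."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        # The injected frame left the page looking blank; zero-size frames are a classic tell.
        tiny = any(attrs.get(a, "").rstrip("px") in ("0", "1") for a in ("width", "height"))
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0].lower()
        offsite = bool(host) and not host.endswith(site_host)
        if src and (offsite or tiny):
            findings.append(src)
    return findings

def targeted_clsids(text):
    """Return watchlisted CLSIDs referenced anywhere in HTML or script text."""
    seen = {c.upper() for c in CLSID_RE.findall(text)}
    return sorted(c for c in seen if c in TARGETED_CLSIDS)

# Constructed samples (not captured from the Honda site): a model page whose body was
# replaced by a hidden off-site iframe, and a script that instantiates a listed control
# alongside a placeholder CLSID that is not on the watchlist.
SAMPLE_PAGE = '<html><body><iframe src="http://malicious.example/x.js" width=0 height=0></iframe></body></html>'
SAMPLE_SCRIPT = ('<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>'
                 '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>')
```

Running both checks over a crawl of a site and alerting on any hit is enough to catch the injection pattern described here; the CLSID list doubles as a proxy or IDS content signature.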

This is the second (known) compromise of the Honda Thailand website in recent months. In October 2007, the Honda Thailand website was defaced by a Turkish hacker who uses the moniker PowerDream.

Posted on Wednesday, April 2, 2008 at 01:30PM by Mary Landesman
