I came across a rather strange referral to hpHosts earlier - strange because it was coming from defense.foreignpolicyblogs.com, a site that has absolutely no reason to refer to the hpHosts website.
I loaded the site up, and did a search for the word "hphosts", and sure enough, it was highlighted. If we look at the source code for the site, and so far, it only appears to be the defense. that is affected by this, we see alot of extra code and links, all pointing to giojewelry.com;
giojewelry.com resolves to 18.104.22.168, which is on the Beltelecom network (AS6697), and is also the same IP that firemicrosoft.net (amongst others) is hosted at.
Given that defense.foreignpolicyblogs.com is still using a very old version of WordPress with known vulnerabilities (according to the source code, they're still using 2.7.1), I think it's pretty safe to say how they were able to get in, when of course this happened, is a different matter (I've not been able to find anything on the many hacker/skiddie forums referencing the site). I'm trying to get in touch with them to get them both cleaned up, and upgraded, I'll report back if I'm successful (and get the ISC involved if I'm not).
As for giojewelry.com, nothing new there I'm afraid, it's your typical OEM software scam site.