Jamie Oliver's Site Cooks Up Fiesta Exploit Kit

The website of celebrity chef Jamie Oliver—which receives 10 million visits per month on average—is infecting visitors with malware through the Fiesta Exploit Kit, which leverages the recently patched Adobe Flash zero-day vulnerability.

First seen by security researchers at Malwarebytes Labs, the attack differs from most web-borne exploits: it was not the result of a malicious ad (malvertising) but rather of a careful and well-hidden malicious injection in the site itself.

Jerome Segura, senior security researcher at Malwarebytes Labs, said in a blog that “drive-by downloads remain the top infection vector, thanks to malicious ads and a wide array of software vulnerabilities for cyber-criminals to choose from.”

“There are also cases, such as this one, where a hack in the site itself is responsible for malicious redirections,” he said. “It can be hard for webmasters to identify the source and it requires a lot of forensic work to find the root cause of the problem.”

Typically, stolen login credentials or a vulnerable plugin can allow an attacker to gain access to a remote server and alter it. In any event, in this case, it all started with a compromised JavaScript file hosted on jamieoliver.com.

Segura said that it could be a legitimate script that has been injected with additional content, or a rogue script altogether. So, the webmasters will need to look for additional evidence of infection, rather than simply restore or delete the offending script.

Malwarebytes said that it contacted the administrators of the site immediately upon discovery of the infection.

“At the end of the day,” Segura added, “people need to take security matters into their own hands and protect their assets with regular updates and proactive security software that does not rely on signatures. This is particularly important as the use of zero-days in exploit kits is more than likely going to be a continuing trend.”
