McCartney site serves up Zeus malware

ScanSafe first noticed its customers receiving the Javascript when visiting the site at 12:30 GMT on Saturday. Attackers had embedded a malicious IFRAME into the site, along with malicious Javascript that used a unique multi-layer obfuscation attack, said ScanSafe's director of product management Spencer Parker.

"There is no other web site, of the billion or so we've visited as part of our service, that's ever done something like this before," Parker said. The Javascript used different character encodings to cloak itself, and also sent an SSL certificate to the browser to encrypt its payload.

The IFRAME and Javascript directed victims' machines to a single IP address (84.244.138.55) based in Amsterdam, which has now been shut down. Reverse IP lookups revealed no information about the site, but it showed up on a malicious IP list.

The IP address hosted the LuckySploit toolkit, which looks for multiple vulnerabilities on target machines, including the recently-patched Adobe PDF bug. Once a vulnerability has been found, the toolkit is believed to have delivered the Zeus trojan onto victims' machines.
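A defender-side check for the injection pattern described above (an IFRAME added to a legitimate page that points at a bare IP or an off-site host and is sized or styled to be invisible), added here as an example and not code from ScanSafe or the article; the sample HTML, the site host name and the 203.0.113.10 address are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


def _px(value):
    """Parse a width/height attribute; missing or non-numeric counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6


class IframeAuditor(HTMLParser):
    """Collect <iframe> tags and flag those that look injected rather than
    part of the site: off-site or bare-IP src, 1x1 size, or hidden by CSS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        try:
            ipaddress.ip_address(host)  # raises ValueError unless host is an IP literal
            reasons.append("src is a bare IP address")
        except ValueError:
            if host and host != self.site_host and not host.endswith("." + self.site_host):
                reasons.append("src is off-site")
        if _px(a.get("width")) <= 1 and _px(a.get("height")) <= 1:
            reasons.append("1x1 or smaller")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, site_host):
    """Return the suspicious IFRAMEs found in a page served from site_host."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate same-site player frame and one injected frame.
SAMPLE_HTML = """<html><body>
<iframe src="/player/embed" width="640" height="360"></iframe>
<iframe src="http://203.0.113.10/in.cgi" width="0" height="0" style="display: none"></iframe>
</body></html>"""
```

Run `audit_iframes(SAMPLE_HTML, "www.example-site.test")` against a fetched copy of a page to list frames worth a closer look; the same-site player frame above produces no finding.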

The quick shutdown of the IP address, together with its timing around the reunion concert, suggests that the attack was designed to harvest the maximum possible amount of traffic.

"They do time their attacks very well. When the hackers find a way to exploit one of these sites and get their code embedded on the page, they will always try and time that for maximum effect," Parker said. "And like a lot of attacks at the moment, it's based on embedding a very small amount of code on the site."

Statbrain, which estimates web traffic to external sites, thinks that www.paulmccartney.com has been getting almost 5,000 hits per day. Alexa shows a slight uptick in traffic over the weekend.

ScanSafe said that McCartney's team appeared to have cleaned up the site sometime after 7:30pm GMT on Monday. Earlier yesterday, Google searches were still listing the site as potentially harmful. By yesterday evening, searches were coming up clean.
