Pancake Day - Jamie Oliver site served recipes with a side of Malware
Websense® Security Labs™ researchers are aware of malicious activity recently present on the Jamie Oliver official website. Jamie Oliver is a UK-based celebrity chef with over 10 million visits per month, and is browsed to by users globally. As observed by Malwarebytes, his site (jamieoliver.com) has been compromised by a direct injection and known to have served malicious content. With an Alexa global ranking of 5280, and 519 in the UK, the site makes a prime target for malicious actors. This was especially true yesterday - Pancake Day - when foodies were seeking delicious recipes. This is an interesting compromise considering the use of a direct injection, as malicious actors have recently been favoring malicious advertisements for distribution.
[Update 18 Feb 2015] We have been able to contact Jamie Oliver's management company who confirmed they are aware of the threat and are currently performing their own investigations.
- Jamie Oliver Compromised Page
The compromised page observed was hxxp://www.jamieoliver.com/recipes/. A quick Google search for Jamie Oliver reveals that it is the second returned result. This page hosts a call to a JS file which was either injected or modified by the malicious actors:
The file disguised as a legitimate JS file, whether injected or modified, was observed hosting obfuscated redirection content. Researchers at Malwarebytes have analysed the content and found two layers of obfuscation which lead user to a second compromised site via an iFrame.
- Compromised WordPress site
The second compromised site works as a location from which to pivot the user. It is of interest based on the fact that users not directed from the Jamie Oliver site, as well as those using VPN services, will not be served exploit content. The same goes for second time visitors.
- Exploit Content Delivery
Once a user has met the checks in place, they are directed to exploit content such as the following example: hxxp://tgsquy.sisokuleraj[.]xyz/images/30913695361424116048.js. Target JS files are generated randomly and more than one hostname has been observed. Websense Labs has been following the use of this Top Level Domain (TLD) in malicious activity.
Websense customers were protected at the time of compromise via our Reputation Category Set. Additional protection has now been added within ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:
- Stage 3 (Redirect) – ACE has protection against the malicious redirection that leads to the Exploit Kit
- Stage 4 (Exploit Kit) – ACE has protection against the Fiesta Exploit Kit content via the Reputation Category Set.
Compromises of high-profile non-business sites showcase that users' personal lifestyles can also have an effect on the security of an organization. While browsing leisure sites is a legitimate practice in today's business climate, it can also expose business resources to content which might not have such high security standards - if any at all. Additionally, Websense customers should ensure that publicly-available communication channels are always up to date. This can ensure that any third party attempting to reach you is able to do so in a timely fashion. Whether content injection on Pancake Day is a coincidence or intentional, we have observed malicious actors leveraging current events for malicious purposes. Who's next on the attacker's list? After Valentine's Day and Pancake Day, Chinese New Year is right around the corner. Websense users should remain ever vigilant when any form of contact demands immediate action, or relates to topics not typically thought of as a security risk.
Blog contributors: Jose Barajas, Carl Leonard, Rajiv Motwani, Nick Griffin and Tamas Rudnai