14 DAY TRIAL // These days, Jamie Oliver’s website offers more than recipes for appealing dishes, as cybercriminals dropped a malicious bun in the oven that comes with an assortment of Flash, Silverlight and Java exploits.
Unlike the modus operandi specific to exploit kit operators, the celebrity chef’s website did not fall victim to a malvertising campaign but was breached and injected with malicious JavaScript that redirects to another compromised site (antkai[.]com) and then to a landing page hosting an exploit kit.
Exploit kit leverages Flash vulnerability
There is no clear confirmation of the specific browser-based attack tool used by the cybercriminals, but Jerome Segura of Malwarebytes said that the URL patterns pointed to Fiesta EK.
On the other hand, he found contradictory details, such as a piece of malicious JavaScript that had been left unhidden.
The researcher determined that one of the vulnerabilities exploited by the malware was CVE-2015-0311 for Flash Player, which was patched by Adobe towards the end of January, after it had been leveraged for several days by cybercriminals using Angler exploit kit.
Despite a fix being available and the cybercriminals already exploiting the flaw, not all users rush to update Flash and this may put a large number of them at risk, especially since Jamie Oliver’s website sees monthly traffic from about 10 million visitors.
Poor antivirus detection
Segura says that systems running unpatched software would be compromised with a malware dropper that derived benefit from poor antivirus detection on VirusTotal at the time of the analysis, as only two products caught the threat.
At the moment, the detection has increased, although not by much since a set of eight out of 57 antivirus solutions are able to catch the dropper.
According to the researcher, users of a system infected with the malware added by the dropper are tricked “into installing fake software updates which end up wreaking havoc on the system.”
Segura is uncertain if the malicious script became available as a result of a legitimate one being compromised or if it was planted on the website in its entirety.
Two common methods to gain access to a website are to steal the log-in credentials and to exploit a vulnerable plug-in for the content management system (CMS), which in the case of jamieoliver[.]com is the open-source solution Concrete5.
Visitors who do not have the latest software updates for Flash, Silverlight and Jave installed on their systems are advised to avoid Jamie Oliver’s recipe repository until the website is cleaned of the malicious code.