Hackers inject malicious code to spread malware

Jan 14, 2009 09:34 GMT  ·  By

Identity thieves hacked the website of the Hilton business empire heiress, Paris Hilton, and used it to distribute a financial information-stealing Trojan. Visitors to the website were prompted with a malware-pushing dialog box masquerading as an update.

High profile websites are always a target for identity thieves, because they provide a larger pool of potential victims. The name and reputation of celebrities, such as Paris Hilton's, are also constantly being used in spam and phishing campaigns.

This latest attack was first documented by Web security company ScanSafe on January 9, but the company's researchers say they are not sure when it really began. According to them, the cyber-criminal succeeded in embedding a rogue iFrame into the website, through which a variant of the Zbot (Infostealer) Trojan was distributed.
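
Injected iframes like the one described above are typically hidden from visitors (zero-pixel size or CSS that suppresses rendering) and point at a host the site does not own. The following is an added example, not code from the article, from ScanSafe, or from any site involved, showing how a site owner can scan their own HTML for such indicators. The page markup and the allowlisted host `www.example-site.test` are constructed for the example; `evil-cdn.invalid` is a placeholder, not a real indicator.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus two iframes that show
# the classic signs of injection (foreign host, 0x0 size, hidden via CSS).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-site.test/player" width="640" height="360"></iframe>
<div><iframe src="http://evil-cdn.invalid/path/loader.php" width="0" height="0"
     style="visibility:hidden"></iframe></div>
<iframe src="/local/widget" style="display:none"></iframe>
</body></html>
"""

# Hypothetical allowlist: hosts the site is expected to embed content from.
SITE_HOSTS = {"www.example-site.test"}

# Inline CSS that keeps an iframe out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser already lowercases attribute names.
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Parse a width/height attribute such as '0', '0px' or '640'; None if absent."""
    if value is None:
        return None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def suspicious_iframes(html, site_hosts):
    """Return [(src, [reasons])] for every iframe that looks injected.

    Indicators: src on a host outside the allowlist, a 0/1-pixel frame,
    or inline CSS that hides the frame. A frame with no indicators is skipped.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []

        host = urlparse(src).hostname
        if host and host not in site_hosts:
            reasons.append(f"external host {host}")

        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero/one-pixel size")

        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")

        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, SITE_HOSTS):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a fresh copy of each page (fetched with the site's own crawler or from disk), not just the homepage; in the incidents the article describes, the injected frame sat in otherwise legitimate markup, so an allowlist of expected embed hosts is the check that catches a foreign src even when the attacker leaves it visible.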

Zbot is a Trojan designed to steal online banking information, and it also features a rootkit component. The malicious application injects code into several legitimate Windows components; it intercepts network traffic and keyboard input, logs clipboard contents, redirects traffic, and is also able to download and install additional malware.

The fake update prompt displayed to the visitors of ParisHilton.com pushed the download of the Trojan, regardless of whether it was accepted or canceled. There is no precise information on how the website was compromised, but Mary Landesman, senior security researcher at ScanSafe, speculated in a phone interview with InformationWeek that a vulnerability in the Joomla content management system might have been the culprit.

A similar incident was recently reported on the website of Major League Baseball (MLB), but unlike that drive-by attack, the Paris Hilton incident did not give users the option to ignore the dialog box. The dialog box had to be clicked in order to continue browsing the website, which practically forced users into downloading a malicious PDF file.

The harmful PDF file exploits a vulnerability in Adobe Reader that was patched in November, and, when opened, it downloads and installs additional applications. Ms. Landesman said that the malware downloaded in this case was not detected by all anti-virus products.

The issue was corrected on Tuesday, and the website is now clean. However, this is not the first time that Paris has come into contact with hackers. Her T-Mobile phone account was compromised in 2008, and private data as well as photos were stolen. In addition, hackers also bypassed the security of her Facebook account and got access to personal pictures.

Update: We have been contacted by Elin Waring, president of Open Source Matters, part of the Joomla! Project, who disputed Ms. Landesman's claim that a vulnerability in the Joomla! CMS was responsible for this incident. "The site [Paris Hilton's] is not a Joomla site nor (from a look at the wayback machine) has it ever been," stressed Mr. Waring, in an e-mail to Softpedia.