Exploits have been served through an injected IFrame

Apr 9, 2009 12:59 GMT  ·  By

ScanSafe, a global provider of SaaS Web security, has announced that the official website of multiple Grammy Award-winning artist Paul McCartney has been compromised by hackers. The attackers injected a hidden IFrame into the site's pages; the frame silently pulled in a remote page that served multiple exploits to visitors.

The incident took place shortly before Paul McCartney reunited on stage with former Beatles colleague Ringo Starr. The two performed together for the first time in seven years at the David Lynch fundraising concert in New York on April 4th.

According to the company, the attack was detected on Saturday at 12:36pm GMT and the people behind it were most likely trying to profit from the increased number of website visitors, who were looking for information about the upcoming event.

The malware distributors exploited a cross-site scripting (XSS) weakness in order to inject a hidden IFrame, which in turn loaded heavily obfuscated JavaScript code. That code belonged to LuckySploit, a well-known crimeware (exploit) kit that bundles exploits for a range of popular client software and picks one to fire based on what the visiting browser and its plugins reveal.
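The injection described above leaves a recognisable artefact in the served HTML: an IFrame that the visitor is never meant to see. The following scanner, an added example and not ScanSafe's tooling or anything from the McCartney site, walks an HTML document with the standard-library parser and flags IFrames that are hidden by tiny dimensions, CSS (`display:none`, `visibility:hidden`, off-screen positioning) or the `hidden` attribute. The sample page, including the `example.invalid` source URL, is constructed for illustration.

```python
"""Flag hidden IFrames of the kind injected into compromised pages.

Added example (not ScanSafe's code). Heuristic static scan of served HTML:
it catches frames written directly into the markup, which is what the
McCartney incident involved, but not frames created at runtime by
obfuscated JavaScript; pair it with a rendered-DOM check for those.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a legitimate embed followed by an injected hidden frame.
SAMPLE_HTML = """
<html><body>
<h1>Tour dates</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div>
<iframe src="http://example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""

_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_STYLE_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)  # e.g. left:-9999px
_STYLE_TINY = re.compile(r"(?:width|height)\s*:\s*0*[0-2](?:px)?\s*(?:;|$)", re.I)


def _dimension(value):
    """Parse a width/height attribute ("1", "1px", "100%") into a number; None if unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+(?:\.\d+)?)", value)
    return float(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> start tag that looks deliberately concealed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}  # value is None for bare attributes
        reasons = []
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if (w is not None and w <= 2) or (h is not None and h <= 2):
            reasons.append("tiny dimensions")
        style = a.get("style") or ""
        if _STYLE_HIDDEN.search(style):
            reasons.append("hidden via CSS")
        if _STYLE_OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if _STYLE_TINY.search(style):
            reasons.append("tiny dimensions via CSS")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"src": a.get("src") or "", "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src': ..., 'reasons': [...]} for each concealed IFrame in html."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"suspicious iframe -> {hit['src']} ({', '.join(hit['reasons'])})")
```

Run it against every HTML response your crawler or proxy sees for a site you own; a visible embed with real dimensions passes, while a 1x1 or CSS-hidden frame pointing at a third-party host is exactly the pattern reported here. Treat hits as a lead for manual review, not proof of compromise, since some ad and analytics tags legitimately use small frames.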

LuckySploit is used by cyber-criminals to install banking Trojans, rootkits and other malware onto computers running outdated applications. "Once your computer is infected with a rootkit, none of your personal information is safe," Spencer Parker, director of product management at ScanSafe, explains. "Users should be aware that the majority of malware distribution is now occurring through mass compromise of legitimate and reputable websites," he warns.

Meanwhile, Mary Landesman, one of ScanSafe's senior security researchers, links the incident to a larger series of similar attacks that traces back to the Zeus botnet. "These outbreaks track back to the Zeus botnet which was implicated in a $6 million dollar commercial account heist on 20 European banks in the summer of 2008," she writes.

In regard to the crimeware kit, the researcher points out that, "Luckysploit is a bit unusual inasmuch as it uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser."

The company notes that the administrators of McCartney's official site reacted quickly and that the malicious code has been removed. Cleaning the injected markup stops the drive-by, but a site that keeps the underlying injection weakness open can be reinfected just as quickly. The episode shows once more that cybercrooks move fast and seize any event that brings a surge of visitors to a legitimate site as a chance to enlarge their pool of potential victims.