Once in February and another time in March, Malwarebytes researchers observed the website of celebrity chef Jamie Oliver redirecting visitors to the Fiesta Exploit Kit and infecting their systems with malware – now, the website has been affected for the third time in a very similar attack.
Although the website is no longer compromised, anyone who visited the Jamie Oliver website on May 9 could have been infected, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com in a Tuesday email correspondence.
The attack was possible because the chef's website was compromised and was serving a hidden iFrame, Segura said. Simply navigating to any portion of the website triggered malicious code embedded directly on the site, which then redirected the visitor to the Fiesta Exploit Kit – all without any user interaction.
The Fiesta Exploit Kit was observed exploiting vulnerabilities in Flash and Java in order to infect visitors with two pieces of malware.
“The drops were two trojans, with one being identified as a Poweliks-like type of malware which achieves persistence using the registry and no actual file on disk,” Segura said. “The malware has password stealing capabilities which could harvest banking credentials and others.”
The Jamie Oliver website team acknowledged the issue and is working towards a complete fix, a Tuesday post states. Segura said he believes that the issue occurred for a third time because the previous attacks were likely never fully cleaned up.
“[The Jamie Oliver website team has] discovered backdoors that were responsible for the re-infection but are also looking at professional help externally,” Segura said, adding, “It's entirely possible the same actors have been in control of it all this time.”