Users who visited ParisHilton.com during the weekend and on Monday were met with a pop-up box that informed them they needed to "update" their systems, according to web security firm ScanSafe, which first reported the infection on Monday. The dialogue box gave users the option to choose "cancel" or "OK," but any click downloaded the malware.
“Regardless of what you click, the execution will occur -- the download has already happened,” Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com late Monday. “The user is trapped. The user is a complete victim. All they did is visit a website.”
The infection, first detected by ScanSafe on Friday, was cleared late Monday night, the company said on Tuesday.
If infected, end-users risk having their banking credentials exposed, Landesman said. For enterprises, the malware can redirect and intercept all their HTTP and internal network traffic.
"Anything that can intercept web traffic is a pretty big cause for concern -- combined with the standard keylogging and data theft capabilities," Landesman said. "On a scale of one to 10 for the malware you most don't want on your system, this would definitely be a 10."
Just seven out of 38 anti-virus scanners initially detected the exploit, she said. None of the mainstream anti-virus scanners picked it up, and the “vast majority” of people would not have gotten an alert from their AV software.
Landesman said she is unsure how the attackers were able to compromise the site, but a method such as SQL injection could be to blame.
What is standard about this compromise and others of this type is that an IFRAME or similar HTML element is embedded somewhere in the site to load malicious content from an attacker-owned site, Landesman said.
Cybercriminals use the trusted site, in this case ParisHilton.com, as a “net” to capture victims, she said.
The same malware also was detected on the website sexy-celeb-photos[dot]com, and other mom-and-pop sites, but the malicious code appears to have been rendered from you69tube[dot]com, Landesman said. Businesses should block that site, she said.
To clear this up on the website's end, operators must remove the malicious code, determine how and where the compromise occurred, and secure the vulnerabilities that led to the compromise, Landesman said.
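One practical check a site operator can run while hunting for the injected-IFRAME pattern described above: an added example, not code from ScanSafe or the article, that walks a page's HTML and flags IFRAME, SCRIPT, OBJECT and EMBED loads from hosts other than the site's own (the sample page, the site host and the attacker hostname are constructed placeholders).

```python
"""Flag off-site IFRAME/SCRIPT/OBJECT loads in a page's HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected, hidden IFRAME.
# "attacker.invalid" is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><head><title>Fan site</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example-partner.net/widget.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://attacker.invalid/load.php" width="0" height="0" style="display:none"></iframe>
<img src="/img/logo.png"></body></html>"""


class ExternalLoadScanner(HTMLParser):
    """Collect elements that pull active content from hosts other than the site's own."""
    LOAD_ATTRS = {"iframe": "src", "frame": "src", "script": "src",
                  "object": "data", "embed": "src"}

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        url = a.get(attr)
        if not url:
            return
        host = (urlparse(url).hostname or "").lower()
        if not host or host == self.site_host or host in self.allowed:
            return  # relative, same-origin, or explicitly allow-listed load
        # Zero-sized or display:none frames are the classic drive-by giveaway.
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in (a.get("style") or "").replace(" ", ""))
        self.findings.append({"tag": tag, "host": host, "url": url, "hidden": hidden})


def scan_html(html, site_host, allowed_hosts=()):
    """Return a list of off-site loads found in html; empty list means none."""
    scanner = ExternalLoadScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "www.example.com", ["cdn.example-partner.net"]):
        print(finding)
```

Run it against each page fetched from the live site (not a cached copy) so an injection served only to visitors is not missed; every unexplained external host is a lead for the "how and where" step of the cleanup.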
A representative from ParisHilton.com could not be reached for comment.