
Jamie Oliver website, RedTube distributes malware via malicious iFrames

An attack affecting visitors of popular porn video streaming website RedTube is very similar to one that used the website of celebrity chef Jamie Oliver to spread malware via a malicious iFrame, researchers at Malwarebytes Lab said Wednesday.

The Jamie Oliver website was reportedly clean as of Wednesday, after the server-wide hack was first seen by the Malwarebytes Labs research team on Friday, Jerome Segura, senior security researcher at Malwarebytes Labs, said in a Wednesday email.

The attack began with visitors being redirected to a compromised WordPress website via a malicious iFrame injected into the Jamie Oliver website.

A piece of code “that can dynamically load an external webpage by embedding it within the current site,” an iFrame is “one of the easiest ways to compromise a website, but [it] can be hard to spot,” Segura said.
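The article notes that an injected iFrame is hard to spot because it loads an external page while staying invisible to the visitor. The following is an added example, not code from the article or from Malwarebytes, of the kind of check a site owner could run over their own pages to surface such frames. It flags iframes that are hidden by CSS (on the frame or an ancestor), that have near-zero dimensions, or that point to a host outside an allowlist. The sample HTML, the `.invalid` hostname and the heuristics are all constructed for illustration and are assumptions about what an injected frame looks like, not a definitive detector.

```python
"""Flag suspicious <iframe> elements in a page's HTML (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate video embed and one injected,
# hidden 1x1 iframe pointing at an external (made-up) host.
SAMPLE_HTML = """
<html><body>
<h1>Recipes</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<div style="display:none">
<iframe src="http://example-wordpress.invalid/wp-content/x.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""

# CSS fragments that make an element invisible or push it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "source"}


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px' into an int (None if absent)."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Record every iframe together with whether it sits under a CSS-hidden ancestor."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._hidden_depth = 0   # how many open ancestors are hidden via style
        self._stack = []         # one bool per open element: was it hidden?

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            self.iframes.append({
                "src": a.get("src", ""),
                "width": _dim(a.get("width")),
                "height": _dim(a.get("height")),
                "style_hidden": hidden,
                "ancestor_hidden": self._hidden_depth > 0,
            })
        if tag not in VOID_TAGS:
            self._stack.append(hidden)
            if hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Assumes reasonably well-formed markup: each end tag closes the last open element.
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1


def find_suspicious_iframes(html, allowed_hosts):
    """Return iframes that are hidden, tiny, or load from a host not in allowed_hosts."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        host = (urlparse(f["src"]).hostname or "").lower()
        reasons = []
        if f["style_hidden"] or f["ancestor_hidden"]:
            reasons.append("hidden via CSS")
        tiny_w = f["width"] is not None and f["width"] <= 2
        tiny_h = f["height"] is not None and f["height"] <= 2
        if tiny_w or tiny_h:
            reasons.append("tiny dimensions")
        if host and not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            reasons.append("external host " + host)
        if reasons:
            findings.append({"src": f["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, ["youtube.com"]):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run over a crawl of your own site, the allowlist holds the embed providers you actually use; anything else that is hidden, tiny, or off-site is worth a manual look, since a legitimate embed rarely needs to be invisible.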

The compromised WordPress website then redirected users to the landing page of the Fiesta Exploit Kit so long as certain conditions were met, such as the victim not using a VPN.

“The bad guys want to stay under the radar from crawlers, honeypots and security researchers in general who often use VPN providers to cycle through a pool of IP addresses,” Segura said. “If the redirect only happens to genuine home users, it is less likely to be spotted by a security company.”

The Fiesta Exploit Kit was observed launching Flash, Silverlight and Java exploits, and anyone whose system is vulnerable could have been infected with malware identified as Trojan.Dorkbot.ED.

“This particular piece of malware hooked itself in the web browser and started hijacking the search results on our test machine in the lab,” Segura said. “The bad guys are monetizing the infections by redirecting users to bogus sites or scam pages.”

Segura said that the threat is a drive-by download attack and that no interaction is required for a user to be infected with the malware. He explained that the Jamie Oliver website was likely compromised by an attacker who stole administrator credentials, but he added that access could have been gained via server side vulnerabilities.

Meanwhile, a very similar attack had been affecting popular porn video streaming website RedTube. Although the issue was reportedly fixed within hours of being discovered on Sunday, visitors in this incident were redirected to the Angler Exploit Kit via a malicious iFrame.

Researchers with the Malwarebytes Labs team said in a Wednesday email that they identified the attack on Sunday, and that viewing “any video on the site [pushed] the malicious iFrame.”

The Angler Exploit Kit was observed exploiting Flash zero-day CVE-2015-0313 and distributing malware that belongs to the Kazy trojan family, which “is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” according to the Malwarebytes Lab post.
