Naked Chef Had Malware on the Menu

As our friends at El Reg put it earlier this week:

Hacker recipe: a dash of Flash, a sprinkle of Silverlight, a pinch of Java and YOU’RE DONE”

The Naked Chef website, which serves around 10 million visitors each and every month, was hacked recently according to security experts at Malwarebytes. If you were using the latest versions of Adobe Flash and Microsoft Silverlight (which you should be), you would have been okay. According to Daily Mail, “The bug has now been removed and the star has apologized to anyone affected by the issue.”

JamieOliver.com Screenshot
JamieOliver.com Screenshot

The friendly experts at Malwarebytes were the ones to discover the clever malware that was injected into the actual website via iframes. The attack consisted of redirecting visitors to a third website running WordPress that attempted a drive-by download to force malware onto the unsuspecting user’s home computer.

The Attack

On the Malwarebytes advisory page, they have a very detailed rundown of the attack. Basically, a javascript file was compromised. In that file, the attackers obfuscated code that loaded an iframe on a second infected website not related to Jamie Oliver’s site. Once visitors to JamieOliver.com were redirected to the hacked WordPress site, a version of the Fiesta EK (Exploit Kit) was pushed to the user’s computer using exploits in Flash, Silverlight and Java.

The Payload

If the user’s computer was infected, the Trojan.Dorkbot.ED was installed. This final payload does search redirection and a bunch of other nasty stuff thanks to a little file named Olive.bin. In addition to the forced redirects, the Trojan.Dorkbot.ED also prompted users into installing fake software updates – Java, for example – that seriously messed up their system.

The Solution

After the problem was brought to the attention, those responsible for the website took action quickly – a lot more quickly than Moonpig’s security problems. A spokesman for Jamie Oliver told the Daily Mail, “The team at jamieoliver.com found a low level malware problem and dealt with it quickly. The site is now safe to use.”

The SSL Takeaway

In cases like this, when a web server is compromised, it’s not enough to simply copy over the affected files with fresh ones. Instead, you want to take the time to examine your overall network to find out how the system was infiltrated in the first place. Without taking this step, there’s a good chance the bad guys are going to come back by exploiting the same security hole.

And, as we learned by looking at Moonpig, you don’t want to just ignore the problem. By taking action quickly – like in this case – you can hopefully maintain trust levels with your visitors and customers. While SSL might not have been able to stop this particular website hack, it’s still a good idea to follow the SSL best practices and protect all the pages on your website.

Do you visit the JamieOliver.com website frequently? We’d love to hear your opinion. Leave a comment below and join the conversation!