Slashdot Mirror

← Back to Stories (view on slashdot.org)

Jamie Oliver's Website Serving Malware

Posted by samzenpus on from the worse-than-nuggets dept.

jones_supa writes While routinely checking the latest exploited websites, Malwarebytes came across a strange infection pattern that seemed to start from the official site of British chef Jamie Oliver. Contrary to most web-borne exploits we see lately, this one was not the result of malicious advertising but rather carefully placed malicious JavaScript injection in the site itself. This, in turn, has been used to serve visitors a delicious meal consisting an exploit kit downloading the Dorkbot trojan. Malwarebytes has contacted the administrators immediately upon discovery of this infection.

4 of 125 comments (clear)

  1. Re: one word: Barbecoa by Nikademus · · Score: 4, Informative

    Ah, yes, that gospel of truth, The Daily Mail.

    http://www.thetimes.co.uk/tto/...
    http://www.independent.co.uk/n...
    http://www.telegraph.co.uk/foo...
    http://www.standard.co.uk/news...
    http://www.theguardian.com/lif...
    http://www.news.com.au/enterta...

    --
    I gave up with the idea of an useful sig...
  2. Re:Is javascript dangerous? by Dahamma · · Score: 4, Informative

    Your post is a hot mess.

    So, you want Javascript to be secure, but not allow the user downloading it to be able to see what they are running? Do you even understand how Javascript works in a browser beyond "hitting F12?" For the love of WTF, they are not "seeing the Javascript on your site", you are letting them DOWNLOAD the Javascript to their computer and then run it.

    How, precisely, do you expect an interpreted text file to be hidden from a web browser that downloads and executes an interpreted text file? And more importantly, WHY would a browser want to let you do that, unless to obscure what you are trying to run on a user's computer?!?

    The sum total of Javascript exploits is a browser that allows Javascript exploits. If they were implemented correctly there would be no problem.

  3. Re:Is javascript dangerous? by hcs_$reboot · · Score: 4, Informative

    Oh and I even have a car analogy: the GPS guidance system [JS] in your car [OS] has no much power - it cannot impact directly your speed, wheel direction, breaks, etc... However if someone happens to inject some code into your GPS, and have it give wrong directions, your car is still not directly impacted by that hacking. However, the system may change your itinerary and guide you to a dangerous place you were not supposed to go would the GPS work normally.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  4. Re:Is javascript dangerous? by DarkTempes · · Score: 5, Informative

    Browser Javascript is already limited in what it can do and access.

    And in this case even if you had NoScript installed (which is different from turning Javascript off entirely in your browser) and the main Jamie Oliver website whitelisted you'd still have been protected because what the JS was doing was creating an iframe to another site and loading Flash/Silverlight/Java exploits inside of that.

    And note that even with a compromised site where they were able to inject their own JS that they still had to rely on Flash/Silverlight/Java rather than just Javascript to download and run the trojan.
    So to answer your question: No, Javascript isn't really dangerous. Poorly written browser plugins are.