Vulnerabilities / Threats
1/12/2009
07:53 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Paris Hilton's Web Site Infected With Malware

A security company said it found a similar threat, a malicious ad, on Major League Baseball's MLB.com last week.

Once again, hackers have targeted technology associated with Paris Hilton.

This time it's her Web site, ParisHilton.com.

Security researchers at ScanSafe report that anyone visiting Hilton's site risks infection with malware.

"Hilton's popular website, ParisHilton.com, has been outfitted with malware prompting site visitors to 'update' their system in order to continue navigating the site," ScanSafe said in an e-mail. "When the bogus pop-up box appears, users have the option to click 'Cancel' or 'OK.' Regardless of which option they choose, destructive malware will be downloaded to the user’s computer."

InformationWeek could not actually load her site because our Web filter blocks the site as malicious.

ScanSafe says the malware has been detected on some 15,000 other Web sites. The company says it found a similar threat, a malicious ad, on Major League Baseball's MLB.com last week.

"Paris Hilton's site is currently compromised," said Mary Landesman, senior security researcher at ScanSafe, in a phone interview. "We first encountered it on [Jan. 9]. We don't know when it happened."

According to Landesman, there's an iFrame that has been embedded in the ParisHilton.com Web site. The iFrame calls out to a site hosting the malware, you69tube.com. It downloads a malicious PDF and attempts to force users into clicking and launching the PDF, which attempts to activate an exploit.

Because the malware tries to download additional files whether one clicks "Cancel" or "OK," Landesman says that only a hard quit -- CTRL+ALT+Delete -- of one's browser provides a way out.

It's not clear which exploits get launched. "These exploit frameworks generally include a cocktail of potential compromises," said Landesman. "The exploit being used appears to have been patched in November, but that has not been confirmed."

She said it wasn't clear how the iFrame got added to Paris Hilton's site, but she said it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports.

According to Landesman, only seven out of 38 antivirus products detect the malware.

Hilton's association with technology seems to invite attacks, even as cybercriminals are increasingly moving toward lower-profile schemes to escape scrutiny from law enforcement. In 2005, Hilton's Sidekick mobile phone was hacked, exposing private photographs and data. The teen responsible received an 11-month sentence in a juvenile facility.

In March 2008, a security researcher was able to bypass Facebook's privacy controls to access pictures of the hotel heiress, among others.

If celebrities and the demi-famous continue be targeted by cybercriminals, they may want to expand their entourages to include IT security pros. Landesman believes celebrities owe that much to their fans. "Their sites, because of their celebrity, are going to enjoy pretty heavy traffic. And they have an obligation to their fan base to keep it safe."

Editor's Note: Correspondents close to the Joomla community have contacted InformationWeek asserting that ParisHilton.com does not use the open-source content management system, as stated in the story. In a follow-up e-mail, Scansafe writes that their researcher Mary Landesman: noted that "it was impossible to tell where the exploit originated from, but that it was a possibility that it came from Joomla. Mary noted that we encountered some victims discussing the problem online who were questioning whether the ParisHilton.com malware was connected to Joomla." We have contacted ParisHilton.com for further information.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-3025
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

Best of the Web
Dark Reading Radio