Paris Hilton’s official web site serving malware

Paris Hilton site infected with malwareThe official web site of Paris Hilton ( has been embedded with a malicious iFrame, automatically exposing visitors to client-side vulnerabilities and banker malware, according to researchers from ScanSafe. Upon closer analysis, it appears that the site has been infected on the 8th of January, Thursday, becoming the very latest legitimate site whose use of outdated web application software led to its exploitation.

Moreover, just like we’ve seen in previous related attacks, Hilton’s site compromise is a part of bigger malware campaign affecting several thousand sites, and is not being exclusively targeted.

Paris Hilton site infected with malwareA javascript embedded at the bottom of the site, is actually an iFrame that used to point to the now down you69tube .com/flvideo/.a/.t/index .php. Once the downloader is executed it attempts to download another binary from the same site, including configuration files from several other sites among which is The abuse and use of legitimate infrastructure as a foundation for the entire malicious campaign, is a common practice applied by cybercriminals these days. For instance, in this campaign not only is the official web site of a popular celebrity used to acquire the traffic, but also, another legitimate site is used as a dropzone for the configuration file of the banker malware.

Let’s discuss the attackers’ logic applied here. December’s massive SQL injection attack affecting thousands of Chinese web sites used as infection vectors serving the IE XML parsing zero day, is an example of the “long tail of SQL injected sites” versus targeted attacks against high profile sites. Basically, their mentality relies on the fact that not only would thousands of sites acquire more traffic than a high profile one, but also, that their campaign may live longer if they diversify instead of centralizing it by using a single high profile site despite the anticipated traffic that would come from it.

For the time being the malicious iFrame has been removed, and the malware campaign is in a cover-up phrase — they wish.

[Source: zdnet]