Cyber Incident Victim: Jamie Oliver
Date: Mar 2015
Location: United Kingdom
Summary
The Jamie Oliver website suffered two separate malware infections that compromised visitors running vulnerable browsers: the injected code installed the Dorkbot.ED trojan, which stole login credentials and other sensitive data, blocked security updates, and turned infected machines into a platform for further attacks. Security firms identified both breaches and noted that the high-traffic site was a lucrative target. Although administrators promptly cleaned the infection each time, forensic analysis suggested either incomplete removal of the malicious code or persistent vulnerabilities that allowed reinfection. The incidents underscored the risks posed by compromised servers and highlighted the attackers' ability to retain access despite remediation efforts.
Description
The Jamie Oliver website experienced two separate malware infections in early 2015, both involving unauthorized malicious code injections. The initial compromise occurred in mid-February, with administrators promptly removing the threat after notification. Security firms Fox-IT and Malwarebytes independently discovered a second infection beginning March 5, where attackers inserted malicious scripts into the site's core pages. The malware specifically targeted visitors using outdated Internet Explorer browsers with unpatched Java and Flash plugins, exploiting these vulnerabilities to install the Dorkbot.ED virus. This malware operated as an information-stealing trojan, harvesting login credentials, passwords, and other sensitive data entered by users. Additionally, Dorkbot.ED disabled security updates on infected machines and transformed them into proxies for launching further cyberattacks. The cooking website's substantial traffic of approximately 10 million monthly visitors significantly amplified the attack's potential impact, with Fox-IT describing the platform as a "goldmine" for data theft.

Jamie Oliver's team confirmed both security incidents and implemented cleanup measures to remove the malicious code after each detection, declaring the site safe following remediation. The organization initiated a forensic audit after the second breach to investigate the root causes. Security analysts observed similarities between the two infections, suggesting either incomplete removal of the initial compromise or persistent vulnerabilities in the website's server software or content management system. Fox-IT detected the March infection through security monitoring systems deployed for Dutch corporate clients, tracing malicious activity back to the cooking site. Malwarebytes noted the recurrence highlighted common challenges in fully eradicating compromises, as attackers often retain backdoor access through residual components. No additional technical specifics regarding the forensic audit findings or long-term consequences for affected users were disclosed in the available reports.
