The website of Jamie Oliver has been found to be harbouring malicious software for a second time.
Two security companies have independently found evidence that hackers put malicious code on the site.
Anyone visiting using a vulnerable browser risks losing login names, passwords and other data, said the security firms.
A spokesman for Jamie Oliver confirmed the site had been hit and said it had now been cleaned up.
“We have taken measures to clear the offending code and the site is now safe to visit,” said the spokesman. “We are now running a forensic audit to find out more information.”
The site first fell victim to hackers in mid-February and that breach was quickly cleaned up after administrators were told about the problem.
However, said Maarten van Dantzig from Fox-IT, cyber-thieves have returned to the site and planted the virus in the main part of the page.
“We are wondering if it has been compromised in other ways,” he said.
Anyone visiting the site using the Internet Explorer browser that did not have up-to-date plug-ins for Java and Flash would be infected, he said.
The malicious code lurking on the site helps to install a virus called Dorkbot.ED on compromised machines. The virus watches what people do online and grabs copies of any login or password information. It also blocks security updates and can use victims’ machines as proxies for other web attacks.
The Jamie Oliver website is visited by about 10 million people per month. Mr van Dantzig said a high-traffic site like this was a “goldmine” for cyber-thieves.
Jerome Segura from Malwarebytes said the second infection was similar to the first one seen on the site.
“This leads us to believe this is the same infection that was not completely removed or perhaps that a vulnerability with the server software or Content Management System still exists,” he said.
He said it was “quite common” for servers that have been hacked once to retain vestiges of the infection that attackers can use to keep re-infecting a site.
Mr van Dantzig said his company spotted the infection via security monitoring systems it runs for several large Dutch companies. It traced the source of one infection back to the cooking website and found other records which suggest the malware had been present since 5 March.