BBC6 and another Lush site hacked


[Update: the BBC Radio 6 issue is now confirmed by WebSense (apologies for misattributing it earlier!), who have more detail here, and note that areas of the BBC 1Xtra radio station Web site are also affected.]

I hear from ESET colleagues in the UK that the BBC's Radio 6 homepage (one of the Beeb's music stations) is currently afflicted by a malicious link, detected by ESET's products as HTML/Iframe.B.Gen. The link is to a site flagged by a number of other resources as carrying malware.

The BBC have been informed, but at the time of writing the page was still compromised, and I'm in the process of finding a more direct contact.

Jonathan Deane also pointed me (I'm at RSA and not connected to the Internet most of the time) to an announcement at indicating that Lush's Australian and New Zealand web pages have been compromised, suggesting that customer data may have been stolen, and advising anyone who's placed an online order with the company to check with their bank to see if they should cancel their credit card. While the UK and antipodean sites aren't directly connected, it appears they've been similarly targeted.

ESET Senior Research Fellow

Author David Harley, ESET

  • Matthew Mors

    Hello David,
    The BBC Radio 6 exploit was discovered by Websense Security Labs. You have the link correct, but list the wrong company in the update.

    • David Harley

      Ouch! Thanks for pointing out that typo, Matthew.
