Dolphins’ Web sites hacked in advance of Super Bowl

The Web sites of the Miami Dolphins and Dolphin Stadium, host to Sunday’s Super Bowl football game, have been hacked, and malicious code on those sites has been attempting to infect PCs for at least a week, security experts said Friday.

The breach on the stadium site was discovered by Websense’s automated tools on Jan. 26, but the engineers at the company were not alerted to the problem until this week, when Websense customers complained that they were unable to visit the site.

The www.dolphinsstadium.com and www.miamidolphins.com sites are affected by the attack, as are mirror copies of those sites, such as www.proplayerstadium.com. Security experts strongly advise Web surfers to avoid these sites until the compromise is contained.

“If you go to the [Dolphins’] Super Bowl Web site with a Web browser that’s not running the latest and greatest patches from Microsoft, you could get exploited,” said Dan Hubbard, Websense’s senior director of security and technology research.

Miami Dolphins spokesman George Torres said that the matter is being investigated.

The Indianapolis Colts face the Chicago Bears in the National Football League’s championship game, one of the most anticipated sporting events of the year in the U.S.

The Dolphins’ sites serve up malicious JavaScript code that exploits two known Windows vulnerabilities, Hubbard said. It then attempts to connect with a second Web server that installs a Trojan downloader and a password stealing program on the victim’s computer. The Trojan program lets the attackers install malicious software at a later date, he said.

The Web sites that downloaded the malicious software are based in China and were operating on and off on Friday morning, according to Roger Thompson, chief technology officer with Exploit Prevention Labs

The Microsoft flaws that were exploited by hackers on the sites were both patched by October, but the breach is significant, Thompson said.

“It’s a pretty big deal,” he said via instant message. “A lot of people check out football stuff at work, and I bet lots of companies are not patched, even through October.”

The NFL’s Superbowl.com Web site is not affected by the hack, Thompson said.

Websense published an alert on the hack Friday morning, after first notifying the Miami Dolphins, Hubbard said.