The Web site of Miami's Dolphin Stadium, which plays host to Super Bowl XLI on Sunday, was hacked between January 26 and 28, security company Websense reported, and until approximately 11 a.m. PST Friday was actively distributing a backdoor Trojan horse and password stealer. The attacker planted a link to a malicious JavaScript file, which exploited two patched Windows vulnerabilities, in the header of the site's front page. By Friday morning, the malicious site hosting the JavaScript file had been taken down, but the link remained in the stadium's site header. Users are advised to stay away from the URL.
"The 25th was the last date that we saw [the site] clean. Sometime between the 26th and the 28th was when we think the site's server was hacked. It's possible [the attackers] still have access to the server," says Dan Hubbard, Websense's head of research.