The website for Just For Men, the popular hair and beard dye brand, was serving password-stealing malware to visitors of its homepage, security researchers at Malwarebytes have found.
The campaign used a Flash file to redirect visitors to an exploit kit, which in turn dropped malware that logs the victim's keystrokes. Keystroke data of that kind is typically sent back to the operators, who can then harvest credentials such as online banking logins from it.
The attackers delivered the malware through the RIG exploit kit, which recently overtook the Neutrino exploit kit as the most widely used exploit kit among cybercriminals.
"Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan. In this particular attack chain we can see that the homepage of justformen.com has been injected with obfuscated code. It belongs to the EITest campaign and this gate is used to perform the redirection to the exploit kit. EITest is easy to recognise (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism," said Malwarebytes researcher Jerome Segura.
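To show what a first check for this kind of injection looks like, here is an added example; it is not Malwarebytes' detection code and not a signature for EITest, whose URL patterns the article does not give. The script parses a fetched homepage and flags two things the quote above describes: object/embed (Flash) references that point to a host outside an assumed allowlist, and inline scripts carrying obfuscation markers, long runs of hex escapes, or unusually high character entropy. The trusted host list, the two sample pages and the entropy threshold are assumptions made for the example.

```python
"""Added example: heuristic scan of fetched HTML for injected Flash gates and
obfuscated inline scripts. Hosts, sample pages and thresholds are assumptions
for illustration, not signatures for any real campaign."""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately serves plugin content from.
TRUSTED_HOSTS = {"www.justformen.com", "justformen.com"}

# Generic markers common in obfuscated injections; not specific to any campaign.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# Eight or more consecutive \xNN or %NN escapes: a payload decoded at runtime.
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){8,}")


def shannon_entropy(text: str) -> float:
    """Bits per character. Ordinary JS sits around 4-4.5; packed blobs run higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class _Collector(HTMLParser):
    """Collect object/embed/param targets and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.embed_refs = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("object", "embed"):
            self.embed_refs += [a[k] for k in ("data", "src") if a.get(k)]
        elif tag == "param" and a.get("name", "").lower() in ("movie", "src") and a.get("value"):
            self.embed_refs.append(a["value"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._buf))
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_external(url: str) -> bool:
    """Relative URLs have no host and are treated as first-party."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in TRUSTED_HOSTS


def scan_html(html: str, entropy_threshold: float = 5.0):
    """Return (kind, detail) findings; an empty list means nothing looked injected."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for ref in dict.fromkeys(p.embed_refs):  # dedupe, keep order
        if _is_external(ref):
            findings.append(("external_embed", ref))
    for body in p.scripts:
        if (any(m in body for m in OBFUSCATION_MARKERS)
                or HEX_ESCAPE_RUN.search(body)
                or shannon_entropy(body) > entropy_threshold):
            findings.append(("obfuscated_script", body.strip()[:60]))
    return findings


# Constructed sample pages (not captures from justformen.com).
CLEAN_PAGE = """<html><head><script src="/wp-content/themes/x/site.js"></script>
<script>window.onload = function () { showBanner(); };</script></head>
<body><embed src="/media/promo.swf" type="application/x-shockwave-flash"></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script>eval(unescape("%3c%6f%62%6a%65%63%74%20%64%61%74%61%3d%22%68%74%74%70%3a"))</script>
<object data="http://gate.example.net/swf/loader.swf" type="application/x-shockwave-flash">
<param name="movie" value="http://gate.example.net/swf/loader.swf"></object></body>""")


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page) or "no findings")
```

Run as a script it reports nothing for the clean page and two findings for the injected one: the third-party Flash object and the `eval(unescape(...))` block. The heuristics are deliberately loose; a site that legitimately uses `document.write` or a CDN for its media will need those hosts and markers adjusted before the output is worth alerting on.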
The EITest campaign, first reported in October 2014, has used the same Flash-based redirection on the compromised websites of various organisations, including the Department of Statistics at Carnegie Mellon University.
Segura said: "We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed." He added that Combe acted quickly on the site's security: the site has since been updated to run the latest version of WordPress and is no longer believed to be compromised.
"We see a lot of compromised websites every day, but when we see a big brand name we look more closely," Segura told Vocativ. "If I go to somebody's blog and they don't take security seriously and their blog is unpatched, it's just some unknown user. But when it's a brand name you expect them to have it in check, and up to date and secure."