Massive Malvertising Campaign Affects Millions of PornHub Users

Researchers at the security firm Proofpoint have uncovered a large-scale malvertising campaign that exposed millions of internet users in the United States, the UK and Canada to malware.

The campaign is run by the so-called KovCoreG group, known for distributing the Kovter ad-fraud malware. It has been active for more than a year and continues to appear on websites around the world. It first spread through PornHub, one of the most visited sites on the internet; given the site's Alexa rank of 38 worldwide and 21 in the US, the exposure that followed the abuse of the Traffic Junky advertising network could have been far greater.

Proofpoint researchers observed the chain across Google Chrome, Mozilla Firefox and Microsoft Edge/Internet Explorer. Malicious ads served through the network redirected Chrome and Firefox users to an attacker-controlled site that presented them with a fake browser update prompt.

Researchers stated:

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.

The chain used “several components including filtering and fingerprinting of the timezone, screen dimension, language (user/browser) history length of the current browser windows” and more, both to select visitors in the targeted regions and to avoid executing in analysis environments that do not look like a real victim's browser.
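To make the filtering step concrete, the following is an added illustration, not Proofpoint's code or the campaign's script, of how a gate built on the attributes listed above decides whether to continue. The target timezone and language lists, the screen-size thresholds and the reading of “history length” as `history.length` are assumptions chosen for the demo, not values taken from the campaign. The useful side of the exercise is defensive: the function reports every reason a visitor would be rejected, which tells an analyst what a detonation sandbox has to get right before it will ever see the payload stage.

```javascript
// Added example of fingerprint-based gating in a malvertising chain.
// Lists and thresholds below are ASSUMPTIONS for illustration only; they are
// not the criteria used by the KovCoreG campaign.

const TARGET_TIMEZONES = new Set([
  "America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles",
  "America/Toronto", "America/Vancouver", "Europe/London",
]);
const TARGET_LANGUAGES = new Set(["en-US", "en-GB", "en-CA"]);
const MIN_SCREEN_WIDTH = 1024;   // assumed: smaller screens treated as headless/VM defaults
const MIN_SCREEN_HEIGHT = 700;

// Snapshot the attributes the filter looks at. In a browser this reads the real
// globals; under Node there is no window, so the caller constructs the object.
function collectEnvironment(win = (typeof window !== "undefined" ? window : null)) {
  if (!win) return null;
  return {
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    screenWidth: win.screen.width,
    screenHeight: win.screen.height,
    language: win.navigator.language,
    historyLength: win.history.length, // assumed reading of "history length"
  };
}

// Apply each filter and return every reason the visitor would be rejected.
// An empty array means the chain would proceed to the next stage.
function evaluateGate(env) {
  const reasons = [];
  if (!TARGET_TIMEZONES.has(env.timeZone)) {
    reasons.push(`timezone ${env.timeZone} is outside the targeted regions`);
  }
  if (env.screenWidth < MIN_SCREEN_WIDTH || env.screenHeight < MIN_SCREEN_HEIGHT) {
    reasons.push(`screen ${env.screenWidth}x${env.screenHeight} looks like a VM default`);
  }
  if (!TARGET_LANGUAGES.has(env.language)) {
    reasons.push(`language ${env.language} is not a targeted locale`);
  }
  if (env.historyLength <= 1) {
    // A real victim arrives via an ad click, so the tab already has history.
    reasons.push("history.length <= 1: page opened directly rather than via an ad");
  }
  return reasons;
}

function wouldServePayload(env) {
  return evaluateGate(env).length === 0;
}

// Constructed sample environments (not captured data).
const realisticVisitor = {
  timeZone: "America/New_York", screenWidth: 1920, screenHeight: 1080,
  language: "en-US", historyLength: 4,
};
const bareSandbox = {
  timeZone: "Etc/UTC", screenWidth: 800, screenHeight: 600,
  language: "en-US", historyLength: 1,
};

for (const [name, env] of [["realistic visitor", realisticVisitor], ["bare sandbox", bareSandbox]]) {
  const reasons = evaluateGate(env);
  console.log(`${name}: ${reasons.length === 0 ? "payload served" : "rejected"}`);
  for (const r of reasons) console.log(`  - ${r}`);
}
```

Run under Node to see the two verdicts; in a browser, `evaluateGate(collectEnvironment())` reports how the current profile would fare. The practical lesson is that a sandbox opened straight onto the landing URL in a small default-resolution VM set to UTC fails several checks at once, which is exactly why such chains go undocumented for long stretches.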

Proofpoint also found that the JavaScript served to Chrome users includes a component that calls back to an attacker-controlled server before the payload is delivered. Because the script depends on that live exchange, it cannot simply be captured and replayed, which had kept this stage of the infection chain from being analysed.

“This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment,” Proofpoint researchers explained. “This is most likely why this component of the chain has not been documented previously.”

“It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification,” researchers added.

Image credit: LIFARS archives.