October 11, 2017 by

Massive Malvertising Campaign Affects Millions of PornHub Users

Cybersecurity researchers from industry firm Proofpoint have discovered a massive malvertising campaign that has left millions of internet users from the United States, the UK and Canada vulnerable to malware infections.

A large-scale malvertising campaign by the so-called KovCoreG group, infamous for distributing the Kovter ad fraud malware, has been running for over a year and continues to spread across websites around the world. The campaign began on PornHub, one of the world’s most popular websites: with a global Alexa ranking of 38 and a US ranking of 21, the site’s reach meant the spread of the infection could have been a lot worse following the compromise of the Traffic Junky advertising network.

Proofpoint researchers studied the malware on multiple browsers, namely: Google Chrome, Mozilla Firefox and Microsoft Edge/Internet Explorer. The compromised advertising network redirected Firefox and Chrome users to a malicious website where visitors were met with a fake browser update window.

Researchers stated:

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network.

The developers of the malware used “several components including filtering and fingerprinting of the timezone, screen dimension, language (user/browser), history length of the current browser windows” and more to target vulnerable users while evading analysis.
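The only indicator the article names is the redirect host avertizingms[.]com, published in the defanged form researchers use. The following is an added example, not code from Proofpoint, LIFARS or the campaign itself: it refangs such an indicator and scans proxy log lines for requests to that domain or any of its subdomains, which is the first check a defender would run to find users who passed through the redirect. The Squid-style log format, the client addresses and the log lines are all constructed for the example.

```python
import re

# Indicator as quoted on the page, in defanged form.
DEFANGED_IOCS = ["avertizingms[.]com"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator domain or one of its subdomains.

    Suffix matching is anchored on a dot so that a lookalike such as
    'notavertizingms.com' is not reported as a hit.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Assumed Squid-style access log layout (constructed for this example):
# <epoch> <elapsed_ms> <client_ip> <status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def scan_proxy_log(lines, defanged_iocs=DEFANGED_IOCS):
    """Return one hit record per log line whose URL host matches an indicator."""
    domains = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        host_m = HOST_RE.match(m.group("url"))
        if not host_m:
            continue  # e.g. CONNECT lines that carry host:port instead of a URL
        host = host_m.group(1)
        for domain in domains:
            if host_matches(host, domain):
                hits.append({
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "host": host,
                    "ioc": domain,
                })
    return hits


# Constructed sample log: two requests from one client reach the redirect
# domain (one via a subdomain), one benign request, and one lookalike domain.
SAMPLE_LOG = [
    "1507680000.123 45 10.0.0.5 TCP_MISS/302 512 GET http://avertizingms.com/redirect - HIER_DIRECT/198.51.100.7 text/html",
    "1507680001.456 30 10.0.0.5 TCP_MISS/200 2048 GET https://cdn.avertizingms.com/ad.js - HIER_DIRECT/198.51.100.7 application/javascript",
    "1507680002.789 12 10.0.0.9 TCP_HIT/200 1024 GET https://www.example.com/ - HIER_NONE/- text/html",
    "1507680003.000 12 10.0.0.9 TCP_MISS/200 1024 GET https://notavertizingms.com/ - HIER_DIRECT/203.0.113.4 text/html",
]


def affected_clients(lines=SAMPLE_LOG):
    """Distinct client addresses that contacted an indicator host."""
    return sorted({h["client"] for h in scan_proxy_log(lines)})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print("clients to triage:", affected_clients())
```

Running the block against the constructed log reports the two requests from 10.0.0.5 and leaves the benign and lookalike lines alone; the list of affected clients is the starting point for checking those hosts for the fake browser update the campaign delivered.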

Proofpoint researchers also found that a JavaScript component served to Chrome users called back to a server controlled by the attackers. That dependency on the attackers’ server prevented security researchers from reconstructing the infection chain in isolation.

“This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment,” Proofpoint researchers explained. “This is most likely why this component of the chain has not been documented previously.”

“It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification,” researchers added.

Image credit: LIFARS archives.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
