PornHub Users Attacked with Advertising Malware in a Year-Long Attack

Millions of PornHub users have been infected with advertising malware by cyber crooks ‘in a year-long attack’. Reports say that the attack, using the Kotver malware, could have been used by the hackers to deliver more malicious ransomware or information gathering malware.

Tim Collins of Mail Online reports-“PornHub users may be looking over their shoulders for another reason, after news emerged that cybercriminals have been targeting the website…Millions of visitors to the site may have been exposed to the Kotver malware, which generates revenue by clicking on ads in the background, with users left oblivious…Know as a ‘malvertising’ attack, it could have easily delivered more malicious ransomware or information gathering software instead.”

Security researchers at cyber security firm Proofpoint were the first the detect the malware strike. A report published by Proofpoint on October 6 says, “Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely. “

Proofpoint says that the attack affected millions of people in the US, the UK, Canada and Australia and has been going on for over a year. The report states- ” This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.”

Hackers use a very clever trick to dupe victims into downloading the malware into their system. A fake update screen, believed to be genuine by the user, is used to cause the infection. The fake update screen, stating that it’s a ‘Critical Chrome Update’ or ‘Critical Firefox Update’, or telling the user that his flash player may be out of data and an update is needed, makes the user go for installing the “update”. This leads to their systems being infected by the virus.

The campaign, which appeared on PornHub and used the Traffic Junkey advertising network, was brought to the notice of both PornHub and Traffic Junkey, and they acted fast. Proofpoint reports, “The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.”

The Proofpoint report, after discussing the details of the campaign, concludes by stating, “The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers. Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. “