Pop-Under Malvertising Attack Hits Adult And Streaming Sites With Ransomware

Dodgy ads install CryptoWall ransomware on PCs with out of date Flash plug-ins in latest malvertising attack

Pop-up and pop-under adverts have been plaguing web users for years now, but if you’re visiting certain types of sites, they could be pretty dangerous too.

Security firm Malwarebytes has uncovered another malvertising attack, this time affecting mainly adult and video streaming sites, which infects users with ransomware via a dodgy pop-under window.

Pop-under adverts are essentially the same as Popups, expect, as the name suggests, they hide behind the main browser window until the user manually closes them. This particular attack, carried out through the PopAds advertising network, uses the Magnitude Exploit Kit to install CryptoWall on vulnerable machines running out of date versions of Adobe Flash.


Malware-1024x1019It is important to note that the websites displaying the malicious adverts are not themselves infected, but attackers have instead been able to upload dodgy creatives to the network serving up advertising.

The attack appears to be targeting European users, with 14.3 percent of infections taking place in Spain and 11.4 percent in each of France, Netherlands and Poland. The UK does not appear to have been significantly affected.

Malwarebytes says it has informed PopAds in the hope it can shut down the campaign, but until then, it recommends users keep web plugins updated or even consider uninstalling Flash altogether.

PopAds told TechWeekEurope it had been notified of the campaign and had since blocked several accounts.

A number of Malvertising attacks have previously affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software. Some have even turned to controversial ad-blockers to protect themselves against such attacks.

Many malvertising attacks have focused on adult websites, but experts do not believe pornographic destinations are any more dangerous than other, more trusted brands.

“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” Segura told TechWeekEurope last year. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.”

What do you know about Internet security? Find out with our quiz!