Researchers Shut Down Pornhub Scam Adverts That Affected Millions

Malicious adverts were displayed to millions of visitors to the popular adult site for more than a year, with filtering used to evade detection

A campaign that used online ads to place malware on the systems of millions of visitors to adult website Pornhub has been disabled, researchers said.

The KovCoreG group used ads placed through the TrafficJunky online adult advertising network to redirect users to scam sites, attempted to download and install the Kovter malware if users clicked on them.

Advanced filtering

The campaign was tightly focused, with ads being displayed only to users in the UK, the US, Australia and Canada, and further limited depending upon which ISP they used, said security firm Proofpoint in an advisory.

As a result it remained undetected for more than a year, and is believed to continue elsewhere, Proofpoint said.

The fake Firefox security alert. Credit: Proofpoint
The campaign’s fake Firefox security alert. Credit: Proofpoint

It said the malware was quickly removed by Pornhub and TrafficJunky once the companies were notified.

Yahoo was also found to be displaying the malicious ads on its main website,, but as of last week they appeared to have been removed, independent security site ExecuteMalware said.

Researchers said the campaign demonstrates a “dramatic decline” in the use of exploit kits over the past year, with KovCoreG instead relying on social engineering techniques – in this case, a scam posing as a security alert.

Do passwords have a future in cybersecurity?

View Results

Loading ... Loading ...

Social engineering

Exploit kits typically search a system for known vulnerabilities and then automatically exploit those holes without requiring user interaction, while social engineering techniques try to convince users to click on a link.

In this case, the malicious ads determined which browser the user was running, and then displayed different scam pages to different users.

Those running Chrome or Firefox were redirected to a page asking them to download a browser update, which in fact linked to a JavaScript file, and those running Internet Explorer or Edge were told to download a Flash update, which instead linked to an HTML application (HTA) executable.

The redirects surfaced automatically through ads displayed on Pornhub and caused the browser to display a full-page warning that appeared legitimate, researchers said.

The malicious files wouldn’t run unless the system passed the same filtering tests as the ad displays, meaning researchers couldn’t run them in a controlled environment, Proofpoint said.

Ad fraud

The files downloaded Kovter, which can be used to run various kinds of malicious code, including ransomware and information-stealers. In this case, it was used to generate fraudulent ad clicks.

hacking with a laptop in hotel room“Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals,” stated Proofpoint vice president of operations Kevin Epstein.

He said users could combat such problems by running security software.

“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” Epstein stated.

Last month researchers found scam malware displayed on Microsoft’s via Taboola, normally used to show paid web content.

That scam also relied on advanced filtering to evade detection, with authentic-looking content leading to a scam security alert.

Do you know all about security in 2017? Try our quiz!