Categories: Security

Researchers Shut Down Pornhub Scam Adverts That Affected Millions

A campaign that used online ads to place malware on the systems of millions of visitors to adult website Pornhub has been disabled, researchers said.

The KovCoreG group used ads placed through the TrafficJunky online adult advertising network to redirect users to scam sites, attempted to download and install the Kovter malware if users clicked on them.

Advanced filtering

The campaign was tightly focused, with ads being displayed only to users in the UK, the US, Australia and Canada, and further limited depending upon which ISP they used, said security firm Proofpoint in an advisory.

As a result it remained undetected for more than a year, and is believed to continue elsewhere, Proofpoint said.

The campaign’s fake Firefox security alert. Credit: Proofpoint

It said the malware was quickly removed by Pornhub and TrafficJunky once the companies were notified.

Yahoo was also found to be displaying the malicious ads on its main website, yahoo.com, but as of last week they appeared to have been removed, independent security site ExecuteMalware said.

Researchers said the campaign demonstrates a “dramatic decline” in the use of exploit kits over the past year, with KovCoreG instead relying on social engineering techniques – in this case, a scam posing as a security alert.

Loading ...

Social engineering

Exploit kits typically search a system for known vulnerabilities and then automatically exploit those holes without requiring user interaction, while social engineering techniques try to convince users to click on a link.

In this case, the malicious ads determined which browser the user was running, and then displayed different scam pages to different users.

Those running Chrome or Firefox were redirected to a page asking them to download a browser update, which in fact linked to a JavaScript file, and those running Internet Explorer or Edge were told to download a Flash update, which instead linked to an HTML application (HTA) executable.

The redirects surfaced automatically through ads displayed on Pornhub and caused the browser to display a full-page warning that appeared legitimate, researchers said.

The malicious files wouldn’t run unless the system passed the same filtering tests as the ad displays, meaning researchers couldn’t run them in a controlled environment, Proofpoint said.

Ad fraud

The files downloaded Kovter, which can be used to run various kinds of malicious code, including ransomware and information-stealers. In this case, it was used to generate fraudulent ad clicks.

“Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals,” stated Proofpoint vice president of operations Kevin Epstein.

He said users could combat such problems by running security software.

“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” Epstein stated.

Last month researchers found scam malware displayed on Microsoft’s MSN.com via Taboola, normally used to show paid web content.

That scam also relied on advanced filtering to evade detection, with authentic-looking content leading to a scam security alert.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

The Netherlands To Spend Billions To Retain ASML Operations

Dutch government will spend 2.5 billion euros ($2.7 billion) to improve infrastructure in Eindhoven, to…

14 hours ago

Smartphone Shipments To Rebound In 2024, Says Counterpoint

Relief for Apple, Samsung etc after smartphone shipments are predicted to recover in 2024, as…

15 hours ago

Ericsson To Cut 1,200 Jobs in Sweden Amid ‘Challenging’ Market

Swedish telecoms giant Ericsson blamed “challenging mobile networks market” and “further volume contraction” for job…

1 day ago

FTX’s Sam Bankman-Fried Sentenced To 25 Years In Prison For $8bn Fraud

Dramatic downfall. Sam Bankman-Fried sentenced to 25 years in prison for masterminding $8bn fraud that…

2 days ago

Elon Musk Orders FSD Demo For Every Tesla US Sale

Fallout avoidance? Tesla buyers in the US must be shown how to use the FSD…

2 days ago