Attackers continue hitting pornography sites with malware
Researchers of cybersecurity firm Proofpoint have newly discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.
Active for more than a year and still ongoing, the campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing the Kovter malware that was used in malicious ad campaigns in 2015 and, most recently, earlier in 2017.
The KovCoreG hacking group initially took advantage of P0rnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.
According to the Proofpoint researchers, the infections in this attack first appeared on P0rnHub web pages via a legitimate advertising network called Traffic Junky, which was abused to trick users into installing the Kovter malware on their systems.
Among other malicious things, the Kovter malware is known for its unique persistence mechanism, allowing the malware to load itself after every reboot of the infected host.
The Traffic Junky advertising network redirected users to a malicious website, where Chrome and Firefox users were shown a fake browser update window, while Internet Explorer and Edge users were shown a fake Flash update.
“The [infection] chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network,” Proofpoint writes.
In this case, the attackers limited their campaign to click fraud to generate illicit revenue, but Proofpoint researchers believe the malware could easily be modified to spread ransomware, information-stealing Trojans, or any other malware.
Both P0rnHub and Traffic Junky, according to the researchers, “acted swiftly to remediate this threat upon notification.”
Although this particular infection chain was successfully shut down after the site operator and ad network were notified, the malware campaign is still ongoing elsewhere.