A campaign that used online ads to place malware on the systems of millions of visitors to adult website Pornhub has been disabled, researchers said.
The KovCoreG group used ads placed through the TrafficJunky online adult advertising network to redirect users to scam sites, attempted to download and install the Kovter malware if users clicked on them.
The campaign was tightly focused, with ads being displayed only to users in the UK, the US, Australia and Canada, and further limited depending upon which ISP they used, said security firm Proofpoint in an advisory.
As a result it remained undetected for more than a year, and is believed to continue elsewhere, Proofpoint said.
It said the malware was quickly removed by Pornhub and TrafficJunky once the companies were notified.
Yahoo was also found to be displaying the malicious ads on its main website, yahoo.com, but as of last week they appeared to have been removed, independent security site ExecuteMalware said.
Researchers said the campaign demonstrates a “dramatic decline” in the use of exploit kits over the past year, with KovCoreG instead relying on social engineering techniques – in this case, a scam posing as a security alert.
Exploit kits typically search a system for known vulnerabilities and then automatically exploit those holes without requiring user interaction, while social engineering techniques try to convince users to click on a link.
In this case, the malicious ads determined which browser the user was running, and then displayed different scam pages to different users.
Those running Chrome or Firefox were redirected to a page asking them to download a browser update, which in fact linked to a JavaScript file, and those running Internet Explorer or Edge were told to download a Flash update, which instead linked to an HTML application (HTA) executable.
The redirects surfaced automatically through ads displayed on Pornhub and caused the browser to display a full-page warning that appeared legitimate, researchers said.
The malicious files wouldn’t run unless the system passed the same filtering tests as the ad displays, meaning researchers couldn’t run them in a controlled environment, Proofpoint said.
The files downloaded Kovter, which can be used to run various kinds of malicious code, including ransomware and information-stealers. In this case, it was used to generate fraudulent ad clicks.
He said users could combat such problems by running security software.
“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” Epstein stated.
Last month researchers found scam malware displayed on Microsoft’s MSN.com via Taboola, normally used to show paid web content.
That scam also relied on advanced filtering to evade detection, with authentic-looking content leading to a scam security alert.
Do you know all about security in 2017? Try our quiz!
Facebook parent Meta adds AI voice chat, live translation to Ray-Ban Meta smart glasses as…
Senate study finds Amazon did not implement protections recommended by internal studies over risk they…
US senate majority leader calls for federal deployment of drone detection technology after drone sightings…
After launching in September 2023, TikTok Shop rises to broad popularity with US sales surpassing…
Investment in China's semiconductor industry falls by one-third this year as US tightens restrictions, state…
Bitcoin surges more than 5 percent after Trump reaffirms plans for national strategic crypto reserve,…