Categories: Security

Researchers Shut Down Pornhub Scam Adverts That Affected Millions

A campaign that used online ads to place malware on the systems of millions of visitors to adult website Pornhub has been disabled, researchers said.

The KovCoreG group used ads placed through the TrafficJunky online adult advertising network to redirect users to scam sites, attempted to download and install the Kovter malware if users clicked on them.

Advanced filtering

The campaign was tightly focused, with ads being displayed only to users in the UK, the US, Australia and Canada, and further limited depending upon which ISP they used, said security firm Proofpoint in an advisory.

As a result it remained undetected for more than a year, and is believed to continue elsewhere, Proofpoint said.

The campaign’s fake Firefox security alert. Credit: Proofpoint

It said the malware was quickly removed by Pornhub and TrafficJunky once the companies were notified.

Yahoo was also found to be displaying the malicious ads on its main website, yahoo.com, but as of last week they appeared to have been removed, independent security site ExecuteMalware said.

Researchers said the campaign demonstrates a “dramatic decline” in the use of exploit kits over the past year, with KovCoreG instead relying on social engineering techniques – in this case, a scam posing as a security alert.

Loading ...

Social engineering

Exploit kits typically search a system for known vulnerabilities and then automatically exploit those holes without requiring user interaction, while social engineering techniques try to convince users to click on a link.

In this case, the malicious ads determined which browser the user was running, and then displayed different scam pages to different users.

Those running Chrome or Firefox were redirected to a page asking them to download a browser update, which in fact linked to a JavaScript file, and those running Internet Explorer or Edge were told to download a Flash update, which instead linked to an HTML application (HTA) executable.

The redirects surfaced automatically through ads displayed on Pornhub and caused the browser to display a full-page warning that appeared legitimate, researchers said.

The malicious files wouldn’t run unless the system passed the same filtering tests as the ad displays, meaning researchers couldn’t run them in a controlled environment, Proofpoint said.

Ad fraud

The files downloaded Kovter, which can be used to run various kinds of malicious code, including ransomware and information-stealers. In this case, it was used to generate fraudulent ad clicks.

“Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals,” stated Proofpoint vice president of operations Kevin Epstein.

He said users could combat such problems by running security software.

“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” Epstein stated.

Last month researchers found scam malware displayed on Microsoft’s MSN.com via Taboola, normally used to show paid web content.

That scam also relied on advanced filtering to evade detection, with authentic-looking content leading to a scam security alert.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Meta Adds ‘Live AI’ To Ray-Ban Smart Glasses

Facebook parent Meta adds AI voice chat, live translation to Ray-Ban Meta smart glasses as…

2 hours ago

US Senate Criticises Amazon Over Warehouse Safety

Senate study finds Amazon did not implement protections recommended by internal studies over risk they…

2 hours ago

US Lawmaker Calls For Drone Detection Tech After Runway Closure

US senate majority leader calls for federal deployment of drone detection technology after drone sightings…

3 hours ago

TikTok Shop US Sales Surpass Shein, Sephora

After launching in September 2023, TikTok Shop rises to broad popularity with US sales surpassing…

3 hours ago

China Chip Investment Plummets Amidst US Restrictions

Investment in China's semiconductor industry falls by one-third this year as US tightens restrictions, state…

4 hours ago

Bitcoin Hits New High Over $107,000 On Trump Comments

Bitcoin surges more than 5 percent after Trump reaffirms plans for national strategic crypto reserve,…

4 hours ago