Malvertising Attack Targets Xhamster Porn Site

Fans of online porn may have had their PCs compromised by a malvertising attack targeting a number of adult websites, including xhamster, which attracts close to half a billion monthly visits.

Researchers at Malwarebytes found a malicious advert for an application called ‘Sex Messenger’ was being distributed via the TrafficHaus ad network – a specialist advertising service for adult websites.

The advert was displayed often enough that Malwarebytes could even reproduce the infection in a lab environment, something which isn’t always possible when it comes to this type of threat.


Xhamster attack

Jerome Segura, senior security researcher at the firm, said the evidence suggested it was part of a similar SSL malvertising campaign that has targeted advert networks on MSN and Yahoo recently.

“What allows us to differentiate it from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL),” said Segura. “We have observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM’s Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code.”

However, what is different is that the attackers check whether the web user is genuine, saving themselves time and effort.

No wasted time

“Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer,” he continued. “We notice the use of the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim’s system for particular security software, virtualization (Virtual Machines) and the Fiddler web debugger.

“These efforts ensure that only real users will get to see the exploit kit landing page therefore excluding honeypots and security researchers alike. It’s noteworthy that those checks – which used to be done at the exploit kit landing page level – are done at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic.”

Malwarebytes says TrafficHaus worked quickly to resolve the issue and the advertising network has confirmed to TechWeekEurope that the attack was stopped within 24 hours thanks to the help of Xhamster, which was alerted by a user.

TrafficHaus says it is still investigating. It believes the attack originated from the Czech Republic and that the attack vector was unsecured Wi-Fi, as the company had visited a conference in the country.

A number of malvertising attacks have affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially adverts running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software.

Some have even turned to controversial ad-blockers to protect themselves against such attacks.

Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.

“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.”

TrafficHaus says it is more secure than many other systems on the Internet and that porn sites are not more dangerous than other services; the shock value of this particular malvertising attack is simply higher given the content hosted on Xhamster.

UPDATED 28/09/2015 with comment from TrafficHaus


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Comments

  • Don't use xhamster but as somewhat of a paranoid person in regard to online safety, I was wondering if this attack was purely on Internet Explorer and if this attack actually downloads illegal content to your computer?

  • Every time I used sites like xHamster and Fapshows.com because I thought that they were very secure. After this scheme I don't think I will use this site because it can be hacked and take all the details from our accounts.
