Fans of online porn may have had their PCs compromised by a malvertising attack targeting a number of adult websites, including xhamster, which attracts close to half a billion monthly visits.
Researchers at Malwarebytes found a malicious advert for an application called ‘Sex Messenger’ was being distributed via the TrafficHaus ad network – a specialist advertising service for adult websites.
The advert was displayed often enough that Malwarebytes could even reproduce the infection in a lab environment, something which isn’t always possible when it comes to this type of threat.
“What allows us to differentiate it from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL),” said Segura. “We have observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM’s Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code.”
However, what is different is that the attackers check whether the web user is genuine, saving themselves time and effort.
“Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer,” he continued. “We notice the use of the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim’s system for particular security software, virtualization (Virtual Machines) and the Fiddler web debugger.
“These efforts ensure that only real users will get to see the exploit kit landing page therefore excluding honeypots and security researchers alike. It’s noteworthy that those checks – which used to be done at the exploit kit landing page level – are done at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic.”
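The checks Segura describes run inside the ad itself, so an ad network or publisher can triage creatives for that behaviour before they are served. The scanner below is an added example, not code from Malwarebytes, TrafficHaus or the advert in question. The names `scanAdScript` and `INDICATORS`, the verdict rules and the sample scripts are assumptions made for illustration, and the matched strings reflect the publicly documented shape of CVE-2013-7331 probing (the `Microsoft.XMLDOM` control loading a DTD from a `res://` location), not the contents of this particular ad.

```javascript
// Added example: heuristic scan of ad-creative JavaScript for the XMLDOM
// local-resource probe shape (CVE-2013-7331). Names and samples are constructed.
const INDICATORS = {
  xmldom_activex: /ActiveXObject\s*\(\s*["']Microsoft\.XMLDOM["']/i,
  res_probe: /<!DOCTYPE[^>]*SYSTEM\s*\\?["']res:\/\//i, // DTD pointing at a local res:// resource
  parse_error_check: /parseError\s*\.\s*errorCode/i,
};

// Undo two cheap obfuscations before matching: \xNN and \uNNNN escapes, and
// string literals split with "+" (for example "Micro" + "soft.XMLDOM").
function normalize(source) {
  const decode = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return source
    .replace(/\\x([0-9a-f]{2})/gi, decode)
    .replace(/\\u([0-9a-f]{4})/gi, decode)
    .replace(/(["'])\s*\+\s*\1/g, "");
}

// Verdict rules (assumption of this example): a res:// DTD probe together with
// the XMLDOM control is "fingerprinting"; a res:// probe alone is "review";
// XMLDOM parsing without a res:// probe is ordinary legacy code and stays "clean".
function scanAdScript(source) {
  const text = normalize(source);
  const hits = Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(text));
  let verdict = "clean";
  if (hits.includes("res_probe")) {
    verdict = hits.includes("xmldom_activex") ? "fingerprinting" : "review";
  }
  return { verdict, hits };
}

// Constructed sample creatives; the path is a placeholder, not a real indicator.
const SAMPLES = {
  banner: String.raw`document.getElementById("slot").src = "https://ads.example/banner.png";`,
  legacyXml: String.raw`var d = new ActiveXObject("Microsoft.XMLDOM");
d.loadXML("<feed><item/></feed>");
if (d.parseError.errorCode !== 0) { showFallback(); }`,
  probe: String.raw`var d = new ActiveXObject("Micro" + "soft.\x58MLDOM");
d.loadXML('<!DOCTYPE a SYSTEM "res://C:\\PLACEHOLDER\\file.ext">');
if (d.parseError.errorCode !== 0) { report(); }`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  const { verdict, hits } = scanAdScript(src);
  console.log(`${name}: ${verdict} [${hits.join(", ")}]`);
}
```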
Malwarebytes says TrafficHaus worked quickly to resolve the issue and the advertising network has confirmed to TechWeekEurope that the attack was stopped within 24 hours thanks to the help of Xhamster, which was alerted by a user.
TrafficHaus says it is still investigating, and believes that the attack originated from the Czech Republic and that the attack vector was unsecured Wi-Fi, as the company had visited a conference in the country.
A number of malvertising attacks have affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially adverts running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software.
Some have even turned to controversial ad-blockers to protect themselves against such attacks.
Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.
“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.”
TrafficHaus says it is more secure than many other systems on the Internet and that porn sites are not more dangerous than other services; it is simply that the shock value of this particular malvertising attack is higher given the content hosted on Xhamster.
UPDATED 28/09/2015 with comment from TrafficHaus
View Comments
Don't use xhamster but as somewhat of a paranoid person in regards to online safety, I was wondering if this attack was purely on Internet Explorer and if this attack actually downloads illegal content to your computer?
Every time I used sites like xHamster and Fapshows.com because I thought that they were very secure. After this scheme I don't think I will use this site because it can be hacked and take all the details from our accounts.