Fans of online porn may have had their PCs compromised by a malvertising attack targeting a number of adult websites, including xhamster, which attracts close to half a billion monthly visits.
Researchers at Malwarebytes found a malicious advert for an application called ‘Sex Messenger’ was being distributed via the TrafficHaus ad network – a specialist advertising service for adult websites.
The advert was displayed often enough that Malwarebytes could even reproduce the infection in a lab environment, something which isn’t always possible when it comes to this type of threat.
“What allows us to differentiate it from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL),” said Segura. “We have observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM’s Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code.”
However, what is different is that the attackers check whether the web user is genuine, saving themselves time and effort.
“Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer,” he continued. “We notice the use of the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim’s system for particular security software, virtualization (Virtual Machines) and the Fiddler web debugger.
“These efforts ensure that only real users will get to see the exploit kit landing page therefore excluding honeypots and security researchers alike. It’s noteworthy that those checks – which used to be done at the exploit kit landing page level – are done at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic.”
Malwarebytes says TrafficHaus worked quickly to resolve the issue and the advertising network has confirmed to TechWeekEurope that the attack was stopped within 24 hours thanks to the help of Xhamster, which was alerted by a user.
TrafficHaus says it is still investigating. It believes the attack originated from the Czech Republic and that the attack vector was unsecured Wi-Fi, as the company had visited a conference in the country.
A number of malvertising attacks have affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially adverts running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software.
Some have even turned to controversial ad-blockers to protect themselves against such attacks.
Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.
“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.”
TrafficHaus says it is more secure than many other systems on the Internet and that porn sites are not more dangerous than other services; it is simply that the shock value of this particular malvertising attack is higher given the content hosted on Xhamster.
UPDATED 28/09/2015 with comment from TrafficHaus
View Comments
Don't use xhamster, but as somewhat of a paranoid person in regards to online safety, I was wondering if this attack was purely on Internet Explorer and if this attack actually downloads illegal content to your computer?
Every time I used sites like xHamster and Fapshows.com because I thought that they were very secure. After this scheme I don't think I will use this site because it can be hacked and take all the details from our accounts.