
xHamster Targeted By Malvertising Campaign

Security researchers have spotted malware being distributed through malicious advertisements on xHamster, a popular adult website.

Tens of thousands of visitors to the site are likely to have been affected, according to security firm Malwarebytes, which said the ad was spotted on Friday and disabled by the end of Saturday.

Ad fraud

The campaign served malicious advertisements through ad provider TrafficHaus, which was also used in a similar incident in January, Malwarebytes said.

The malicious ad, which targeted Windows systems running Internet Explorer, also made use of Google’s link-shortening service, goo.gl, to help evade services that blacklist links known to be malicious.

“Simply going on xHamster’s website could infect a PC if the browser or one of its plugins was not up to date,” said Malwarebytes’ Jérôme Segura in an advisory. “We notified TrafficHaus, which responded immediately to shut down the malicious ad, helping to limit the number of victims.”

The campaign was unusually clever in its methods for concealing itself, striking only once per user IP address, relying on a known and trusted URL shortening service and hiding itself within an innocuous-looking piece of code, Segura said.

“Although Google did eventually blacklist the URL, it should be noted that cyber crooks are constantly rotating through new shortened links, making this a cat and mouse game, where the mouse tends to always win,” Segura wrote.

Concealment

The attackers built a shortened URL that redirected users to a web page hosting an exploit kit called Angler. That page scanned users’ systems to see if they were running Kaspersky or Norton security software before attempting to exploit a known Internet Explorer vulnerability to implant malware called Bedep, a Trojan horse that is capable of downloading other malware from the Internet.

In this case, Bedep was used to download a tool used to generate fraudulent advertising traffic, invisibly sending false ad views from a user’s system to various ad networks, Segura said. Bedep also loads another exploit kit called Magnitude, probably as a way of selling access to the infected system to others, according to Segura.

Malwarebytes recommended users ensure their systems are fully up to date.

“We have observed countless attacks via malvertising taking advantage of recently patched security flaws,” Segura wrote.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
