Published: Thu, October 12, 2017
IT | By Lester Massey

Cyber Honey Trap: Hackers Hit PornHub Users With Malvertising Attack

Millions of people who visited Pornhub in the United States, the UK, Canada, and Australia in the past year were exposed to ad fraud malware, which hackers had injected into the site by placing fake browser update adverts.

If they clicked through, their machine was infected with Kovter, a highly persistent malware which in this case was used to commit ad fraud.

Millions of Pornhub users were targeted with a malvertising attack that sought to trick them into installing malware on their PCs, according to infosec firm Proofpoint.

The so-called malvertising campaign reportedly exposed millions of potential victims in the U.S., Canada, the United Kingdom and Australia, but has since been shut down after PornHub and its ad network were notified of the activity. While Chrome and Firefox users were asked to click on links to update their browsers with the latest fixes, Microsoft Edge users were offered an update to the Adobe Flash Player.

Payloads differed between users, the main factor seeming to be the user's preferred web browser such as Google Chrome, Mozilla Firefox or Apple Safari. "For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds". According to Proofpoint, the attack is now going on elsewhere.

Well, if you are, you might have got more than you bargained for recently, as the Kovter malware was spread via poisoned ads served up by the X-rated PornHub site. And although most of us practice safe browsing, with plenty of virus protection to guard us, our personal information, and our computers, the reality is that with advanced viruses created by hackers like KovCoreG, the group supposedly responsible for this attack, it's becoming increasingly hard to know if you've been infected.


Proofpoint said the malware was quickly removed by Pornhub and TrafficJunky once the companies were notified.

"Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective".

The fake advertisements encouraging users to infect themselves with the Kovter malware "could just as easily have been ransomware, an information stealer, or any other malware", said Proofpoint.

"This discovery underscores that threat actors follow the money and continue to ideal combinations of social engineering, targeting, and pre-filtering to infect new victims at scale".
