Smut-watchers suckered by evil advertising

'Millions' of Pr0rnHüb visitors offered fake browser updates

By Richard Chirgwin


Security bods have closed off a malvertising campaign, spread through an ad network, that targeted smut site P0rnHub.

The attacks exposed “millions of potential victims in the US, Canada, the UK, and Australia”, said the Proofpoint researchers who discovered the attack.

Proofpoint said the campaign was waged by the KovCoreG group (distributor of the Kovter malware) for more than a year.

Kovter isn't new: it turned up in poisoned ad campaigns in 2015, and again earlier in 2017.

In the most recent campaign, Proofpoint said, users were hooked with fake Chrome/Firefox/IE browser updates (and a fake Flash update for good measure); the attack was active for more than a year until the ad network, Traffic Junky, and the smut site lowered the boom.

“The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network”, Proofpoint writes.

As an example of the obfuscation the campaign used, Chrome users were served JavaScript that beaconed back to the attackers' server; the payload was only handed to IPs that had checked in, which stopped analysts from working through the infection chain in isolation.

“This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment. This is most likely why this component of the chain has not been documented previously.”
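The gating Proofpoint describes has a practical consequence for defenders: the payload only appears in traffic from a client that first completed the beacon check-in, so a sandbox that replays the script alone sees nothing. The following is an added illustration, not code from the article or from Proofpoint: it correlates constructed web-proxy log lines per client IP and reports which clients completed the full chain (redirect, beacon, payload) and which requested the payload without ever beaconing. Only the defanged redirect domain comes from the article; the beacon and payload hostnames, the log format and the 403 returned to an un-beaconed client are assumptions made for the example.

```python
"""Correlate constructed proxy log lines per client IP to reconstruct the
staged chain described in the article: redirect domain -> ad script ->
beacon check-in -> payload. Only avertizingms[.]com is from the article;
every other hostname and the log format are constructed for this example."""
from collections import defaultdict

STAGE_HOSTS = {
    "redirect": "avertizingms.com",  # defanged domain quoted from Proofpoint
    "beacon": "beacon.example",      # constructed placeholder, not a real indicator
    "payload": "payload.example",    # constructed placeholder, not a real indicator
}

# Constructed proxy log: "<timestamp> <client-ip> <method> <host> <path> <status>"
# 10.0.0.5 walks the whole chain; 10.0.0.9 (think: a sandbox replaying the
# script alone) never beacons and is refused the payload (403 is assumed).
SAMPLE_LOG = """\
2017-10-09T10:00:01 10.0.0.5 GET avertizingms.com /r 302
2017-10-09T10:00:02 10.0.0.5 GET cdn.example /ad.js 200
2017-10-09T10:00:03 10.0.0.5 GET beacon.example /ping 200
2017-10-09T10:00:05 10.0.0.5 GET payload.example /update.exe 200
2017-10-09T10:05:00 10.0.0.9 GET cdn.example /ad.js 200
2017-10-09T10:05:01 10.0.0.9 GET payload.example /update.exe 403
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, ip, method, host, path, status = line.split()
    return {"ts": ts, "ip": ip, "method": method, "host": host,
            "path": path, "status": int(status)}


def stage_of(host):
    """Map a hostname to a chain stage, or None if it is not an indicator."""
    for name, indicator in STAGE_HOSTS.items():
        if host == indicator:
            return name
    return None


def analyze(log_text):
    """Return {client_ip: {"stages": {stage: status}, "verdict": str}}."""
    hits = defaultdict(dict)  # ip -> {stage: last HTTP status seen}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        stage = stage_of(rec["host"])
        if stage:
            hits[rec["ip"]][stage] = rec["status"]

    results = {}
    for ip, stages in hits.items():
        if "beacon" in stages and stages.get("payload") == 200:
            verdict = "full_chain"                    # beaconed, then got the payload
        elif "payload" in stages and "beacon" not in stages:
            verdict = "payload_requested_without_beacon"  # what a lone replay looks like
        elif "beacon" in stages:
            verdict = "beaconed_no_payload"
        else:
            verdict = "redirect_only"
        results[ip] = {"stages": dict(stages), "verdict": verdict}
    return results


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["stages"])
```

The practical lesson is in the second client: a payload request with no preceding beacon from the same address is exactly what an isolated sandbox run produces, so analysts who want the final stage have to capture a real client's complete session rather than re-execute the script on its own.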

“It should be noted that both P0rnHub and Traffic Junky acted swiftly to remediate this threat upon notification”, Proofpoint noted in its post. ®

Bootnote: Using "Pr0rnHüb" instead of the site's real name helps our news to pass content filters so you can enjoy this news at work.
