Kovter malware infected millions of adult-themed website users

by Ugnius Kiguolis - -

Visits to Pornhub ended up with ad fraud malware attack for millions

Kovter malware infected millions of adult-themed website users

Visiting pornographic websites was never a safe activity.[1] However, gazillion of users still goes there to look for entertaining content. According to the latest research from Proofpoint, visits to one of the most popular porn website – Pornhub – may have ended up badly for millions.

Proofpoint detected Kovter ad fraud malware spreading on Pornhub.[2] If you follow cyber security news, the name of this cyber infection might sound familiar to you. Indeed, this malware has been spreading in 2015 and earlier this year together with other well-known viruses, such as Locky.[3]

Researchers didn’t take long to figure out who is standing behind this massive cyber assault – the group of hackers known as KovCoreG. However, the recent attack was quite unusual. This time criminals relied on social engineering and advanced filtering strategy instead of exploit kits. Therefore, they tricked users into installing malware payload themselves presenting it as a crucial update.

The attack was held against Windows computer users who browsed on the adult-themed website using Google Chrome, Mozilla Firefox, Internet Explorer or Microsoft Edge web browsers. The attack was launched by compromising legit advertising network Traffic Junky.

Millions of users were redirected to malicious websites that asked to install crucial browser’s or Adobe Flash Player update. Once installed, users browser was used for click-fraud[4] activities, such as clicking on various ads and generating pay-per-click revenue illegally.

Hackers used different campaigns to launch cyber attacks

KovCoreG group showed that it’s not hard to hijack legit ad-service and install a malicious program on the computers easily. However, cyber criminals created three different campaigns and targeted users based on the used browser’s type. 
Chrome and Firefox users were asked to install a “critical” update. Meanwhile, Microsoft browsers’ users were redirected to fake Flash Player’s update website. When users hit a malicious download button, they install one of these files:


Chrome and Firefox users were asked to install a “critical” update. Meanwhile, Microsoft browsers’ users were redirected to fake Flash Player’s update website. When users hit a malicious download button, they install one of these files:

  • zipped runme.js file from fake Chrome update site;
  • firefox-patch.js file from malicious Firefox update website;
  • FlashPlayer.hta file from fake Adobe Flash Player update website redirected by Microsoft Edge or Internet Explorer.

The interesting fact is that hackers launched targeted campaigns based on users’ location. However, criminals paid attention to other characteristics, such as time zone, language, screen dimension, language, etc. All in all, this ad fraud attack was designed to hit users from the United Kingdom, the United States, Canada, and Australia.

Don’t become a victim of malvertising campaign

The attack to the Pornhub reminds that visiting adult-themed websites might end up with a malware attack. Therefore, avoiding high-risk sites is one of the main tips not to fall for some hackers’ trick. However, even legit and safe websites, such as BBC or New York Times.[5] Thus, malware-laden ads might follow you everywhere.

Cyber criminals typically rely on social engineering and trick users into installing missing, critical or important updates for well-known programs. Therefore, it’s highly recommended to enable automatic updates in order not to get tricked by hackers.

Keep in mind that fake download sites might look identical to the original ones. So, it’s easy to get fooled. Therefore, it’s important to be careful with online ads and do not trust each popped up notification to download something useful. Keep in mind that even antivirus program may not protect you from these hackers’ tricks all the time.

Nevertheless, this time crooks spread only a click-fraud malware; the attack might end up even worse. This strategy is also being used for spreading hazardous cyber threats, such as ransomware or data-stealing Trojans.

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References


Files
Software
Compare
Like us on Facebook