Porn Site Becomes Hub for Malvertising Campaigns

Pornhub, a top-20 ranked U.S. website according to Alexa, was serving up large-scale malvertising attacks exposing millions of visitors to click-fraud.

Behind the attacks is the KovCoreG Group, best known for distributing Kovter click-fraud malware. The campaigns, spotted by researchers at Proofpoint, also impacted a number of other major websites that used the TrafficJunky advertising network that was exploited by the adversaries. The ad network works primarily with adult-themed websites, based on a review of its marketing material.

“This attack chain exposed millions of potential victims in the U.S., Canada, the U.K., and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,” wrote Proofpoint in a blogpost explaining KovCoreG’s recent activity and its most recent campaigns targeting Pornhub.

Pornhub and TrafficJunky did not respond to inquiries for this story.

Researchers said the attacks have been ongoing for the past year, but these recent campaigns are notable given the popularity of the site impacted. Pornhub receives on average 8.7 million unique visitors a day.

“We do not have data on the precise length of time that Pornhub and TrafficJunky were compromised but, as noted, we know that the KovCoreG Group has been using this type of attack on multiple sites for over a year,” said Kevin Epstein, VP of threat operations at Proofpoint in an interview with Threatpost. “It is likely that Pornhub in particular was being abused for some time, although both Pornhub and TrafficJunky moved very quickly to address the issue as soon as we informed them of the problem.”

The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network. Once the adversary qualifies a victim by browser and geographic region, a malicious ad “delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds,” researchers said.

Researchers cautioned that there are no links between those behind the Neutrino exploit kit and KovCoreG other than some shared code, which may point to a common coder.

“Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce,” researchers said. To improve infection rates, criminals have turned to advanced filtering techniques and social engineering rather than exploits.

As for Chrome users stumbling on the malvertising campaign via Pornhub, a fake browser update message reading “Critical Chrome update” is presented to the potential victims. If the target clicks on the “Download Now” link, a zipped runme.js file is dropped onto the target’s PC.

“The runme.js file is associated with the fake Chrome update and beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study,” researchers said.
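The chain described above (a redirect host, a follow-on landing page, then a zipped script download) is something a defender can hunt for in proxy logs. The following is an added example, not code from Proofpoint or Threatpost: it refangs the redirect domain named in the article and flags, per client, contact with that host, requests whose referer points back to it, and any .zip fetched afterwards by the same client. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Redirect domain named in the article, kept in its defanged form.
REDIRECT_DOMAIN = "avertizingms[.]com"

# Assumed (constructed) proxy log format: ts client METHOD url status ref="referer"
LOG_RE = re.compile(
    r'(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) ref="(?P<referer>[^"]*)"'
)

def refang(indicator: str) -> str:
    """Turn the defanged 'example[.]com' form into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def host_of(url: str) -> str:
    """Extract the lowercase hostname from an http(s) URL, '' if none."""
    m = re.match(r'https?://([^/:?]+)', url)
    return m.group(1).lower() if m else ""

def find_chain_hits(lines):
    """Return (client, reason, url) for events matching the redirect chain."""
    redirect_host = refang(REDIRECT_DOMAIN)
    touched = defaultdict(bool)  # clients that already reached the redirect host
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        client, url, referer = m["client"], m["url"], m["referer"]
        if host_of(url) == redirect_host:
            touched[client] = True
            hits.append((client, "redirect-host", url))
        if host_of(referer) == redirect_host:
            hits.append((client, "chain-referer", url))
        # A zip pulled down after the redirect stage is the 'update' download.
        if url.split("?", 1)[0].lower().endswith(".zip") and touched[client]:
            hits.append((client, "zip-after-redirect", url))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '2017-10-10T12:00:01Z 10.0.0.5 GET https://ads.example.test/banner 200 ref="https://site.example.test/"',
    '2017-10-10T12:00:02Z 10.0.0.5 GET http://avertizingms.com/r?id=42 302 ref="https://ads.example.test/banner"',
    '2017-10-10T12:00:03Z 10.0.0.5 GET https://cdn.example.test/lander.js 200 ref="http://avertizingms.com/r?id=42"',
    '2017-10-10T12:00:09Z 10.0.0.5 GET https://cdn.example.test/update/chrome_update.zip 200 ref="https://cdn.example.test/lander"',
    '2017-10-10T12:00:10Z 10.0.0.9 GET https://files.example.test/report.zip 200 ref=""',
]

if __name__ == "__main__":
    for client, reason, url in find_chain_hits(SAMPLE_LOG):
        print(f"{client} {reason} {url}")
```

The second client's .zip download is not flagged because it never touched the redirect host, which keeps the rule from firing on ordinary archive downloads.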
