Adult websites hit by malvertising scam

Sex sites lead to users' systems picking up a nasty little bug.

Some users are getting more than they bargained for
Some users are getting more than they bargained for

Criminals are looking to porn sites to infect user's machines with malware hidden inside adverts.

The latest attack was picked up by IT security firm Malwarebytes. Criminals managed to insert malicious adverts onto an adult website called xHamster, which itself is a legitimate but adult-oriented video site.

According to a blog post, an advert, apparently for a service called Sex Messenger, scanned a user's system to see if the the site was being visited by a human or a bot. The malware also checks to see if a user is running Internet Explorer before downloading its payload.

"Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer," Jerome Segura, senior security researcher at Malwarebytes.

The malware used the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim's system for particular security software, virtualisation (Virtual Machines) and the Fiddler web debugger.

"These efforts ensure that only real users will get to see the exploit kit landing page, therefore excluding honeypots and security researchers alike. It's noteworthy that those checks – which used to be done at the exploit kit landing page level – are done at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic."

The company that unknowingly served up the malware-laden ads, TrafficHaus, was contacted by Malwarebytes. This then led to TrafficHaus pulling the advertising.

“What allows us to differentiate it from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL),” said Segura. “We have observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM's Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code.”

Segura added that this latest example is a reminder that malvertising does not always equate to malware infections via exploit kits.

“In fact, a very large portion of malvertising attacks push fraudulent pages (FBI browserlock ransomware, tech support scams, fake surveys, etc) because they can affect all platforms, and especially mobile users,” he said.

“Those sites are typically harmless but display alarming messages and annoying pop ups preventing users from closing their browser easily.”

Fraser Howard, principal researcher at SophosLabs, told SCMagazineUK.com that the delivery process for malvertising happens in two steps.

“The site the user is browsing (in this example, a porn site) has been compromised. In this case, the advertising content the site displays is what has been hacked, so even though the porn site itself has not been hacked, it is this site that loads third-party content from elsewhere – the ads content,” he said.

“The redirect takes the user's browser to the Angler exploit kit. This exploit kit basically provides the attacker with automation to exploit users' machines. In 2015, we have seen aggressive targeting of mostly Flash and IE vulnerabilities. Other software is also targeted – it changes as new vulnerabilities are discovered.”

Nick Buchholz, threat analyst at Damballa, told SC that compared to other types of malware, ransomware provides very high rewards at a minimal risk to the malware operators.

“Disabling, encrypting, or otherwise locking out systems and files creates a high amount of incentive for victims to pay the ransoms, both on home and enterprise networks. Couple this with the strong encryption used by modern ransomware like Cryptowall and the ease of delivering the malware via exploit kits, and it creates an opportunity for malware operators to make large sums of money in very small amounts of time,” he said.

While many corporate networks block adult sites, there still could be a chance that malware introduced via such sites could make their way onto such infrastructure.

“Many corporate sites have strong controls while the employee is on the corporate network and less control when they are remote,” Gavid Reid, VP of threat intelligence at Lancope, told SC. “In many corporate enterprises malware like this could get on a laptop while the employee is on a hotel network or a coffee shop, then spread when the employee is back at the office.”