Monday, 9 October 2017

Infected Pornhub Ads Spread Kovter Malware



On the popular porn site Pornhub, infected advertisements appeared to infect visitors with malware. According to market researchers, the porn site is ranked in the top 30 of most visited websites in the world. Pornhub claims itself to get 75 million unique visitors a day.

The infected ads were spread through Traffic Junky's ad network. The ads passed users to a website that believed that there was an important update for the browser or Adobe Flash Player. When users clicked on the page, a JavaScript file was downloaded that installed the final malware. It was about malware that caused the computer advertising fraud. After being informed, both Traffic Junky and Pornhub have removed the ads, according to security company Proofpoint.


"The combination of large scale malvertising campaigns on print-enabled websites with sophisticated social engineering that convinces users to infect themselves means that potential exposure to malware is quite high and millions of Internet users are reached," says the Proofpoint researcher with the alias Caffeine. "Once again, we see that attackers exploit the human factor as they adapt their tools and approaches to a landscape where traditional exploits are less effective." The investigator thus targets the fact that attacking vulnerabilities in browsers and Adobe Flash Player causes ever fewer infections to cyber criminals.


Indicators of Compromise (IOCs):


IOC
IOC Type
Description
www.advertizingms[.com|204.155.152.173
domain|IP
Suspicious Epom server 2017-10-01
*-6949.kxcdn.com
domains
Subdomain from a rogue KeyCDN customer 2017-10-01
phohww11888[.org|192.129.215.155
domain|IP
KovCoreG soceng host  2017-10-01
cipaewallsandfloors[.net|192.129.162.107
domain|IP
KovCoreG soceng host  2017-10-01
b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9
sha256
            T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js)  2017-10-01

4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3
sha256
FlashPlayer.hta
 2017-10-01
a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35
sha256
Firefox-patch.js
 2017-10-01

0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12
sha256
 Kovter 2017-10-01

f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e
sha256
 Kovter 2017-10-01

No comments:

Post a Comment