Malicious advertisements on the popular porn site Pornhub turned out to be infecting visitors with malware. According to market researchers, the site ranks among the 30 most visited websites in the world; Pornhub itself claims 75 million unique visitors a day.
The malicious ads were distributed through the Traffic Junky ad network. They redirected users to a website claiming that an important update for their browser or for Adobe Flash Player was available. When users clicked on the page, a JavaScript file was downloaded that installed the final payload: malware that used the infected computer to commit advertising fraud. After being notified, both Traffic Junky and Pornhub removed the ads, according to security company Proofpoint.
"The combination of large-scale malvertising campaigns on high-traffic websites with sophisticated social engineering that convinces users to infect themselves means that potential exposure to malware is quite high and millions of Internet users are reached," says the Proofpoint researcher known by the alias Kafeine. "Once again, we see that attackers exploit the human factor as they adapt their tools and approaches to a landscape where traditional exploits are less effective." The researcher is referring to the fact that exploiting vulnerabilities in browsers and Adobe Flash Player yields ever fewer infections for cyber criminals.
Indicators of Compromise (IOCs):

| IOC | IOC Type | Description | Date |
|---|---|---|---|
| www.advertizingms[.]com \| 204.155.152.173 | domain \| IP | Suspicious Epom server | 2017-10-01 |
| *-6949.kxcdn.com | domains | Subdomain from a rogue KeyCDN customer | 2017-10-01 |
| phohww11888[.]org \| 192.129.215.155 | domain \| IP | KovCoreG soceng host | 2017-10-01 |
| cipaewallsandfloors[.]net \| 192.129.162.107 | domain \| IP | KovCoreG soceng host | 2017-10-01 |
| b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9 | sha256 | T016d6n7t96x2hc43r5f3u6gs61d.zip (zipped runme.js) | 2017-10-01 |
| 4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3 | sha256 | FlashPlayer.hta | 2017-10-01 |
| a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35 | sha256 | Firefox-patch.js | 2017-10-01 |
| 0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12 | sha256 | Kovter | 2017-10-01 |
| f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e | sha256 | Kovter | 2017-10-01 |
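The IOC list above is only useful once it is run against your own telemetry. The following script is an added example (not code from the article or from Proofpoint) that loads the published indicators, refangs the `[.]` notation, honours the `*-6949.kxcdn.com` wildcard, and checks constructed proxy log lines and file hashes against them. The log format (timestamp, client IP, method, URL) and the sample lines are assumptions made for the example; the indicator values are the ones in the table.

```python
"""Match the published Pornhub/KovCoreG IOCs against proxy logs and file hashes.

Added example, not from the original article or from Proofpoint. Indicator
values come from the IOC table; the log lines and benign hash are constructed.
"""
import fnmatch
import re
from urllib.parse import urlsplit

# Network indicators as published (defanged with "[.]"). The "*" entry keeps
# Proofpoint's wildcard for the rogue KeyCDN customer's subdomains.
DEFANGED_HOSTS = {
    "www.advertizingms[.]com": "Suspicious Epom server",
    "*-6949.kxcdn.com": "Subdomain from a rogue KeyCDN customer",
    "phohww11888[.]org": "KovCoreG soceng host",
    "cipaewallsandfloors[.]net": "KovCoreG soceng host",
}
IPS = {
    "204.155.152.173": "Suspicious Epom server",
    "192.129.215.155": "KovCoreG soceng host",
    "192.129.162.107": "KovCoreG soceng host",
}
SHA256 = {
    "b8ad6ce352f502e6c9d2b47db7d2e72eb3c04747cef552b17bb2e5056d6778b9": "zipped runme.js",
    "4ebc6eb334656403853b51ac42fb932a8ee14c96d3db72bca3ab92fe39657db3": "FlashPlayer.hta",
    "a9efd709d60e5c3f0b2d51202d7621e35ba983e24aedc9fba54fb7b9aae14f35": "Firefox-patch.js",
    "0e4763d4f9687cb88f198af8cfce4bfb7148b5b7ca6dc02061b0baff253eea12": "Kovter",
    "f449dbfba228ad4b70c636b8c46e0bff1db9139d0ec92337883f89fbdaff225e": "Kovter",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]" or the truncated "[.") back into a real hostname."""
    return ioc.replace("[.]", ".").replace("[.", ".").lower()


HOSTS = {refang(k): v for k, v in DEFANGED_HOSTS.items()}


def match_host(host: str):
    """Return the IOC description for a hostname, or None. Exact match for plain
    domains, glob match for wildcard entries such as *-6949.kxcdn.com."""
    host = host.lower().rstrip(".")
    for pattern, desc in HOSTS.items():
        if "*" in pattern:
            if fnmatch.fnmatchcase(host, pattern):
                return desc
        elif host == pattern:
            return desc
    return None


# Assumed log layout for the example: "<timestamp> <client> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Yield (client, host, description) for every log line whose URL host or IP is an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        host = urlsplit(m["url"]).hostname or ""
        desc = match_host(host) or IPS.get(host)
        if desc:
            hits.append((m["client"], host, desc))
    return hits


def scan_hashes(hashes):
    """Return (sha256, description) for every hash that is a known IOC (case-insensitive)."""
    return [(h.lower(), SHA256[h.lower()]) for h in hashes if h.lower() in SHA256]


# Constructed sample data: one benign request, three hits, and one clean hash.
SAMPLE_LOG = [
    "2017-10-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html",
    "2017-10-01T10:00:02Z 10.0.0.5 GET http://www.advertizingms.com/banner.js",
    "2017-10-01T10:00:03Z 10.0.0.7 GET https://cdn1-6949.kxcdn.com/loader.js",
    "2017-10-01T10:00:04Z 10.0.0.7 GET http://192.129.215.155/",
]
SAMPLE_HASHES = [
    "4EBC6EB334656403853B51AC42FB932A8EE14C96D3DB72BCA3AB92FE39657DB3",  # FlashPlayer.hta, upper-cased
    "0" * 64,  # constructed benign hash
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("network IOC hit:", hit)
    for hit in scan_hashes(SAMPLE_HASHES):
        print("file IOC hit:", hit)
```

Two design choices worth noting: hostnames are taken from the parsed URL rather than by substring search, so `advertizingms.com.example.org` does not match, and the wildcard is applied only to the one entry Proofpoint published with a `*`, so a bare `kxcdn.com` (a legitimate CDN) is not flagged.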