Pornhub hacked: Millions exposed to ad fraud malware masquerading as browser updates


Millions of Pornhub users were exposed to sophisticated ad fraud malware after a hacker group hijacked advertising on the site to display fake browser update links.

The ad fraud malware takes control of infected systems, makes money by generating clicks on fraudulent advertisements, and sends device data to command-and-control (C&C) servers.

Millions of people who visited Pornhub in the United States, the UK, Canada and Australia over the past year were exposed to ad fraud malware that the hackers delivered through the site by placing fake browser update adverts.

Users of Google Chrome, Firefox and Microsoft Edge were all exposed to the ad fraud malware, Kovter, which has been in use as sophisticated click-generating software for years.

According to security firm Proofpoint, which uncovered the operation, a hacker group known as KovCoreG hijacked Pornhub's advertising and displayed fake browser update adverts to induce visitors to click on them. Chrome and Firefox users were told to click the link to update their browser with the latest fixes, while Microsoft Edge users were offered a fake Adobe Flash Player update.

Once a visitor clicks on such a link, they are prompted to download a file containing a zipped script named runme.js, firefox-patch.js or FlashPlayer.hta, depending on the browser being used.

When a visitor runs the downloaded script, it fetches a payload containing PowerShell code with embedded shellcode. The shellcode in turn retrieves a file with an '.avi' extension which is not a video at all but the Kovter ad fraud malware, which then takes control of the device and generates clicks on fraudulent advertisements.
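The chain described above (a script host such as wscript.exe or mshta.exe launched on a freshly downloaded .js or .hta file, which then spawns PowerShell) leaves a recognisable trace in endpoint process-creation telemetry. The following detection logic is an added example and is not code from the original article or from Proofpoint; the log layout, host names, process IDs, file paths and command lines are constructed for illustration, and the rule thresholds are assumptions.

```python
"""Flag the fake-browser-update chain (script host launched on a user-downloaded
.js/.hta, followed by a PowerShell child) in process-creation logs.

Added example; the events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon Event ID 1 layout:
# host|pid|ppid|image|parent_image|command_line
SAMPLE_EVENTS = r"""
ws01|1200|800|C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|explorer.exe
ws01|3412|1200|C:\Windows\System32\wscript.exe|C:\Windows\explorer.exe|wscript.exe "C:\Users\alice\Downloads\runme.js"
ws01|3500|3412|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|powershell.exe -nop -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
ws02|2100|1900|C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|mshta.exe C:\Users\bob\Downloads\FlashPlayer.hta
ws02|2150|2100|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\mshta.exe|powershell -w hidden -nop -File C:\Users\bob\AppData\Local\Temp\stage.ps1
ws03|4000|3900|C:\Windows\System32\wscript.exe|C:\Windows\System32\svchost.exe|wscript.exe C:\Scripts\logon.vbs
ws04|5000|4900|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-Process
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Script extensions the fake "update" downloads used (.js / .hta) plus common cousins.
SCRIPT_FILE = re.compile(r"\.(?:js|jse|hta|vbs|wsf)\b", re.IGNORECASE)
# Locations a browser download, or a double-click on one, would normally run from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Switches typical of a dropper-launched PowerShell stage (hidden window, encoded, no profile).
EVASIVE_PS = re.compile(r"(?i)(?:-e(?:nc|ncodedcommand)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b)")


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the pipe-delimited constructed log format; command line may contain pipes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, pid, ppid, image, parent, cmd = line.split("|", 5)
        events.append(ProcEvent(host, int(pid), int(ppid), image, parent, cmd))
    return events


def detect(events: list) -> list:
    """Return findings for each stage of the chain, correlated per host by parent PID."""
    findings = []
    droppers = {}  # (host, pid) -> script host launched on a script in a user-writable dir
    for ev in events:
        if ev.name in SCRIPT_HOSTS and SCRIPT_FILE.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
            droppers[(ev.host, ev.pid)] = ev
            findings.append({"host": ev.host, "pid": ev.pid, "stage": "script_host_from_user_dir",
                             "severity": "medium", "detail": ev.cmdline})
    for ev in events:
        if ev.name in POWERSHELL and ev.parent_name in SCRIPT_HOSTS:
            chained = (ev.host, ev.ppid) in droppers      # parent is a flagged dropper
            evasive = bool(EVASIVE_PS.search(ev.cmdline))  # hidden/encoded/no-profile switches
            findings.append({"host": ev.host, "pid": ev.pid, "stage": "powershell_from_script_host",
                             "severity": "high" if chained or evasive else "medium",
                             "detail": f"parent={ev.parent_name} chained={chained} evasive_flags={evasive}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']:<6}] {f['host']} pid={f['pid']} {f['stage']}: {f['detail']}")
```

On the constructed input, both ws01 (runme.js via wscript.exe) and ws02 (FlashPlayer.hta via mshta.exe) produce a medium dropper finding followed by a high-severity PowerShell finding; the logon script on ws03 runs from outside a user-writable directory and the interactive PowerShell on ws04 has no script-host parent, so neither is flagged. Correlating on parent PID rather than alerting on every wscript.exe launch is what keeps the rule usable in an environment with legitimate logon scripts.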

‘This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,’ said researchers at Proofpoint.

‘The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity,’ they added.

According to the researchers, the operation is a classic example of how attackers use social engineering and the human factor to get malware onto devices: the malware is cleverly disguised as a genuine browser update or other software, which is enough to fool unsuspecting visitors.

‘While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,’ they added.

Copyright Lyonsdown Limited 2021
