Pornhub hack: Hackers hijacked ads with malware in year-long attack

PornHub visitors hit with malware attack via poisoned ads

PornHub Malvertising Attack Exposed Millions to Ad Fraud

"Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely", wrote the team at Proofpoint.

Millions of users who visited adult website PornHub could have been infected by malware after hackers infiltrated the website's advertising supply chain.

According to cybersecurity company Proofpoint, the hackers' attack may have "exposed millions of potential victims in the US, Canada, the United Kingdom, and Australia", using fake updates, which "could just as easily have been ransomware, an information stealer, or any other malware".

Users were shown different download prompts depending on their browser.

Once the victim downloaded the malicious fake update, the malware would immediately infect their machine and covertly click on certain adverts to generate funds illicitly.

The ads, delivered via the Traffic Junky advertising network, tricked unsuspecting users of Google Chrome, Firefox and Microsoft Edge/Internet Explorer into installing bogus "critical" updates to their browsers.

The files downloaded Kovter, which can be used to run various kinds of malicious code, including ransomware and information-stealers.

After being notified of the malware activity, PornHub and Traffic Junky shut down this particular avenue of attack, but not before, as noted, millions of surfers had already been hit. They said that "malvertising impressions are restricted by both geographical and ISP filtering".

Security bods have closed off a malvertising campaign spread through an ad network that targeted smut site PornHub. According to Proofpoint, the attack is now going on elsewhere. Epstein also commended the website and advertising network for their incredibly swift response following the notification from Proofpoint.

"In fact, malvertising incidents have more than doubled in the past three years and are increasingly found on premium websites that are typically whitelisted by enterprises for employee internet use", he said.

Like other malvertising actors, the KovCoreG group is now focusing on redirecting users to social engineering sites (i.e. fake downloads) instead of redirecting them to websites hosting exploit kits.
