Porn Site Becomes Hub for Malvertising Campaigns

Pornhub, a top-20 ranked U.S. website according to Alexa, was serving up large-scale malvertising attacks exposing millions of visitors to click-fraud.
Behind the attacks is the KovCoreG Group, best known for distributing Kovter click-fraud malware. The campaigns, spotted by researchers at Proofpoint, also impacted a number of other major websites that used the TrafficJunky advertising network that was exploited by the adversaries. The ad network works primarily with adult-themed websites, based on a review of its marketing material.
“This attack chain exposed millions of potential victims in the U.S., Canada, the U.K., and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,” wrote Proofpoint in a blogpost explaining KovCoreG’s recent activity and its most recent campaigns targeting Pornhub.
Pornhub and TrafficJunky did not respond to inquiries for this story.
Researchers said the attacks have been ongoing for the past year, but these recent campaigns are notable given the popularity of the site impacted. Pornhub receives on average 8.7 million unique visitors a day.
“We do not have data on the precise length of time that Pornhub and TrafficJunky were compromised but, as noted, we know that the KovCoreG Group has been using this type of attack on multiple sites for over a year,” said Kevin Epstein, VP of threat operations at Proofpoint in an interview with Threatpost. “It is likely that Pornhub in particular was being abused for some time, although both Pornhub and TrafficJunky moved very quickly to address the issue as soon as we informed them of the problem.”
The chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network. Once the adversary qualifies a victim by browser and geographic region, a malicious ad “delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds,” researchers said.
Researchers cautioned that there are no known links between the operators of the Neutrino exploit kit and KovCoreG other than some shared code, which may point to a common coder rather than a shared operation.
“Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce,” researchers said. To keep infection rates up as patched browsers have made exploits less reliable, criminals have turned to aggressive victim filtering and social engineering instead of exploits.
Chrome users who hit the malvertising campaign on Pornhub are shown a fake browser update message titled “Critical Chrome update.” If the target clicks the “Download Now” link, a zipped runme.js file is dropped onto the target’s PC.
“The runme.js file is associated with the fake Chrome update and beacons back to the same server hosting the social engineering scheme. This adds an extra layer of protection against replay or study,” researchers said.

Firefox users are presented with a similar “Critical Firefox update” page and a download dialog asking “would you like to save this file”; accepting it drops a firefox-patch.js file. Microsoft Edge and Internet Explorer users instead receive fake Adobe Flash Player update messages such as “your flash player may be out of date,” which drop a FlashPlayer.hta file after a click.
“This campaign uses clever social engineering to trick users into installing fake updates that appear as soon as they visited a page containing a malicious ad,” Proofpoint researchers said. “Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals.”
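All three lures end the same way: a user-initiated download of a .js or .hta file from a user-writable directory that is then executed by a Windows script host (wscript.exe, cscript.exe or mshta.exe). The detection rule below is an added example written for this article, not Proofpoint’s or Kovter’s code; it runs over constructed process-creation events in the shape of Sysmon Event ID 1 fields (the event layout and sample paths are assumptions for the example), flagging script-host launches from download or temp directories and matching the lure file names reported on this page. It is not a general catch-all for scripting abuse.

```python
import re
from typing import Dict, List

# Constructed process-creation events modelled on Sysmon Event ID 1 fields (image,
# parent image, command line). They are invented for this example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\runme.js"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\FlashPlayer.hta"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\ProgramData\Corp\inventory.js"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'notepad.exe "C:\Users\alice\Downloads\readme.txt"'},
]

# Windows script hosts that a double-click on a .js/.hta file lands in.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# First script-type path argument on the command line (quoted or not).
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:jse|js|hta|vbs|wsf))"?', re.I)
# User-writable locations where a browser download or unzipped attachment ends up.
USER_DROP_DIR = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
# File names Proofpoint reported for this campaign's fake-update lures.
LURE_NAMES = {"runme.js", "firefox-patch.js", "flashplayer.hta"}


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no hit."""
    reasons: List[str] = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in SCRIPT_HOSTS:
        return reasons
    m = SCRIPT_ARG.search(event["cmdline"])
    if not m:
        return reasons
    script_path = m.group(1)
    script_name = script_path.rsplit("\\", 1)[-1].lower()
    if USER_DROP_DIR.search(script_path):
        reasons.append(f"{image_name} ran a script from a user download/temp directory")
    if script_name in LURE_NAMES:
        reasons.append(f"script name {script_name} matches a reported fake-update lure")
    return reasons


def flag_script_host_launches(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events and return only the hits with their reasons."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            hits.append({"cmdline": ev["cmdline"], "parent": ev["parent"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_script_host_launches(SAMPLE_EVENTS):
        print(hit["cmdline"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The third sample event (a script under ProgramData launched by a service) is deliberately not flagged: the rule keys on where the script came from, not on script hosts as such, which keeps it usable in environments that run logon scripts. Lure names change between campaigns, so the name match is a bonus signal, not the primary one.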
Researchers said the JavaScript targeting browsers downloads “flv” and “mp4” files. “The flv file contains ‘[704][rc4 key]’. The mp4 file is an intermediate payload, encrypted with the rc4 key from the flv file and then hex-encoded. ‘704’ here is likely the internal campaign ID,” said researchers.
The intermediate payload is itself more JavaScript, Proofpoint said. It contains an encoded PowerShell script that embeds shellcode, and the shellcode downloads and launches an “avi” file that is actually the Kovter payload.
“While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,” researchers noted.
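The staging scheme described above (an “flv” file holding “[704][rc4 key]” and an “mp4” file that is the next stage RC4-encrypted with that key and then hex-encoded) is simple enough to unwind by hand. The decoder below is an added example for this article, not Proofpoint’s tooling or the campaign’s own loader; the key, the campaign ID value and the second-stage text are constructed here so the script runs offline, and the RC4 routine is a plain textbook implementation included so no third-party library is needed. The sanity check at the end exists because RC4 with a wrong key fails silently, producing random-looking bytes rather than an error.

```python
import re
from typing import Tuple

# Constructed sample values for this example; no real KovCoreG artefacts are reproduced.
CAMPAIGN_ID = "704"            # the article reports "704" as the likely internal campaign ID
RC4_KEY = "example-rc4-key"    # hypothetical key, not one recovered from the campaign
STAGE2_JS = 'var s = "constructed second-stage JavaScript used only for this example";'


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


FLV_FORMAT = re.compile(r"^\[(\d+)\]\[([^\]]+)\]$")


def parse_flv_stage(flv_text: str) -> Tuple[str, bytes]:
    """Split the '[campaign id][rc4 key]' string that the loader fetches as an '.flv' file."""
    m = FLV_FORMAT.match(flv_text.strip())
    if not m:
        raise ValueError("flv stage is not of the form [id][key]")
    return m.group(1), m.group(2).encode()


def decode_mp4_stage(mp4_hex: str, key: bytes) -> bytes:
    """Undo the two layers on the '.mp4' stage: hex decoding, then RC4 with the key from the flv."""
    return rc4(key, bytes.fromhex(mp4_hex.strip()))


def plausible_script(data: bytes, threshold: float = 0.95) -> bool:
    """Wrong key gives near-random bytes; real JavaScript is almost entirely printable ASCII."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / max(len(data), 1) >= threshold


def recover_stage2(flv_text: str, mp4_hex: str) -> Tuple[str, str]:
    """Full chain: key from the flv, decrypt the mp4, refuse output that does not look like script."""
    campaign_id, key = parse_flv_stage(flv_text)
    plain = decode_mp4_stage(mp4_hex, key)
    if not plausible_script(plain):
        raise ValueError("decrypted stage does not look like script: wrong key or wrong format")
    return campaign_id, plain.decode("utf-8")


def build_constructed_sample() -> Tuple[str, str]:
    """Produce a matching flv/mp4 pair offline, in the layout the article describes."""
    flv = f"[{CAMPAIGN_ID}][{RC4_KEY}]"
    mp4 = rc4(RC4_KEY.encode(), STAGE2_JS.encode()).hex()
    return flv, mp4


if __name__ == "__main__":
    flv, mp4 = build_constructed_sample()
    cid, js = recover_stage2(flv, mp4)
    print(f"campaign {cid}: {js}")
```

On a real capture the two inputs are the bodies of the “flv” and “mp4” HTTP responses; because the page says the loader beacons to the same server that serves the lure, those responses should be taken from the proxy or packet capture of the original session rather than re-requested later.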
Compromised websites serving malicious code remain a serious problem; CNCERT’s periodic reports on its website regularly record large numbers of government sites found hosting malicious code. How can infection by online malicious code be prevented?
