The SSL malvertising campaign we documented in August that affected Yahoo.com, MSN.com and several other top sites is still ongoing. This time around it is striking on adult portals, including top domain xHamster.com which has close to half a billion monthly visits.
What lets us link it to the earlier attacks are recurring patterns in the infrastructure, in particular the use of free cloud-based platforms that provide Secure Sockets Layer (SSL) to anyone who signs up.
We have observed the Microsoft Azure and RedHat cloud platforms, and are now seeing IBM’s Bluemix, being leveraged by threat actors who take advantage of the free HTTPS encryption these services give them when delivering malicious code.

The malicious advert – served by TrafficHaus – was for a dating application called ‘Sex Messenger’ and was displayed often enough that we were able to reliably reproduce the infection in our lab, something that isn’t always feasible when it comes to malvertising.
Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer. We noticed the use of the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim’s system for particular security software, virtual machines and the Fiddler web debugger.
These efforts ensure that only real users get to see the exploit kit landing page, thereby excluding honeypots and security researchers alike. It’s noteworthy that those checks – which used to be done at the exploit kit landing page level – are now performed at the traffic redirection/malvertising stage, most likely to avoid unnecessary attention and wasted traffic.
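The two traits described above, client fingerprinting inside the ad and hosting on free cloud platforms with HTTPS, can be turned into a simple triage check for captured ad creatives. The Python script below is an added example written for this page; it is not Malwarebytes' tooling and contains nothing taken from the campaign itself. It scans a creative's JavaScript for the MSXML/XMLDOM object combined with `res://` URIs (the local-resource probing pattern behind CVE-2013-7331), for any reference to Fiddler, and for redirect targets on free PaaS hostnames. The hostname suffixes, the two sample creatives and the file paths inside them are constructed assumptions for the demo.

```python
"""Triage helper for captured ad creatives (added example, not from the post).

Flags the two traits the post describes:
  1. fingerprinting via the IE XMLDOM bug (CVE-2013-7331), which probes for
     local files through res:// URIs loaded into an MSXML DOM object;
  2. redirects to free-tier cloud platforms that hand out HTTPS for free.
"""
import re
from dataclasses import dataclass, field
from typing import List

# ASSUMPTION: hostname suffixes of the free-tier platforms named in the post.
FREE_PAAS_SUFFIXES = (".azurewebsites.net", ".rhcloud.com", ".mybluemix.net")

# new ActiveXObject("Microsoft.XMLDOM") / ("Msxml2.DOMDocument.6.0") etc.
XMLDOM_RE = re.compile(
    r"ActiveXObject\(\s*['\"](?:Microsoft\.XMLDOM|Msxml2\.DOMDocument[\w.]*)['\"]\s*\)",
    re.IGNORECASE,
)
# res:// URIs are how the XMLDOM bug is used to test whether a local file exists.
RES_URI_RE = re.compile(r"res://[^'\"\s>]+", re.IGNORECASE)
FIDDLER_RE = re.compile(r"fiddler", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Verdict:
    xmldom_objects: int = 0
    res_uris: List[str] = field(default_factory=list)
    fiddler_check: bool = False
    paas_hosts: List[str] = field(default_factory=list)

    @property
    def fingerprinting(self) -> bool:
        # An MSXML DOM object together with res:// URIs is the probing pattern.
        return self.xmldom_objects > 0 and bool(self.res_uris)

    @property
    def suspicious(self) -> bool:
        return self.fingerprinting or self.fiddler_check or bool(self.paas_hosts)


def triage(creative_js: str) -> Verdict:
    """Return a Verdict describing which malvertising traits the creative shows."""
    v = Verdict()
    v.xmldom_objects = len(XMLDOM_RE.findall(creative_js))
    v.res_uris = RES_URI_RE.findall(creative_js)
    v.fiddler_check = bool(FIDDLER_RE.search(creative_js))
    for host in URL_RE.findall(creative_js):
        host = host.lower()
        if host.endswith(FREE_PAAS_SUFFIXES) and host not in v.paas_hosts:
            v.paas_hosts.append(host)
    return v


# Constructed sample creatives (not captured from the campaign).
MALICIOUS_CREATIVE = r"""
var d = new ActiveXObject("Microsoft.XMLDOM");
d.async = false;
d.load("res://C:\\SomeAV\\av.exe");            // placeholder AV path
d.load("res://C:\\Fiddler2\\Fiddler.exe");     // web debugger check
window.location = "https://promo-landing.mybluemix.net/in.php";
"""

BENIGN_CREATIVE = """
var img = document.createElement("img");
img.src = "https://cdn.example.com/banner.png";
img.onclick = function () { window.open("https://www.example.com/offer"); };
document.body.appendChild(img);
"""


if __name__ == "__main__":
    for name, js in (("malicious", MALICIOUS_CREATIVE), ("benign", BENIGN_CREATIVE)):
        v = triage(js)
        print(f"{name}: suspicious={v.suspicious} fingerprinting={v.fingerprinting} "
              f"fiddler={v.fiddler_check} paas_hosts={v.paas_hosts}")
```

The check is deliberately coarse: a creative that instantiates an MSXML DOM object and references `res://` paths has no legitimate reason to do so, and a landing page on a free PaaS tier is worth a second look on its own, so either trait is enough to pull the creative for manual review rather than serve it.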
Fortunately, TrafficHaus was quick to stop this malicious campaign. Malwarebytes Anti-Exploit users were already protected against this threat and never saw its payload (ransomware and more).
Update:
A couple of days after reporting the initial attack, we spotted another malvertising incident, also from xHamster, that this time distributes browser-based ransomware (browlock).

This latest example is a reminder that malvertising does not always equate to malware infections via exploit kits. In fact, a very large portion of malvertising attacks push fraudulent pages (FBI browserlock ransomware, tech support scams, fake surveys, etc.) because they can affect all platforms, and especially mobile users.
Those sites are typically harmless in themselves but display alarming messages and annoying pop-ups that prevent users from closing their browser easily. The rest is all about social engineering and “Psychological Warfare”, which I discussed recently in a webinar with fellow Malwarenaut Adam Kujawa.
We notified TrafficHaus immediately upon discovery.
I solely run Firefox, and this affected that too. I realised it was malware embedded somewhere into the site… but it’s not solely an IE exploit as was reported by the BBC.
Having been affected by Pop-Ups/Unders/Sideways and such over the years, I was so glad that NoScript became available and it’s my first line of defense against many of these issues. It also helps that I’m in the Trust Nobody category and have stripped all of the preapproved sites from the NoScript whitelist – I’ll whitelist my own, thank you, and have NoScript in Deny All. Haven’t had too many problems with things like this due to blocking the scripts that call them to begin with.
This is such a big threat, it is starting to spread like wildfire, which is not good for PC users with no antivirus: they visit this page and then they get infected, which is not good if they don’t know how to remove the viruses.
NoScript and AdBlock. Sorry free sites who run on adware, as long as you are not made safe, there’s no way I’m unblocking you/supporting in any way.