The SSL malvertising campaign we documented in August that affected Yahoo.com, MSN.com and several other top sites is still ongoing. This time around it is striking on adult portals, including top domain xHamster.com which has close to half a billion monthly visits.
What allows us to differentiate it from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL).
We have observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM’s Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code.
The malicious advert – served by TrafficHaus – was for a dating application called ‘Sex Messenger’ and was displayed often enough that we were able to reliably reproduce the infection in our lab, something that isn’t always feasible when it comes to malvertising.
Several checks are embedded within the ad to verify that the user is genuine and is running Internet Explorer. We notice the use of the XMLDOM vulnerability (CVE-2013-7331) to fingerprint the victim’s system for particular security software, virtualization (Virtual Machines) and the Fiddler web debugger.
These efforts ensure that only real users will get to see the exploit kit landing page therefore excluding honeypots and security researchers alike. It’s noteworthy that those checks – which used to be done at the exploit kit landing page level – are done at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic.
Fortunately, TrafficHaus was quick to stop this malicious campaign. Malwarebytes Anti-Exploit users were already protected against this threat and never saw its payload (ransomware and more).
Update:
A couple of days after reporting the initial attack, we spotted another malvertising incident that this time distributes browser-based ransomware (browlock), also from xHamster.
This latest example is a reminder that malvertising does not always equate to malware infections via exploit kits. In fact, a very large portion of malvertising attacks push fraudulent pages (FBI browserlock ransomware, tech support scams, fake surveys, etc) because they can affect all platforms, and especially mobile users.
Those sites are typically harmless but display alarming messages and annoying pop ups preventing users from closing their browser easily. The rest is all about social engineering and “Psychological Warfare” which I discussed recently in a webinar with fellow Malwarenaut Adam Kujawa.
We notified TrafficHaus immediately upon discovery.
COMMENTS
Pingback: xHamster adult site infects computers through malicious Sex Messenger ad()
Pingback: onlineviralnews | **** sites hit by advert malware()
Pingback: Viral News Hub | **** sites hit by advert malware()
Pingback: **** sites hit by advert malware | Bonjr.com()
Pingback: **** sites hit by advert malware | To Day Updates()
Pingback: news plaza | **** sites hit by advert malware()
Pingback: **** sites hit by advert malware | News Reporter9()
Pingback: **** sites targetted by malware hidden in adverts()
Pingback: **** sites hit by advert malware | Lingnan()
Pingback: **** sites hit by advert malware | BiznessWeb.net()
Pingback: **** sites hit by advert malware | NEWS()
Pingback: **** sites hit by advert malware | IT Aid Centre()
Pingback: **** sites hit by advert malware | The H2O Standard()
Pingback: **** sites hit by advert malware | Quadrangle.lk()
Pingback: Pornosite xHamster verspreidde weer malware | Nieuwsoverzicht()
Pingback: **** sites hit by advert malware | World News Pulse()
Pingback: XpressVids.Info | **** sites hit by advert malware()
Pingback: **** sites hit by advert malware | Naija Upgrade()
Pingback: **** sites hit by advert malware | Horizon Post()
Pingback: **** sites hit by advert malware | Entire News Link()
Pingback: **** sites hit by malware hidden in adverts | Kulan InfoSecurity – Blog()
Pingback: Newsletter Sécurité informatique semaine 39 - Adacis()
Pingback: **** sites hit by advert malware | usefullink.info()
Pingback: **** sites hit by malware hidden in adverts - Sokolako()
Pingback: Malvertising Campaign Targeting On Top Adult Websites | LINUXRESOURCES()
Pingback: **** sites hit by advert malware | Technology News: breaking news and analysis on computing, the web, blogs, games, gadgets, social media, broadband and more.Technology News: breaking news and analysis on computing, the web, blogs, games, gadgets, social()
Pingback: **** sites hit by advert malware | CSR PRODUCTIONS Entertainment Group, Inc.()
Pingback: **** sites hit by advert malware | News Luck()
Pingback: **** sites hit by advert malware | VanStarVideos()
Pingback: **** sites hit by advert malware | Viral Panda()
Pingback: **** sites hit by advert malware | Viral World news()
Pingback: **** sites hit by advert malware | The World News Online()
Pingback: **** sites hit by advert malware | Jordan Duran()
Pingback: **** sites hit by advert malware | Global News Wire 24()
Pingback: **** sites hit by advert malware | 4DailyNews.com()
Pingback: Más malware para el *****: esta vez afecta a las webs - Mundop2p()
Pingback: Más malware para el *****: esta vez afecta a las webs()
Pingback: **** sites hit by malware hidden in adverts |()
Pingback: **** sites hit by advert malware | Check Us Out Magazine by The Goss BOSS - Check Us OUT! ((CUON NETWORK)) ADD Your Site/Biz to CheckUsOut.com.au, ((CUON)) CHECK US OUT NETWORK. http://checkusout.com.au()
Pingback: **** sites hit by malware hidden in adverts - News()
Pingback: ste williams – Tits and ads: Malware-riddled banners stiff X-rated websites()
Pingback: **** sites hit by advert malware | Supreme World News()
Pingback: **** sites hit by advert malware | Excel World News()
Pingback: **** sites hit by malware hidden in adverts | www.afridigi.com()
Pingback: Tits and ads: Malware-riddled banners stiff X-rated websites | TechDiem.com()
Pingback: **** sites hit by advert malware - CompuGeek - Computer Repairs & Laptop Repairs In Clacton On Sea Essex()
Pingback: xHamster Adult Site Hit by Massive Malvertising Campaign - ScalableDedi()
Pingback: **** sites hit by advert malware | NewsKet()
Pingback: **** sites hit by advert malware | Revealed Tech - Latest Technology News Portal()
Pingback: **** Sites Hit By Malware Hidden In Adverts | Trending News()
Pingback: **** Sites Hit By Malware Hidden In Adverts | NaijaGhana()
Pingback: **** Sites Hit By Malware Hidden In Adverts | Ghana Media World()
Pingback: **** sites hit by advert malware | News ON()
Pingback: xHamster adult site infects computers through malicious Sex Messenger ad | The Linux Lab()
Pingback: **** sites hit by malware hidden in adverts | News Views Nepal()
Pingback: auction websites like ebay bidders - seo tricks()
Pingback: Increase Traffic To Your Website Using Web 2.0 | Blog AGC()
Pingback: **** Sites Are Being Attacked by Virus Hidden in Adverts - Barcity TV()
Pingback: **** Sites Are Being Attacked by Virus Hidden in Adverts()
Pingback: Pornhub, YouPorn Latest Victims of Adult Malvertising Campaign | Malwarebytes Unpacked()
Pingback: Más malware para el *****: esta vez afecta a las webs - Blog de Technow()
Pingback: **** sites hit by advert malware – BreakNews()
Pingback: **** sites hit by malware hidden in adverts – BBC News | TheOpsimath()
Pingback: El ***** no se libra: PornHub y YouPorn sufren un ataque de inserción de banners maliciosos - Mundop2p()
Pingback: **** sites hit by malware hidden in adverts – BBC NewsUK DAILY NEWS | UK DAILY NEWS()
Pingback: Your online **** history with your name leaked online()