Major Adult Website Gets Hacked, Malicious Iframe Leads to Angler EK

Status
Not open for further replies.

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Visitors landing on the main page of a popular adult website on Sunday, whose Flash browser plug-in had not been updated to the lasted version, ran the risk of having their computers compromised by malware delivered through Angler exploit kit (EK).

Just like in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but hacked the servers of the adult location and planted malicious code straight into the main page source code.
Exploit flung at visitors with outdated Flash Player versions
Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128 on the popularity scale provided by Alexa. The estimated number of visits is 300 million per month.

The malicious code inserted on the website produces an iframe that is invisible to the user, pointing to two domains where Angler browser-based attack tool is hosted.

According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.

Until the fix became available in Flash 16.0.0.305, the security bug had been leveraged in the wild through Hanjuan exploit kit.
RedTube confirms the attack
The researchers say that the end goal of the cybercriminals is installation of a malware family known as Kazy Trojan, which appears to be a variation of other malware families, downloader Ponik and Vundo Trojan.

“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes says on Wednesday.

It is not clear how the RedTube compromise occurred but the attack has a significant potential given the large number of visits the website enjoys on a monthly basis and the fact that users are slow at applying the latest patches for the browser plug-ins. Furthermore, infecting a vulnerable machine would occur without any sign of suspicious activity.

On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.
@ratkutti We were attacked Sun Feb 15 but quickly corrected the issue within hours. Can provide info for followup article @Malwarebytes
— RedTube Emma (@RedTube) February 18, 2015
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Adult websites will always be a breeding place of any malicious content, beginning from advertisement up to the hidden scripts already. ;)
 
  • Like
Reactions: FreddyFreeloader
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top