Malwarebytes identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google’s URL shortener service.
This incident reminds us of a similar one that happened at the end of January also involving the same ad network.
Simply going on xHamster’s website could infect a PC if the browser or one of its plugins was not up to date. We notified TrafficHaus, which responded immediately to shut down the malicious ad, helping to limit the number of victims.
The redirection chain used by the criminals was quite effective in that it only strikes one time per IP address and cleverly hides itself within an innocuous piece of code.
Booby-trapped advert
As we often see, the malvertising was embedded alongside an advert displayed on xHamster’s website, in this case the one displayed on the bottom right corner.
The screenshot below shows the source code behind the advert with the legitimate ad code (in blue) and the malicious code (in red) that was inserted by rogue actors.
The malicious script builds a goo.gl URL (which is Google’s URL shortener) that is then used to forward the victims to the Angler Exploit Kit.
Although Google did eventually blacklist the URL, it should be noted that cyber crooks are constantly rotating through new shortened links, making this a cat and mouse game, where the mouse tends to always win.
Read more: https://blog.malwarebytes.org/malvertising-2/2015/04/malvertising-strikes-adult-site-xhamster-again/
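An added example, not part of the Malwarebytes write-up or of this post: since the shortened links rotate faster than they get blacklisted, a defender can flag any ad-slot script that ends up holding a shortener URL instead of chasing individual links. The markup below is constructed (it is not the script from the incident), and the function names and the watch list entries other than goo.gl are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed watch list; goo.gl is the shortener named in the article.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}

SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
ASSIGN = re.compile(r"(?:var\s+)?(\w+)\s*=\s*([^;\n]+);")
TERM = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\w+)')

def fold(expr, env):
    """Resolve a '+' chain of string literals and known variables, else None."""
    parts = []
    for term in expr.split("+"):
        m = TERM.fullmatch(term.strip())
        if m is None:
            return None
        lit1, lit2, name = m.groups()
        if name is not None:
            if name not in env:
                return None
            parts.append(env[name])
        else:
            parts.append(lit1 if lit1 is not None else lit2)
    return "".join(parts)

def scan_ad_markup(markup):
    """Return shortener URLs that inline scripts in an ad slot put together."""
    findings = []
    for body in SCRIPT.findall(markup):
        env = {}
        for name, expr in ASSIGN.findall(body):
            value = fold(expr, env)
            if value is None:
                continue
            env[name] = value
            host = urlparse(value if "//" in value else "//" + value).hostname
            if host in SHORTENERS:
                # "assembled" means the full URL never appears verbatim in the markup
                findings.append({"url": value, "assembled": value not in markup})
    return findings

# Constructed sample: a benign ad link next to a script that pieces a link together.
SAMPLE = """<a href="https://ads.example/click?id=1"><img src="banner.png"></a>
<script>
var p = "//go";
var q = "o.gl/";
var u = "http:" + p + q + "CONSTRUCTED";
</script>"""
```

A finding with `assembled` set to true is the more interesting one for review: the shortener host never appears as a plain string, so a simple text search of the ad code would miss it.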