xHamster Adult Site Hit by Massive Malvertising Campaign

Status
Not open for further replies.

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Users are being redirected to the Angler Exploit Kit
A malvertising campaign that's been seen raging on the Internet since August is now affecting visitors of xHamster, a top free adult video portal.

The campaign has been coming and going out of the limelight, affecting not only smaller sites but also big industry names like Yahoo, MSN, eBay, eHow, Answers.com, and Wowhead, the biggest World of Warcraft online database.

All malvertisements served through this campaign seem to follow the same pattern, infecting users with the help of an exploit kit, after previously passing their connection through a series of encrypted browser redirections, with most of the malicious code hosted on free cloud hosting accounts.

The campaign hosts code on IBM's Bluemix cloud
According to Malwarebytes, the security company that's been tracking and reporting on the campaign since its beginning, this time around, the malvertising campaign seems to be using IBM's Bluemix cloud hosting system, which offers HTTPS support to all users on their free plan.

This allows attackers to disguise their traffic and work without being easily detected by firewalls and online threat detection systems.

The most recent campaign that is affecting xHamster's users is being spread by an ad for the Sex Messenger dating app, served by online advertising company TrafficHaus.

As Malwarebytes explains, the malicious ad redirects users via an IBM Bluemix account to a landing page serving the Angler Exploit Kit, where the user is infected with malware. In some instances, the browlock (browser) ransomware has also been served.

Attackers are using an IE vulnerability to detect traffic coming from real users
Unlike its previous iterations, the malvertising campaign now includes pre-Angler checks, executed during one of the redirection stages, when the attackers check for the presence of Internet Explorer.

Attackers are particularly checking for the XMLDOM vulnerability in IE (CVE-2013-7331), which allows them to detect if the user's computer is running a virtual machine or malware reverse engineering tools.

This allows them to distinguish from security sandbox and honeypot environments and only redirect users to the final Angler page if the checks deem the traffic as coming from a real person.

Malwarebytes reported the campaign to TrafficHaus, which has taken the necessary steps to have the malicious ad taken down.
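
The chain described in the article (ad network, then an HTTPS redirector on free cloud hosting, then an unfamiliar landing host) can be hunted using connection metadata alone, since the HTTPS hops hide URLs and Referer headers. The sketch below is an added example, not part of the original post or of Malwarebytes' tooling; the suffix lists, the known-host baseline, the time window and all hostnames are constructed placeholders.

```python
from datetime import datetime, timedelta

# Assumed placeholder suffixes and baseline; none of these come from the article.
AD_NETWORK_SUFFIXES = ("adnetwork.example",)
FREE_CLOUD_SUFFIXES = ("freecloud.example",)
KNOWN_HOSTS = {"videos.example", "shop.example", "docs.example"}
WINDOW = timedelta(seconds=10)  # maximum gap between two hops of one chain

# Constructed sample: timestamp, client IP, TLS SNI host. No URL or Referer,
# because the redirector traffic is HTTPS and only metadata is visible.
SAMPLE_LOG = """\
2020-01-01T10:00:00 10.0.0.5 videos.example
2020-01-01T10:00:01 10.0.0.5 cdn.adnetwork.example
2020-01-01T10:00:02 10.0.0.5 app-1234.freecloud.example
2020-01-01T10:00:03 10.0.0.5 landing.unknown.example
2020-01-01T10:05:00 10.0.0.7 cdn.adnetwork.example
2020-01-01T10:05:01 10.0.0.7 shop.example
2020-01-01T10:09:00 10.0.0.9 app-9.freecloud.example
2020-01-01T10:09:01 10.0.0.9 docs.example
"""

def matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, client, host = line.split()
            yield datetime.fromisoformat(ts), client, host.lower()

def find_chains(log):
    """Flag ad-network -> free-cloud redirector(s) -> unknown host, per client."""
    pending, alerts = {}, []   # pending: client -> [(ts, host), ...]
    for ts, client, host in sorted(parse(log)):
        chain = pending.get(client, [])
        if chain and ts - chain[-1][0] > WINDOW:
            chain = []                        # previous hop is too old
        if matches(host, AD_NETWORK_SUFFIXES):
            chain = [(ts, host)]              # a chain starts at an ad request
        elif matches(host, FREE_CLOUD_SUFFIXES):
            if chain:                         # only counts after an ad hop
                chain = chain + [(ts, host)]
        elif len(chain) >= 2 and host not in KNOWN_HOSTS:
            alerts.append((client, [h for _, h in chain] + [host]))
            chain = []
        pending[client] = chain
    return alerts

if __name__ == "__main__":
    for client, hops in find_chains(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

Hits are leads for triage rather than verdicts: legitimate ads also use cloud-hosted services, so the baseline of known hosts and the window need tuning per environment.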
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,230
Ads may be tempting, but they come with dire consequence(s); that is, your PC won't feel well after visiting similar sites.
 

Deleted member 178

Deserve infection.

That is the most idiotic and childish thing I heard today...

So you don't like porn, but it is not because you don't like something that others deserve punishments if they like it.

We are here to help people be safe in every corner of the Internet, whatever sites they visit.
 

Exterminator

This is a news article about an exploit and security. It really does not require moral interjection or some of the suggestive replies that have been edited or deleted.
 

Mr. Tech

Even at that, this was a waste of time put into an article. All adult sites have this and most have very intrusive ads that can lock up the computer, so am I missing something or are people just entering the world of technology *again*?
 

Deleted member 178

The site doesn't matter in this article; it could be any site in the world. It is just the way the exploit uses ads and the cloud to host its payload that is interesting.
 

Malware Man

Level 9
Verified
Well-known
Feb 2, 2013
440
The site is irrelevant because it could have easily been Facebook, Yahoo, or any other site that serves you ads that could have been affected. This article is just trying to educate you that these kinds of exploits in ads are out there. Who cares if you visit these adult sites or not (although you have a higher risk of getting an infection from them).
 

Deleted member 178

In fact, porn sites themselves are not the best infection vectors (because many people know it may be dangerous, and you install nothing specifically, you just watch a streamed video); ads linked to those sites, however, are dangerous, especially those that redirect to sex-oriented copycats of Facebook or adult meeting apps.

On top of that, you will be surprised that the most infected sites are wallpaper sites because:

- they look innocent (who will imagine exploits/malware on them?)
- you have to download the wallpaper (who will imagine that the cute flower wallpaper is a packed malware?)
- you have to click the wallpaper to install it (so execute the malware).

Of course exploits are present, but rarely on the page itself.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I'm not sure for this site, but in the latest malvertising campaigns you just needed to open the page to get the infection process started! :mad:
This happened on yahoo.com as on other famous pages (msn.com and online news sites). :eek:

As stated on
Large Malvertising Campaign Takes on Yahoo!

"Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain."

Anti-exploits/excellent AV are really useful these days! :) :D
 