Porn site xHamster is being targeted by large-scale malware attacks. The hackers behind the malicious campaign are loading exploit kits onto victims’ PCs in order to infect them with a set of malware.
According to the data of Alexa.com, this adult site is very popular and is ranked at No. 35. SimilarWeb provides information that the site has an estimated 514 million visitors per month. xHamster is a huge target and can reach millions of users worldwide mostly in the United States, Asia, and European countries. So it’s no surprise that this attack is the second so far in 2017.
This malvertising campaign abuses the ad network TrafficHaus and Google’s URL shortener service. The attack begins with a booby-trapped ad inserted on the site. Once clicked, the malicious code behind the ad forwards potential victims to a Google shortened URL. This shortlink redirects users to the Angler Exploit Kit, which exploits a memory corruption bug in Internet Explorer.
Malwarebytes has published a detailed analysis of the attacks. Jerome Segura, a security researcher at the firm, writes:
The redirection chain used by the criminals was quite effective in that it only strikes one time per IP address and cleverly hides within an innocuous piece of code. Simply going on xHamster’s website could infect a PC if the browser or one of its plugins was not up-to-date.
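The redirect chain described above, ad network to Google shortlink to landing page, is the kind of pattern a defender can reconstruct from web-proxy logs. The script below is an added example, not code from the article or from Malwarebytes: it parses constructed log lines, ties each shortener request to the landing request that follows it for the same client, flags landings that are not known advertiser hosts, and shows when one shortlink resolves to different hosts for different clients. The log layout, the ad-network and landing allowlists, and every hostname except goo.gl are assumptions.

```python
"""Reconstruct per-client redirect chains from web-proxy log lines and flag the
ad network -> URL shortener -> unexpected landing page pattern.
Example code written for this article; the log format, hostnames and the
AD_NETWORK_HOSTS / KNOWN_LANDING_HOSTS lists are constructed assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed proxy log layout: timestamp client_ip method url referer status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<referer>\S+) (?P<status>\d{3})$"
)

SHORTENER_HOSTS = {"goo.gl"}                        # Google's URL shortener, as named in the article
AD_NETWORK_HOSTS = {"ads.adnetwork.example"}        # constructed: the tenant's known ad networks
KNOWN_LANDING_HOSTS = {"promo.advertiser.example"}  # constructed: landing hosts seen in legitimate campaigns

# Constructed sample: two clients click the same ad; the shortlink sends the
# first to an unknown host and the second to a known advertiser.
SAMPLE_LOG = """\
2017-01-15T10:00:01Z 10.0.0.5 GET http://ads.adnetwork.example/serve?id=77 http://www.video-site.example/ 200
2017-01-15T10:00:02Z 10.0.0.5 GET https://goo.gl/abc123 http://ads.adnetwork.example/serve?id=77 302
2017-01-15T10:00:03Z 10.0.0.5 GET http://landing.unknown-host.example/index.php?q=1 https://goo.gl/abc123 200
2017-01-15T10:05:00Z 10.0.0.9 GET http://ads.adnetwork.example/serve?id=78 http://www.video-site.example/ 200
2017-01-15T10:05:01Z 10.0.0.9 GET https://goo.gl/abc123 http://ads.adnetwork.example/serve?id=78 302
2017-01-15T10:05:02Z 10.0.0.9 GET https://promo.advertiser.example/offer https://goo.gl/abc123 200
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def find_shortlink_chains(events):
    """Return (client_ip, shortlink, landing_url) triples where an ad-network
    referer led a client to a URL shortener, and that shortener then appears
    as the referer of a later request from the same client."""
    pending = set()  # (ip, shortlink) pairs waiting for their landing request
    chains = []
    for e in events:
        h, rh = host_of(e["url"]), host_of(e["referer"])
        if h in SHORTENER_HOSTS and rh in AD_NETWORK_HOSTS:
            pending.add((e["ip"], e["url"]))
        elif rh in SHORTENER_HOSTS and (e["ip"], e["referer"]) in pending:
            pending.discard((e["ip"], e["referer"]))
            chains.append((e["ip"], e["referer"], e["url"]))
    return chains


def triage(chains):
    """Split chains into suspicious ones (landing host not on the known list)
    and a per-shortlink map of landing hosts, which exposes a shortlink that
    resolves differently for different clients."""
    suspicious = [c for c in chains if host_of(c[2]) not in KNOWN_LANDING_HOSTS]
    landings = defaultdict(set)
    for _ip, short, landing in chains:
        landings[short].add(host_of(landing))
    return suspicious, {k: sorted(v) for k, v in landings.items()}


if __name__ == "__main__":
    chains = find_shortlink_chains(parse_log(SAMPLE_LOG))
    suspicious, landings = triage(chains)
    for ip, short, landing in suspicious:
        print(f"SUSPICIOUS client={ip} shortlink={short} landing={landing}")
    for short, hosts in landings.items():
        if len(hosts) > 1:
            print(f"ROTATING shortlink={short} landing_hosts={hosts}")
```

Because the campaign fires only once per IP address, a single client's logs rarely show the malicious landing more than once; correlating the same shortlink across many clients, as `triage` does, is what makes the rotation visible.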
Bedep is the initial payload and is part of an ad fraud scheme. According to the researcher, within just one minute the infected device is flooded with traffic to a range of advertising networks in order to generate fraudulent ad revenue. In addition, the payload quietly loads the Magnitude exploit kit.
This means that victims already compromised by Angler EK could, in turn, be served another exploit kit and additional malware payloads. “This is probably a case where multiple criminal ‘customers’ want to have a piece of the infected PC and have to share it. But after all, the same computer can be monetized simultaneously by various actors: some ad fraud, some spam and maybe a banking Trojan.”
TrafficHaus was notified of the attacks by Malwarebytes. Once informed, the site turned off ads to reduce the number of potential victims. Google also blacklisted the malicious shortlinks.
Finally, the researcher noted: “It should be noted that cyber crooks are constantly rotating through new shortened links, making this a cat and mouse game, where the mouse tends to always win.”