Popular websites cannot afford to host malicious software, but they still have to make money, so they run ads. That is why attackers have recently started using an interesting attack vector: infecting advertising campaigns. This is how links to infected browser updates ended up on PornHub. The KovCoreG group is responsible for this attack, and it spreads the Kovter worm.

The problem arises when a site's content does not comply with the AdWords guidelines. Google has strict rules not only against ads that contain sexual content, but also against running any ad campaign on pages with such content. Sites like PornHub therefore use other advertising networks that do not impose such restrictions. Recently, one such advertising campaign was used to distribute a cryptocurrency-mining script. Now we are dealing with malware that uses social engineering to persuade users to install a command-and-control virus that hands cybercriminals control over the infected computer.

Kovter Chrome

Malware on the PornHub website was spread by the Traffic Junky advertising campaign.

The attack method is fairly primitive because it does not exploit any browser vulnerabilities. The attackers simply use ads that, when clicked, display a window urging the user to install a critical update for their web browser. Internet Explorer and Microsoft Edge users are instead urged to install a new version of the Adobe Flash plugin. It is an interesting piece of social engineering, because a user looking for adult content will be willing to install an update in order to view it.

Kovter Firefox

An observant user should also notice that the update file has a suspicious name and is downloaded from a domain not affiliated with the browser's vendor, so people who do not click on everything they are offered should not be infected. The scale of the attack is huge: according to the Alexa ranking, PornHub is the 38th most popular website in the world. However, the efficacy of this attack may be negligible, as relatively primitive methods have been used.

Kovter IE Edge
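As an added example (not code from this article or from the Kaspersky/Proofpoint reports), a small Python check over constructed proxy download-log lines that flags the two indicators described above: an executable named like a browser or Flash update, served from a domain the browser vendor does not own. The vendor-domain table, the log format and every hostname are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains that may legitimately serve each product's
# installer. Illustrative only; a real deployment would curate its own list.
VENDOR_DOMAINS = {
    "chrome": {"google.com", "gstatic.com"},
    "firefox": {"mozilla.org", "mozilla.net"},
    "msie": {"microsoft.com", "windowsupdate.com"},
    "edge": {"microsoft.com", "windowsupdate.com"},
    "flash": {"adobe.com", "macromedia.com"},
}
LURE_NAME = re.compile(r"update|upgrade|install|flash|player", re.I)
EXECUTABLE = re.compile(r"\.(exe|msi|js|hta|vbs|scr)$", re.I)

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the constructed hosts."""
    return ".".join(host.lower().split(".")[-2:])

def is_fake_update(browser: str, url: str) -> bool:
    """Flag an executable named like a browser/Flash update that is served
    from outside the vendor's domains, the tell-tale the article points to.
    The IE/Edge lure posed as Flash, so Flash vendors count for every browser."""
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if not (EXECUTABLE.search(filename) and LURE_NAME.search(filename)):
        return False
    allowed = VENDOR_DOMAINS.get(browser, set()) | VENDOR_DOMAINS["flash"]
    return registered_domain(parts.hostname or "") not in allowed

def scan_log(log_text: str) -> list:
    """Return the URLs flagged from constructed '<browser> <url>' log lines."""
    flagged = []
    for line in log_text.splitlines():
        if line.strip():
            browser, url = line.split(maxsplit=1)
            if is_fake_update(browser, url):
                flagged.append(url)
    return flagged

# Constructed sample of a web-proxy download log (hosts under .invalid are
# placeholders, not real infrastructure).
SAMPLE_LOG = """\
firefox https://download.mozilla.org/firefox/Firefox%20Installer.exe
firefox https://cdn.adserver.invalid/firefox-critical-update.exe
msie    https://cdn.adserver.invalid/flashplayer_update.exe
chrome  https://www.example.com/quarterly-report.pdf
"""
FLAGGED = scan_log(SAMPLE_LOG)  # the two lure downloads, not the vendor installer or the PDF
```

The domain check is a naive last-two-labels comparison; a production version would use a public-suffix list and the proxy's real log schema.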

Source: Kaspersky, Proofpoint
