Pornhub hacked: Millions exposed to ad fraud malware masquerading as browser updates

The ad fraud malware takes control of systems, raises money by generating clicks on fake advertisements, and sends device data to C&C servers.
Millions of people who visited Pornhub in the United States, the UK, Canada, and Australia in the past year were exposed to ad fraud malware which hackers had injected into the site by placing fake browser update adverts.

Users of Google Chrome, Firefox and Microsoft Edge were equally exposed to the ad fraud malware, which has been used as sophisticated click-fraud software for years.

According to security firm Proofpoint, which uncovered the operation, a hacker group known as KovCoreG hacked into Pornhub's advertising and posted fake browser update adverts to induce visitors to click on them. While Chrome and Firefox users were asked to click on such links to update their browsers with the latest fixes, Microsoft Edge users were offered an update to the Adobe Flash Player.

Once a visitor clicks on such a link, he or she is asked to open a downloaded file containing a zipped file named runme.js, firefox-patch.js or FlashPlayer.hta, depending on the browser being used.

Once visitors download and run these files, they fetch payloads containing PowerShell scripts with embedded shellcode. The shellcode launches 'avi' files which are, in fact, the Kovter ad fraud malware, which then takes control of the device and generates clicks on fraudulent advertisements.
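As an added illustration of how a defender might look for the chain described above (this is example code written for this page, not the article's or Proofpoint's), the following Python flags a Windows script host (wscript.exe, cscript.exe or mshta.exe) that was started on a .js or .hta file and then spawned PowerShell. The log line format and the process events are constructed for the example; the file names come from the article.

```python
"""Detection example: flag the "downloaded .js/.hta run by the user, which then
launches PowerShell" chain described in the article.

The process-creation log format and all events below are constructed for
illustration; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows script hosts that execute .js / .hta files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Matches a .js or .hta path on a command line (runme.js, firefox-patch.js,
# FlashPlayer.hta in the article).
SCRIPT_PATH_RE = re.compile(r"\S+\.(?:js|hta)(?=\s|$)", re.IGNORECASE)

# Constructed one-line-per-process format: pid, parent pid, image name, command line.
LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmd="(.*)"$')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # basename of the executable, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed process-creation log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return ProcEvent(int(m[1]), int(m[2]), m[3].lower(), m[4])


def script_path(cmdline: str) -> Optional[str]:
    """Return the .js/.hta path a script host was started on, if any."""
    m = SCRIPT_PATH_RE.search(cmdline)
    return m.group(0) if m else None


def find_suspicious_chains(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (script file, powershell pid) for every PowerShell process whose
    parent is a script host that was running a .js or .hta file.

    A script host running something else (e.g. a logon .vbs) is not flagged,
    nor is PowerShell started from any other parent, which keeps the rule
    narrow enough to avoid paging on routine administration.
    """
    events = [parse_line(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        if e.image != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in SCRIPT_HOSTS:
            continue
        script = script_path(parent.cmdline)
        if script is None:
            continue
        hits.append((script, e.pid))
    return hits


# Constructed sample events: two lure-style chains, one benign logon script,
# one interactive PowerShell started from the desktop.
SAMPLE_LOG = [
    r'pid=1000 ppid=4 image=explorer.exe cmd="C:\Windows\explorer.exe"',
    r'pid=1300 ppid=1000 image=wscript.exe cmd="wscript.exe C:\Users\alice\Downloads\runme.js"',
    r'pid=1310 ppid=1300 image=powershell.exe cmd="powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage.ps1"',
    r'pid=1400 ppid=1000 image=mshta.exe cmd="mshta.exe C:\Users\alice\Downloads\FlashPlayer.hta"',
    r'pid=1410 ppid=1400 image=powershell.exe cmd="powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"',
    r'pid=1500 ppid=1000 image=wscript.exe cmd="wscript.exe \\corp\netlogon\logon.vbs"',
    r'pid=1510 ppid=1500 image=cmd.exe cmd="cmd.exe /c net use"',
    r'pid=1600 ppid=1000 image=powershell.exe cmd="powershell.exe Get-Process"',
]

if __name__ == "__main__":
    for script, pid in find_suspicious_chains(SAMPLE_LOG):
        print(f"ALERT: {script} spawned powershell.exe (pid {pid})")
```

In a real deployment the same parent/child test would be applied to Sysmon or EDR process-creation events rather than the constructed lines above; the point is the pairing of a user-launched script file with a PowerShell child, which is exactly the hand-off the article describes between the fake update and the payload stage.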

'This attack chain exposed millions of potential victims in the US, Canada, the UK, and Australia, leveraging slight variations on a fake browser update scheme that worked on all three major Windows web browsers,' said researchers at Proofpoint.

'The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity,' they added.

According to the researchers, the operation is a classic example of how hackers use social engineering and the human factor to get malware onto devices. The malware is cleverly disguised as a genuine browser update or other software, which helps the hackers fool unsuspecting visitors.

'While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale,' they added.
