The Web is in the grip of a very large malvertising campaign affecting dozens of top adult sites, with over 250 million monthly visits combined.
Malwarebytes Labs has discovered that, fittingly, the bad ads are for sexual enhancement drugs, and that the ad network being abused by attackers is AdXpansion.
As soon as the malicious ad displays in someone's browser, it immediately and automatically attempts to exploit the user through Adobe Flash Player (all versions up to 17.0.0.134, which was released two months ago), with no clicking required. Once infected with malware (the type varies based on geolocation and other victim traits), victims can have their information stolen, their files encrypted and held for ransom, and more.
The malware payload may vary but could result in multiple different malicious binaries dropped via a Neutrino-like EK, the firm said.
“It is interesting to see the trend of exploit kits taking the appearance of advertisers by leveraging Flash for serving the ‘creative’ and exploit in one single package,” said Malwarebytes researcher Jerome Segura, in a blog. “It is a minimalist type of approach which seems to work quite efficiently.”
The news comes just days after adult site xHamster was found to once again be the target of a large-scale malvertising campaign, one in which, interestingly, cyber-criminals are loading different exploit kits onto the same victim PCs to deploy a range of malware.
This particular campaign abuses ad provider TrafficHaus and Google's URL shortener service. It starts with a booby-trapped advertisement embedded on the website. Rogue actors inject malicious source code behind the advertisement; that code redirects users to a Google shortlink, which in turn forwards the victims to the Angler Exploit Kit, which targets a known (and patched) memory corruption vulnerability in Internet Explorer.
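The redirect chain described above (site, then ad-network frame, then URL shortener, then exploit-kit landing page) is visible in ordinary web-proxy logs if the referrer of each request is kept. The following script is an added example, not code from the article, Malwarebytes or any of the companies named: it walks the referrer chain of each request backwards and flags the pattern ad network, then shortener, then a third-party host, and additionally notes when the landing object is a Flash file, which covers both the Flash-delivered and the Angler-style campaigns the article describes. The hostnames, the shortener list, the ad-network list and the log lines are all constructed placeholders.

```python
"""
Added example: detect an ad-network -> URL-shortener -> third-party-host referrer
chain in proxy logs. All hosts, paths and log lines below are invented.
"""
from urllib.parse import urlparse

# Assumed, illustrative lists. A real deployment would use the organisation's own
# inventory of ad networks and a maintained list of shortener domains.
AD_NETWORKS = {"ads.example-adnetwork.test"}
SHORTENERS = {"goo.gl", "bit.ly"}
FLASH_TYPES = {"application/x-shockwave-flash"}

# Constructed log lines: client|timestamp|url|referrer|content-type ("-" = no referrer).
SAMPLE_LOG = """\
10.0.0.5|2015-06-01T10:00:01|http://www.adult-site.test/index.html|-|text/html
10.0.0.5|2015-06-01T10:00:02|http://ads.example-adnetwork.test/frame?id=1|http://www.adult-site.test/index.html|text/html
10.0.0.5|2015-06-01T10:00:03|http://goo.gl/PLACEHOLDER|http://ads.example-adnetwork.test/frame?id=1|text/html
10.0.0.5|2015-06-01T10:00:04|http://landing.unknown-host.test/x.swf|http://goo.gl/PLACEHOLDER|application/x-shockwave-flash
10.0.0.9|2015-06-01T10:05:00|http://www.news-site.test/|-|text/html
10.0.0.9|2015-06-01T10:05:01|http://goo.gl/OTHER|http://www.news-site.test/|text/html
10.0.0.9|2015-06-01T10:05:02|http://www.news-site.test/article.html|http://goo.gl/OTHER|text/html
"""


def parse_log(text):
    """Turn the pipe-separated sample format into a list of request dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, url, referrer, ctype = line.split("|")
        rows.append({"client": client, "ts": ts, "url": url,
                     "referrer": None if referrer == "-" else referrer,
                     "ctype": ctype})
    return rows


def host(url):
    return urlparse(url).hostname or ""


def referrer_chain(rows_by_key, row, max_hops=5):
    """Return the chain of URLs that led to `row`, oldest first, by following referrers."""
    chain = [row["url"]]
    ref = row["referrer"]
    for _ in range(max_hops):
        if ref is None:
            break
        chain.append(ref)
        ref = rows_by_key.get((row["client"], ref))
    chain.reverse()
    return chain


def find_ad_shortener_chains(rows):
    """Flag requests whose immediate referrer is a shortener that was itself
    reached from an ad-network frame, and whose host is outside both lists."""
    rows_by_key = {(r["client"], r["url"]): r["referrer"] for r in rows}
    alerts = []
    for r in rows:
        ref = r["referrer"]
        if ref is None or host(ref) not in SHORTENERS:
            continue
        ref_of_ref = rows_by_key.get((r["client"], ref))
        if ref_of_ref is None or host(ref_of_ref) not in AD_NETWORKS:
            continue
        landing = host(r["url"])
        if landing in AD_NETWORKS or landing in SHORTENERS:
            continue
        alerts.append({
            "client": r["client"],
            "ts": r["ts"],
            "landing_host": landing,
            "flash_object": r["ctype"] in FLASH_TYPES,
            "chain": referrer_chain(rows_by_key, r),
        })
    return alerts


def alerts_for_sample():
    return find_ad_shortener_chains(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in alerts_for_sample():
        print(a["ts"], a["client"], "->", " -> ".join(host(u) for u in a["chain"]),
              "(Flash object)" if a["flash_object"] else "")
```

The second client in the sample also passes through a shortener, but its referrer is the news site itself rather than an ad-network frame, so it is not flagged; the rule keys on the ad frame immediately before the shortener, which is the part of the chain the article identifies as the injection point. The Flash content-type flag is reported rather than required, so an Angler landing page that serves HTML to Internet Explorer would still surface.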