Adult Site Xhamster Hit by ‘Huge’ Malvertising Attack

Security experts are warning of a new malvertising attack on adult site xhamster which is serving up a recently discovered zero day exploit in Adobe Flash to infect users.

Malwarebytes said in a blog post that it had witnessed a 1500% increase in infections from the popular porn site over the past couple of days alone.

Unlike most drive-by-downloads of this sort, the attack doesn’t use an exploit kit but merely embeds a landing page and exploit in a rogue ad network, the security firm claimed.

The malicious ad can be found on traffichaus.com, launched from an iframe. It takes the user to a simplified landing page hosted by what Malwarebytes believes is a rogue ad network.

The Flash Player exploit in question, hosted on this ad network, has a detection rate of 0 out of 57 vendors on Virus Total.

In turn it downloads Bedep malware, which is known for loading ad fraud payloads or dropping additional malicious code onto a victim’s machine.

The Adobe Flash zero day was discovered last week by researcher Kafeine. However, at the time it was being distributed via the Angler exploit kit. It also dropped Bedep onto victim machines, with the same ad fraud payload.

“While malvertising on xhamster is nothing new, this particular campaign is extremely active,” wrote Malwarebytes. “Given that this adult site generates a lot of traffic, the number of infections is going to be huge.”

The xhamster site is thought to generate around 500 million visits each month.

A Malwarebytes spokesperson warned that IT security teams need to tweak their strategies to counter the growing volume of advanced malware, which has outpaced traditional signature-based AV.

'With more and more threats being delivered via exploits, typically served through malvertising, people need to consider a security approach which specifically counteracts this,” they told Infosecurity by email. 

“This means using a purpose built anti-exploit technology which kills the infection attempt higher up the attack chain, before the malware is even in play. This negates the threat of undetectable payloads.”

What’s Hot on Infosecurity Magazine?