RedTube, a pornographic site that boasts over 300 million visits a month, has become the second major adult site to be hit with a massive malware-serving campaign.
Unlike the recent xHamster porn-malware situation, the attack on site visitors doesn’t come from a malicious advertisement being loaded on the webpage. Instead, the source code of RedTube’s main page was modified to include a hidden piece of redirection code. That in turn leads to the Angler Exploit Kit.
“The code is executed inside of an iFrame, which is basically like a browser window inside of your browser window that can point to any website the attacker wants,” explained researchers at Malwarebytes, in an analysis. “In this case the iFrame is set to be completely invisible to the user.”
The presence of the iFrame in the main-page source code suggests that RedTube’s servers were likely hacked by malicious actors who already had access to the main-page source code. They simply added the malicious code and then set it loose on RedTube users.
The Angler Exploit Kit, meanwhile, is perhaps best known for being used in zero-day attacks against applications like Flash and Silverlight. In this instance, it uses the more recently discovered Flash exploit CVE-2015-0313 and, once it has exploited the user’s browser, attempts to drop malware belonging to the Kazy Trojan family.
“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” the researchers noted.
RedTube has confirmed the incident and said they addressed the hack. Nonetheless, looking into anti-exploit, malicious webpage blocking and advertisement blocking solutions is in the best interest of all users.
“Exploit infections, either through drive-by methods, malvertisements or malicious iFrame injections have been a problem for users and organizations alike for years and rather than it slowing down, new discoveries in attack technology have only increased the amount of attacks happening every month,” said the researchers.