Security researchers have worked with key stakeholders to shut down a malvertising campaign that exposed millions of PornHub users to Kovter ad fraud malware for over a year.
Proofpoint detailed its analysis of the so-called KovCoreG group, well-known for spreading Kovter malware globally via such tactics.
Notably, the group had shifted its operations from exploit kits to advanced filtering and social engineering, apparently judging this a more reliable way of infecting users.
PornHub, together with its Traffic Junky advertising network, was chosen for its reach: according to Proofpoint it was the 38th most visited site in the world.
Filters were deployed so that the malicious ads were served only to visitors from specific geographies and ISPs; in this campaign, users in the UK, US, Australia and Canada were targeted. Further client-side fingerprinting checked the time zone, screen dimensions, language and history length of the current browser window.
Those served the malicious ads were redirected to a social engineering page displaying an urgent message to install a critical update; the exact lure depended on the victim's browser.
If they clicked through, their machine was infected with Kovter, a highly persistent malware family which in this case was used to commit ad fraud.
“Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals,” explained Proofpoint VP of operations, Kevin Epstein.
“We encourage consumers to run anti-malware security solutions to ensure systems are clear and organizations to update web gateways to detect related traffic.”
Interestingly, the malicious JavaScript files in question would not execute unless the victim machine had first passed the filtering phase of the attack, meaning researchers could not simply run them in a sandbox, which limited visibility.
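To make the filtering stage concrete, here is an added example, written for this edit and not taken from Proofpoint's analysis or from the campaign's own JavaScript, that reconstructs the shape of such a client-side gate and evaluates it against two constructed visitor profiles: one resembling a stock analysis sandbox and one resembling a real visitor in a targeted country. The signal list follows the article; the locale and time-zone allow-lists, the screen and history floors, and the `geoIspOk` field standing in for the server-side geography/ISP verdict are all assumptions chosen for illustration.

```javascript
// Added illustration, not code from Proofpoint or from the KovCoreG campaign:
// a simplified reconstruction of the kind of client-side pre-filter the
// article describes. The list of signals (geography/ISP, time zone, screen
// size, language, history length) comes from the article; every threshold,
// allow-list and field name below is an assumption chosen for illustration.

// Allow-list of browser locales (assumed): the article names the UK, US,
// Australia and Canada as the targeted countries.
const ALLOWED_LANGS = new Set(["en-GB", "en-US", "en-AU", "en-CA"]);

// Allow-list of Date.prototype.getTimezoneOffset() values in minutes
// (positive = west of UTC, so US Eastern is 300/240). Assumed, and
// deliberately incomplete; it covers the common zones of the four countries.
const ALLOWED_TZ_OFFSETS = new Set([
  0, -60,                       // UK (GMT / BST)
  180, 210, 240, 300, 360,      // Canada Atlantic/Newfoundland, Eastern, Central
  420, 480, 540, 600,           // Mountain, Pacific, Alaska, Hawaii
  -480, -570, -600, -630, -660, // Australia (AWST, ACST, AEST, ACDT, AEDT)
]);

// Signals collected in the browser. window/navigator are only touched here,
// so the decision logic below can be run offline against constructed profiles.
// The geo/ISP verdict is made server-side from the client IP in the campaign
// the article describes; `geoIspOk` stands in for that verdict (assumed name).
function collectProfile(win, geoIspOk) {
  return {
    language: win.navigator.language,
    timezoneOffset: new Date().getTimezoneOffset(),
    screenWidth: win.screen.width,
    screenHeight: win.screen.height,
    historyLength: win.history.length,
    geoIspOk: geoIspOk === true,
  };
}

// The gate itself: returns whether the visitor would be shown the next stage
// and which checks failed. A real campaign would return nothing useful on
// failure; the reasons are kept here because they are what an analyst wants.
function gateDecision(p) {
  const failed = [];
  if (!p.geoIspOk) failed.push("geo/isp");
  if (!ALLOWED_LANGS.has(p.language)) failed.push("language");
  if (!ALLOWED_TZ_OFFSETS.has(p.timezoneOffset)) failed.push("timezone");
  // Analysis VMs often run at small default resolutions (assumed floor).
  if (p.screenWidth < 1024 || p.screenHeight < 768) failed.push("screen");
  // A freshly launched automated browser has history.length === 1; a user who
  // navigated to the site from elsewhere usually has more (assumed floor).
  if (p.historyLength < 2) failed.push("history");
  return { pass: failed.length === 0, failed };
}

// Constructed profiles (not captured data) to show why a stock sandbox never
// reaches the payload stage while a real visitor in a targeted country does.
const SANDBOX_PROFILE = {
  language: "en-US",
  timezoneOffset: 0,      // VM left on UTC; happens to match the UK
  screenWidth: 800,
  screenHeight: 600,
  historyLength: 1,       // fresh automated browser session
  geoIspOk: false,        // hosting-provider IP, not a residential ISP
};

const REAL_USER_PROFILE = {
  language: "en-GB",
  timezoneOffset: -60,    // BST
  screenWidth: 1920,
  screenHeight: 1080,
  historyLength: 5,
  geoIspOk: true,
};

// Run stand-alone with: node gate.js
if (typeof require !== "undefined" && require.main === module) {
  console.log("sandbox  :", gateDecision(SANDBOX_PROFILE));
  console.log("real user:", gateDecision(REAL_USER_PROFILE));
}
```

The practical lesson for analysts is in the sandbox profile: it fails on three independent checks, and a gate like this simply serves a clean ad to anyone who fails, so a default sandbox run produces nothing to analyse. Reproducing the later stages requires either replaying the campaign's own filter logic with a profile that passes it, or instrumenting a browser on a residential-looking network with realistic locale, resolution and navigation history.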
Although ad fraud was the name of the game this time, the payload could easily have been changed to infect users with ransomware or information-stealers, Epstein added.
“We are pleased that following our notification, the site and advertising network abused in this particular attack worked swiftly to remove the infected content and keep visitors safe,” he concluded.
“This discovery underscores that threat actors follow the money and continue to perfect combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.”