File under adding insult to injury: Adult site xHamster is once again the target of a large-scale malvertising campaign—one in which, interestingly, cybercriminals are loading different exploit kits into the same victim PCs to deploy a range of malware.
The porn site is popular—very popular, actually, with an Alexa rank of No. 35 and an estimated 514 million visitors per month according to SimilarWeb. That, of course, makes it a big target. This is already the second malvertising attack on the site this year.
This particular campaign abuses ad provider TrafficHaus and Google’s URL shortener service. It starts with a booby-trapped advertisement embedded on the website. Rogue actors inject malicious source code behind the advertisement; that code redirects users to a Google shortlink, which in turn forwards the victims to the Angler Exploit Kit. Angler targets a known (and patched) memory corruption vulnerability in Internet Explorer.
“The redirection chain used by the criminals was quite effective in that it only strikes one time per IP address and cleverly hides itself within an innocuous piece of code,” said Jerome Segura, researcher at Malwarebytes, in an analysis. “Simply going on xHamster’s website could infect a PC if the browser or one of its plugins was not up-to-date.”
The initial malware payload is Bedep and its ad fraud component. Segura said that within a minute, a vulnerable user’s machine is flooded with traffic to various ad networks to generate fraudulent ad revenues.
But wait, there’s more: Bedep then also silently loads the Magnitude exploit kit.
“This means that victims already compromised by Angler EK could in turn be served another exploit kit and additional malware payload,” Segura said. “This is probably a case where multiple criminal ‘customers’ want to have a piece of the infected PC and have to share it. But after all, the same computer can be monetized simultaneously by various actors: some ad fraud, some spam and maybe a banking Trojan.”
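As an added example, not part of the article or of Malwarebytes’ analysis: a small Python triage script that runs over constructed proxy-log lines and flags the two behaviours described above, a request to a URL shortener referred by an ad-network domain that then lands on a host the defender does not know, and a single client firing dozens of ad-network requests inside a minute. The ad-network and landing hostnames are placeholders, not domains from the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

SHORTENERS = {"goo.gl"}  # Google's URL shortener, abused in the campaign above
AD_NETWORKS = {"ads.adnet-a.test", "ads.adnet-b.test", "ads.adnet-c.test"}  # placeholders

# Constructed sample proxy log, one request per line: "<ISO time> <client> <url> <referrer>".
# Lines 1-3 model the ad -> goo.gl -> landing-page chain; the rest a Bedep-style ad flood.
SAMPLE_LOG = (
    "2015-02-02T10:00:01 10.0.0.5 http://ads.adnet-a.test/banner.js http://xhamster.com/\n"
    "2015-02-02T10:00:02 10.0.0.5 http://goo.gl/x7Kq9 http://ads.adnet-a.test/banner.js\n"
    "2015-02-02T10:00:03 10.0.0.5 http://landing.ek-placeholder.test/index.php http://goo.gl/x7Kq9\n"
    "2015-02-02T10:00:09 10.0.0.9 http://ads.adnet-a.test/banner.js http://xhamster.com/\n"
    + "".join(f"2015-02-02T10:00:{10 + i:02d} 10.0.0.5 "
              f"http://ads.adnet-{'abc'[i % 3]}.test/imp?id={i} -\n" for i in range(30))
)

def parse(log):
    """Split log text into (timestamp, client, url, referrer) tuples."""
    rows = []
    for line in log.splitlines():
        ts, client, url, ref = line.split()
        rows.append((datetime.fromisoformat(ts), client, url, ref))
    return rows

def host(url):
    return urlparse(url).hostname or ""

def shortener_pivots(rows):
    """Per client: ad-network referrer -> shortener -> landing on a host we do not know."""
    hits = []
    for _, client, url, ref in rows:
        if host(url) in SHORTENERS and host(ref) in AD_NETWORKS:
            landings = {host(u2) for _, c2, u2, r2 in rows if c2 == client and r2 == url}
            for landing in landings - AD_NETWORKS - SHORTENERS:
                hits.append((client, host(ref), url, landing))
    return hits

def ad_fraud_bursts(rows, threshold=20, window=timedelta(seconds=60)):
    """Clients issuing >= threshold ad-network requests inside one sliding window."""
    times = defaultdict(list)
    for ts, client, url, _ in rows:
        if host(url) in AD_NETWORKS:
            times[client].append(ts)
    peaks = {c: max(sum(1 for t in s if start <= t <= start + window) for start in s)
             for c, s in times.items()}
    return {c: n for c, n in peaks.items() if n >= threshold}
```

Because the chain fires only once per IP address, the pivot check needs the full referrer history rather than a single-request signature; the burst check catches the ad-fraud stage even when the exploit traffic was missed.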
Malwarebytes notified TrafficHaus, which it said responded immediately to shut down the malicious ads, helping to limit the number of victims. Google, for its part, blacklisted the shortlinks. Still, xHamster fans should be wary and keep their browsers and plugins up to date.
“It should be noted that cyber crooks are constantly rotating through new shortened links, making this a cat and mouse game, where the mouse tends to always win,” Segura said.