A massive malvertising attack is striking adult content portals, including top porn domain xHamster.com, which has close to half a billion monthly visitors.
The malicious advertisement was being served by TrafficHaus (it has since been removed) and was for a dating application called “Sex Messenger.” Malwarebytes Labs found that it was displayed often enough to reliably reproduce the infection, and that this attack, like others in the same campaign, infects a user’s machine with ransomware via an exploit kit.
The Malwarebytes Labs research team has detected various large malvertising attacks over the past few months, including those targeting Yahoo! and eBay UK. These all appear to be connected and pushed out by the same group of criminals.
“The SSL malvertising campaign we documented in August that affected Yahoo.com, MSN.com and several other top sites is still ongoing,” said Malwarebytes researcher Jerome Segura, in a blog post shared with Infosecurity ahead of publication. “What allows us to differentiate [this campaign] from other malvertising attacks are some similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL).”
Researchers have observed the Microsoft Azure and RedHat cloud platforms being used by the threat actors behind the attack, and now a new platform has been added to the mix. The bad guys are using IBM’s Bluemix, taking advantage of the free HTTPS encryption it provides to deliver malicious code.
Segura noted that the authors of the attack are getting smarter: several checks are embedded within the ad to verify that the user is genuine, so only real users get to see the exploit kit landing page, which excludes honeypots and security researchers alike.