Millions of Pornhub users hacked by malware campaign

Image: The three KovCoreG social engineering templates we observed. Pic: Proofpoint

Image: Hackers tried to make Porn Hub users download fake browser updates. Pic: Proofpoint

PornHub, and its Traffic Junky network, was chosen because of its popularity: it is the 38th most visited site in the world, according to Proofpoint.

Proofpoint said "millions" of users "were potentially exposed to ad fraud malware due to the latest series of large-scale KovCoreG group malvertising campaigns". The KovCoreG group is best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely.

In this case, the malicious ads determined which browser the user was running, and then displayed different scam pages to different users.

The malware infected the victim's system by masquerading as updates for popular browsers including Chrome, Firefox, and Microsoft's Internet Explorer and Edge, presented either as a "critical" update for the browser itself or as an update for software such as Adobe Flash. When the file was downloaded, it installed Kovter.

"The chain begins with a malicious redirect hosted on avertizingms [.] com, which inserts a call hosted behind KeyCDN, a major content delivery network", Proofpoint writes.

It appears that malvertising impressions are restricted by both geographical and ISP filtering. In instances like this, it is often the advertising network that was more directly targeted, rather than the website in question.

As a result it remained undetected for more than a year, and is believed to continue elsewhere, Proofpoint said.

He continued: "We are pleased that following our notification, the site and advertising network abused in this particular attack worked swiftly to remove the infected content".

A hacker collective known as KovCoreG has been targeting the users of the PornHub pornography website, tricking them into downloading and installing malware on their computers.

Like other malvertising actors, the KovCoreG group is now focusing on redirecting users to social engineering sites (i.e. fake downloads), instead of redirecting users to websites hosting exploit kits.

Despite the fact that this attack was limited to click fraud, Proofpoint experts warned that an attack of this kind can easily be modified to become a ransomware or data theft Trojan attack.

According to Epstein, this only confirms that attackers will always follow the money, and to do so they will continue to create ideal combinations of techniques involving social engineering, targeting, and pre-filtering to affect as many users as possible.