PornHub got infected by an adware campaign; millions of PornHub users’ details are with hackers

A hacking group called KovCoreG recently targeted millions of users by taking advantage of PornHub, one of the world’s most visited adult websites. Visitors could be infected by malware after the hackers infiltrated the website’s advertising supply chain. At the moment, users in the US, Canada, the UK, and Australia have been affected.

Cyber-security firm Proofpoint said in a blog post that its researchers recently detected a large-scale malvertising attack. The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.

“Millions of web surfers were potentially exposed to ad fraud malware due to the latest series of large-scale KovCoreG group malvertising campaigns,” said Kevin Epstein, the vice president of threat operations at Proofpoint, in a statement.

Experts from Proofpoint said that infections first appeared on PornHub webpages via a legitimate advertising network called Traffic Junky.

The payload would be different depending on the user’s web browser of choice – be it Google Chrome, Mozilla Firefox or Apple Safari. In 2016, there were 23 billion total visits to PornHub, meaning that, if infiltrated, the potential scope of infections could be huge.

The hackers’ campaign used social engineering tactics to trick users into installing malicious updates that would appear via pop-up ads when they visited some PornHub webpages. Potential targets would believe they were updating their computer’s legitimate software.

It appears that malvertising impressions are restricted by both geographical and ISP filtering. For users that pass these filters, the chain delivers a page containing heavily obfuscated JavaScript identical to that used by Neutrino and NeutrAds. The hackers used a number of filters and fingerprinting of the timezone, screen dimension, language (user/browser), history length of the current browser windows, and unique id creation via Mumour, to target users and evade analysis.
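For analysts triaging an ad script, the following added example (not from Proofpoint or the original article) records which of the fingerprinting signals listed above a script actually reads at run time, which still works when the source is obfuscated. The fake browser objects, the `profileScript` and `traced` names, the threshold of three signals and the sample script are all assumptions; the unique-id hashing step is not modelled.

```javascript
// Added example, not from the article: log which browser properties a script reads.
// Labels follow the article's list; the threshold of 3 is an assumption.
const SIGNALS = {
  'Date.getTimezoneOffset': 'timezone',
  'screen.width': 'screen dimension',
  'screen.height': 'screen dimension',
  'navigator.language': 'language',
  'navigator.userLanguage': 'language',
  'history.length': 'history length',
};

// Wrap a fake object so every property read is recorded as "<name>.<prop>".
function traced(name, target, log) {
  return new Proxy(target, {
    get(obj, prop) {
      if (typeof prop === 'string') log.add(`${name}.${prop}`);
      return obj[prop];
    },
  });
}

function profileScript(source) {
  const log = new Set();
  const screen = traced('screen', { width: 1920, height: 1080 }, log);
  const navigator = traced('navigator', { language: 'en-US', userLanguage: 'en-US' }, log);
  const history = traced('history', { length: 1 }, log);
  class FakeDate extends Date {
    getTimezoneOffset() { log.add('Date.getTimezoneOffset'); return 0; }
  }
  const window = { screen, navigator, history, Date: FakeDate };
  // new Function shadows these globals but is NOT a sandbox: run unknown
  // scripts only inside a disposable analysis VM.
  const run = new Function('window', 'screen', 'navigator', 'history', 'Date', source);
  run(window, screen, navigator, history, FakeDate);
  const labels = [...log].map((key) => SIGNALS[key]).filter(Boolean);
  const signals = [...new Set(labels)].sort();
  return { signals, suspicious: signals.length >= 3 };
}

// Constructed sample: string splitting hides "width" from a text search.
const SAMPLE = `
  var tz = new Date().getTimezoneOffset();
  var dims = screen['wi' + 'dth'] + 'x' + window.screen.height;
  var lang = navigator.language || navigator.userLanguage;
  var depth = history.length;
`;
console.log(profileScript(SAMPLE));
```

A script that reads only one of these values, such as a layout helper checking `screen.width`, stays below the threshold and is not flagged.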

The security firm said the malicious ads have now been removed and commended both the ad network and the website for working quickly to solve the problem.

Kevin Epstein said, “We are pleased that following our notification, the site and advertising network abused in this particular attack worked swiftly to remove the infected content.”

He continued: “This is far from the first time that adult websites – or the ad networks that live there – have been targeted by cybercriminals to spread adware. It won’t be the last.”

Back in 2015, researchers from Malwarebytes discovered that a widespread operation had hit a slew of popular websites including xHamster, RedTube and PornHub. Yet despite the attempted hacks, experts often note that porn websites are known to have above-average security.

If malware does slip through the cracks, they are among the quickest to resolve the issues.









Jahnavi M

Vulnerability analyst, Technical Writer, Security Blogger, Co-founder—SecKurity
