Booby trapped! Malvertising campaign hit Adult Site xHamster

A new malvertising campaign hit the adult website xHamster by abusing the ad provider TrafficHaus and exploiting Google's URL shortener service.

Malvertising campaigns are becoming a serious problem for web users: cyber criminals exploit this practice to infect the wide audience of the most popular websites. In January, security experts at the firm Cyphort discovered a malvertising campaign that hit numerous websites, including the Huffington Post and LA Weekly; the attackers exploited the AOL ad network to run the attack.

This time the cyber criminals served the malicious advertisement through the ad provider TrafficHaus. The attack was discovered by Malwarebytes last Friday and taken down in roughly 24 hours.

“We identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google’s URL shortener service” states a blog post published by Malwarebytes.

The attack chain starts with a malicious advertisement that uses a shortened Google URL to redirect victims to a domain serving the popular Angler Exploit Kit. The following image shows the source code behind a legitimate advertisement (in blue) and the malicious code (in red).

The threat actors exploited the URL shortener to generate new links and evade blacklists; they chose Google's shortener because of its reputation. The landing page hosts the Bedep malware.
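A defender-side check for this redirection pattern, as an added example that is not from the article, Malwarebytes or TrafficHaus: it pulls the URLs out of an ad creative, flags any that route through a URL shortener, and expands a redirect map to reveal the real landing domain. The shortener host goo.gl, the sample creative, the redirect map and the blocklist are all constructed assumptions.

```python
"""Audit an ad creative for shortener-based redirection (added example).
All URLs, the redirect map and the blocklist below are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"goo.gl"}  # assumption: the Google URL shortener host at the time

class _UrlCollector(HTMLParser):
    """Collect src/href attribute URLs and any URL literal inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.startswith("http"):
                self.urls.append(value)

    def handle_data(self, data):
        # <script> bodies arrive here as raw text, so catch redirect targets in JS
        self.urls += re.findall(r"https?://[^\s'\"<>]+", data)

def extract_urls(html):
    parser = _UrlCollector()
    parser.feed(html)
    return parser.urls

def expand(url, redirect_map, max_hops=5):
    """Follow a redirect map (constructed stand-in for resolving HTTP 3xx hops)."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirect_map.get(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def audit_creative(html, redirect_map, blocklist):
    """Return one finding per URL that is a shortener or lands on a blocklisted host."""
    findings = []
    for url in extract_urls(html):
        host = urlparse(url).hostname or ""
        landing = urlparse(expand(url, redirect_map)[-1]).hostname or ""
        if host in SHORTENERS or landing in blocklist:
            findings.append({"url": url, "shortener": host in SHORTENERS,
                             "lands_on": landing, "blocked": landing in blocklist})
    return findings

# Constructed sample: one legitimate click link and one shortener-routed script.
CREATIVE = ('<a href="https://ads.example/click">ad</a>'
            '<script src="https://goo.gl/PLACEHOLDER"></script>')
REDIRECTS = {"https://goo.gl/PLACEHOLDER": "https://landing-placeholder.test/ek"}
BLOCKLIST = {"landing-placeholder.test"}
```

Running `audit_creative(CREATIVE, REDIRECTS, BLOCKLIST)` reports only the shortener-routed script, with the expanded landing host, while the direct click link passes.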

“The Trojan may arrive through a website hosting the Angler exploit kit. The exploit kit takes advantage of Flash vulnerabilities and loads the Trojan into memory. As a result, the Trojan may not create files or registry entries on the computer,” explain the experts at Symantec.

Bedep acts as a backdoor on the infected machine and is used to download further malicious payloads, including the Magnitude Exploit Kit.

“With most [exploit kits] the user browses to a site and gets exploited via a drive-by download,” said Jerome Segura, senior security researcher at Malwarebytes. “In this case, Bedep is generating traffic only visible via network traffic tools like Fiddler or Wireshark (no browser is open or visible to the end user). Despite that there is no visible GUI, Bedep loads malicious URLs that trigger the [exploit kit] exploitation.”

There is no official news regarding the number of xHamster visitors affected by the malvertising campaign.

Pierluigi Paganini

(Security Affairs – malvertising, xHamster)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
