Kovter malvertising attack hits millions of Pornhub users

12 Oct 2017

Pornhub’s traffic is high, making it a prime target for cybercrime. Image: guteksk7

According to the infosec firm that discovered it, the Pornhub cyberattack had been active for more than a year.

A malvertising campaign targeting users of the website Pornhub potentially exposed millions of visitors to malware, according to online security firm Proofpoint.

Millions of Pornhub users were targeted with an attack that sought to trick them into installing malware on their PCs, Proofpoint said. The discovery was disclosed on 6 October.

Pornhub has 26bn visits annually and, although the infection pathway on Pornhub has been closed off, the campaign is continuing on other websites.

Kovter malvertising

Proofpoint said the attack was carried out by a group called KovCoreG, which sought to infect devices with an ad-fraud malware called Kovter. Once installed, Kovter uses the infected machine to generate fraudulent clicks on adverts, producing revenue for the cybercrime outfit behind it.

Users were shown an ad claiming to offer an update for their browser or for the Adobe Flash plugin. If the victim downloaded and ran the fake update, Kovter was installed on the device and took it over to click on fake ads on spam sites, earning cash for KovCoreG.
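The chain described above turns on one observable step: a file named like a browser or Flash update being fetched from somewhere that is not the vendor. The following detection script is an added example, not code from the article or from Proofpoint's report. The proxy log lines, the `.test` ad-network hostnames and the vendor allowlist are all constructed assumptions for illustration; a real deployment would use its own log format and a tuned allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines for illustration; they are not from the article
# or from Proofpoint's report. Format: timestamp client method url status content-type
SAMPLE_LOG = """\
2017-10-06T12:00:01Z 10.0.0.5 GET http://cdn.ads-network.test/FlashPlayer_Update.exe 200 application/x-msdownload
2017-10-06T12:00:09Z 10.0.0.5 GET https://fpdownload.adobe.com/get/flashplayer/pdc/27.0.0.159/install_flash_player.exe 200 application/octet-stream
2017-10-06T12:01:14Z 10.0.0.7 GET http://promo.banners.test/chrome_update_installer.js 200 application/javascript
2017-10-06T12:01:30Z 10.0.0.7 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 application/octet-stream
2017-10-06T12:02:02Z 10.0.0.9 GET http://static.pages.test/logo.png 200 image/png
2017-10-06T12:02:45Z 10.0.0.9 GET http://tracker.ads-network.test/firefox-patch.hta 200 text/plain
"""

# Illustrative allowlist of legitimate update hosts (assumption: tune it to your estate).
VENDOR_HOSTS = {"fpdownload.adobe.com", "dl.google.com", "download.mozilla.org"}

# Words a fake-update lure typically puts in its filename, and the executable
# or script extensions such an "update" is actually delivered as.
LURE_WORDS = re.compile(r"flash|chrome|firefox|browser|update|patch", re.I)
LURE_EXTENSIONS = (".exe", ".msi", ".js", ".hta", ".scr", ".zip")


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, client, method, url, status, ctype = line.split()
    parsed = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "host": parsed.hostname or "",
        "path": parsed.path,
        "filename": parsed.path.rsplit("/", 1)[-1],
        "status": int(status),
        "content_type": ctype,
        "url": url,
    }


def is_vendor_host(host):
    """True if host is an allowlisted vendor host or a subdomain of one.
    Suffix matching requires the dot, so dl.google.com.evil.test does not pass."""
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS)


def is_fake_update_lure(rec):
    """Flag an executable or script whose name imitates a browser or Flash
    update but which is served from a host that is not a vendor host."""
    name = rec["filename"].lower()
    if not name.endswith(LURE_EXTENSIONS):
        return False
    if not LURE_WORDS.search(name):
        return False
    return not is_vendor_host(rec["host"])


def find_lures(log_text):
    """Return (client, url) pairs for every suspected fake-update download."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_fake_update_lure(rec):
            hits.append((rec["client"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, url in find_lures(SAMPLE_LOG):
        print(f"suspected fake-update lure: {client} fetched {url}")
```

The two genuine vendor downloads in the sample pass because their host is allowlisted, while the three lures served from ad-network hosts are flagged regardless of content type. The allowlist, not the filename, is what separates them, which is why it must be maintained rather than guessed.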

Attackers following the money

Proofpoint said: “While the payload in this case is ad-fraud malware, it could just as easily have been ransomware, an information stealer or any other malware.

“Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting and pre-filtering to infect new victims at scale.”

Attacks on pornography sites are particularly useful for cyber-criminals, as many users are unlikely to report problems encountered on such sites, preferring to keep that part of their browsing habits private.

Vice-president of operations at Proofpoint, Kevin Epstein, said: “Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads and generated potential revenue for cybercriminals.”

Social engineering and the history of Kovter

This incident is a prime example of social engineering: psychological manipulation of an individual that exploits their trust in a familiar prompt, in this case a routine-looking browser or plugin update.

Kovter itself is a sneaky and persistent malware family, as Malwarebytes explains. It started out in 2014 as police ransomware, cunningly disguising its demands as official-looking warning messages from a local law enforcement agency. Since then, it has evolved into a much more effective and evasive fileless malware, meaning it keeps its code and persistence in places such as the registry and memory rather than as an executable on disk, which makes it harder for file-based antivirus scanning to find.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects