A New malvertising campaign hit adult website xHamster by abusing ad provider TrafficHaus and exploiting the Google’s URL shortener service.
Malversting campaigns are becoming a serious problem for web users, cyber criminals are exploiting this practice to infect wide audience of users that visit most popular websites. In January security experts at Cyphort firm discovered a malvertising campaign hit numerous websites, including the Huffington Post and LA Weekly, the attackers exploited the AOL ad network to run the attack.
This time cyber criminals served the malicious advertisement through the ad provider TrafficHaus, the attack was discovered by Malwarebytes last Friday and promptly taken down in more or less 24 hours.
“We identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google’s URL shortener service” states a blog post published by Malwarebytes.
The attack chain starts a malicious advertisement using a shortened Google URL that redirect victims to the a domain serving the popular Angler Exploit Kit, in the following image is visible the source code behind a legitimate advertising (in blue) and the malicious code (in red).
The threat actors exploited the URL shortener to generate new links and evade blacklists, they used Google URL due to its reputation. The page hosting the malicious Bedep malware.
“The Trojan may arrive through a website hosting the Angler exploit kit. The exploit kit takes advantage of Flash vulnerabilities and loads the Trojan into memory. As a result, the Trojan may not create files or registry entries on the computer. ” asexplained by the experts at Symantec.
Bedep acts as a backdoor in the infected machine that is used to download further malicious payload, including the Magnitude Exploit Kit.
“With most [exploit kits] the user browses to a site and gets exploited via a drive by download,” said Jerome Segura, senior security researcher at Malwarebytes. “In this case, Bedep is generating traffic only visible via network traffic tools like Fiddler or Wireshark (no browser is open or visible to the end user). Despite that there is no visible GUI, Bedep loads malicious URLs that trigger the [exploit kit] exploitation.”
There is no official news regarding the number of visitors of the xHamster affected by the malversting campaign.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.