PornHub users targeted with advertising malware attack


  • Computer security experts from Proofpoint raised the alarm over the attack
  • The Trojan horse hides inside official looking updates to Chrome and Firefox
  • Visits to PornHub prompt download pages to pop up and tempt users to install
  • Countries most heavily hit include the US, UK, Canada, and Australia

By Tim Collins For Mailonline

Published: 10:58 EDT, 10 October 2017 | Updated: 03:35 EDT, 11 October 2017

PornHub users may be looking over their shoulders for another reason, after news emerged that cybercriminals have been targeting the website.

Millions of visitors to the site may have been exposed to the Kovter malware, which generates revenue by clicking on ads in the background, with users left oblivious.

Known as a 'malvertising' attack, it could just as easily have delivered ransomware or information-stealing software instead.


Millions of visitors to the adult site PornHub may have been exposed to the Kovter malware, which generates revenue by clicking on ads in the background with users left oblivious (stock image)

THE KOVTER VIRUS

Kovter is a Trojan horse that is used to perform click-fraud operations on the computers it infects.

This is in order to generate revenue for its creators.

The threat is also memory resident, which means that once it has run, the original file that infected the system can be deleted and it can still reinfect that system.

It uses a device's registry, a database that stores low-level settings, as a persistence mechanism to ensure it is loaded into memory each time the infected computer starts up. 

Computer security experts from Sunnyvale-based Proofpoint first raised the alarm about the hack attack.

Countries most heavily hit over the more than year-long campaign include the US, UK, Canada, and Australia.

Users install what they believe is an update to popular browser-related software like Chrome, Firefox and Adobe's Flash Player.

Instead, their systems are infected by the virus.

Following notification from Proofpoint, PornHub and the Traffic Junky advertising network worked to remove the infected content and keep visitors safe. 

Kevin Epstein, vice president of threat operations at Proofpoint, said: 'This campaign uses clever social engineering to trick users into installing fake updates that appear as soon as they visited a page containing a malicious ad. 

'Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads, and generated potential revenue for cybercriminals.

'We encourage consumers to run anti-malware security solutions to ensure systems are clear and organisations to update web gateways to detect related traffic.' 

In a written statement to MailOnline Corey Price, Pornhub vice president, added: 'Pornhub’s commitment to providing their viewers with an optimal online experience has made security a top priority, allowing us to respond quickly to cybercrime and safeguard our customers.

'Over the course of the past year, we’ve taken several measures to further ensure the safety of our users.

'We announced a bug bounty program through HackerOne to reward researchers that find security bugs on our platform with bounties as high as $25,000 (£19,000).

Users install what they believe is an update to popular browser-related software like Chrome, Firefox and Adobe's Flash Player. Instead, their systems are infected by the Kovter virus

'This program has been extremely successful thus far, providing some of our savvy fans with a chance to earn some extra cash. 

'More importantly, it ensures the safety of our 80 million daily visitors. 

'Additionally, we went all-in on encryption and switched to HTTPS by default across the entirety of our site to help ensure our users’ privacy and offer heightened security against hackers and malware.'

This is not the first time that visitors to porn sites have been warned about the potential dangers of their online activities.

In September, researchers discovered that watching mobile porn on your smartphone puts you at much higher risk of having your data leaked than watching it on your PC.

Experts from Wandera, a London-based mobile phone consultancy, looked at the websites that are most likely to contain malware, and found that the adult apps were also the most likely to have malicious bugs. 

The Kovter virus is memory resident, which means the original file it infected (pictured) can be deleted and it can still reinfect a system once it has been run

They examined content viewed on 10,000 mobile devices across the US and UK.

They discovered that 34 out of every 10,000 devices are accessing inappropriate content on a daily basis.

A further analysis of the results showed that inappropriate mobile activity was highest on Fridays, followed by Thursdays, while Monday was the least popular day for inappropriate mobile activity.

In terms of time of day, inappropriate usage was found to increase from 8pm, peaking at around 2-3am, and remaining low throughout the working day.

Gambling, cam, adult and ad networks were found to be by far the biggest risks for mobile users.

FIVE STEPS TO MORE SECURE ONLINE OPERATIONS 

Even using this checklist can't guarantee stopping every attack or preventing every breach. But following these steps will make it significantly harder for hackers to succeed. 

1) Enable two-factor authentication (2FA). Most major online services, from Amazon to Apple, today support 2FA.

When it's set up, the system asks for a login and password just like usual – but then sends a unique numeric code to another device, using text message, email or a specialized app.

Without access to that other device, the login is refused. That makes it much harder to hack into someone's account – but users have to enable it themselves.

2) Encrypt your internet traffic. A virtual private network (VPN) service encrypts digital communications, making it hard for hackers to intercept them.

Everyone should subscribe to a VPN service, some of which are free, and use it whenever connecting a device to a public or unknown Wi-Fi network.

3) Tighten up your password security. This is easier than it sounds, and the danger is real: Hackers often steal a login and password from one site and try to use it on others.

To make it simple to generate – and remember – long, strong and unique passwords, subscribe to a reputable password manager that suggests strong passwords and stores them in an encrypted file on your own computer.

4) Monitor your devices' behind-the-scenes activities. Many computer programs and mobile apps keep running even when they are not actively in use.

Most computers, phones and tablets have a built-in activity monitor that lets users see the device's memory use and network traffic in real time.

You can see which apps are sending and receiving internet data, for example. If you see something happening that shouldn't be, the activity monitor will also let you close the offending program completely.

5) Never open hyperlinks or attachments in any emails that are suspicious.

Even when they appear to come from a friend or coworker, use extreme caution – their email address might have been compromised by someone trying to attack you.

When in doubt, call the person or company directly to check first – and do so using an official number, never the phone number listed in the email.

- Arun Vishwanath, Associate Professor of Communication, University at Buffalo, State University of New York 

By Larry White 11/10/2017 03:35:00