Spoof software alert duped visitors into downloading click ad fraud malware

Millions of Pornhub users in the US, Canada, UK, and Australia were exposed to a malvertising attack that was active for more than a year, researchers have claimed.

According to new study from infosec firm Proofpoint, the large-scale attack was conducted by the so-called KovCoreG group, which is best known for distributing Kovter ad fraud malware.

The infection chain in this campaign, says Proofpoint, appeared on Pornhub, a popular free pornography website, and abused the Traffic Junky advertising network.

The hack worked by showing an advert on the site that leveraged slight variations on a browser update scheme and tricking users into installing a software package that contained a clickbot payload.

Proofpoint said the attack chain exposed “millions of potential victims”. And while the group noted that both Pornhub and Traffic Junky acted swiftly to remediate the infection pathway, it said the attack is ongoing elsewhere.

“The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers,” Proofpoint said.

“While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware.

“Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.”