xHamster adult site infects computers through malicious Sex Messenger ad

Security firm Malwarebytes is reporting that xHamster, one of the world's most visited porn websites, has been hit by a sophisticated malware attack.


According to a blog post by researcher Jerome Segura, the malicious Angler exploit kit lies behind adverts for a dating application called "Sex Messenger", and aside from xHamster has also affected other popular portal websites linking to adult content.

Before dropping its malware payload, the attack checks whether you are running Internet Explorer, and exploits the CVE-2013-7331 Microsoft.XMLDOM ActiveX control vulnerability in Microsoft Windows 8.1 and earlier.

Specifically, the Windows vulnerability is exploited in an attempt to determine whether the attack is being analysed on a computer running tools typically used by malware-hunting security researchers. Not that that was enough to stop analysis by Malwarebytes, of course.

Like other recent attacks, it uses HTTPS encryption, making it trickier to spot the malicious web traffic at the network layer.

Malwarebytes says that it informed TrafficHaus, the ad platform serving up the malicious ad, about the problem, and the ad has since been removed. However, it's a safe bet that other malvertising attacks are just around the corner.

Indeed, the researchers say that within a couple of days of the poisoned "Sex Messenger" ad being cleaned up, they spotted a separate malvertising attack on xHamster which served up the Browlock browser-based ransomware, demanding that the user pay a fine for allegedly viewing "banned pornography".


Unfortunately this isn't the first time that xHamster, which is said to receive over 500 million visitors a month, has fallen foul of malicious ads. In January, malware-laced adverts on the site successfully infected visiting PCs with the Bedep Trojan horse.

Take care out there, folks - keep your computer protected with up-to-date security software, ensure that your operating system and applications are fully patched, and consider running an ad blocker.


11 Responses

  1. gman

    September 25, 2015 at 1:58 pm #

    If you're not already, use adblock!

    • coyote in reply to gman.

      September 26, 2015 at 1:56 am #

      Or NoScript (which covers a lot more although many might consider the inconvenience too extreme). This goes for all content, of course.

  2. Techno

    September 25, 2015 at 5:30 pm #

    Best to browse adult sites in a sandbox if you ask me.

  3. adrian

    September 25, 2015 at 5:54 pm #

    Someone emailed me unsolicited porn for years. And I don't even click on pictures of people kissing. I would request to be taken off their mailing list…nothing. I would cuss them out. Nothing. I actually mailed a court summons to one of them. The sheriff could not serve it…he said the physical address did not exist. That's what happens when you are a supersaint :)

    • coyote in reply to adrian.

      September 26, 2015 at 2:02 am #

      Never request being removed from a list that you didn't subscribe to. Never believe their rubbish disclaimer, either (actually, some people feel that email disclaimers are worth a lot more than they are – e.g. when declaring it is for private eyes only; too bad email isn't private and if they want it to be that way they should encrypt it [with the risk that the recipient would be able to decrypt and therefore share it] or better yet not send it). Doing the former won't do any good and the latter is only an attempt to make one think it is legit (which it obviously isn't). There is an exception: depending on their provider you can report the mail to their abuse department as UBE (unsolicited bulk email). But finding that email requires a bit more work (but nothing much to speak of). Usually it is abuse@ something (but not of the domain of the sender!).

  4. coyote

    September 26, 2015 at 1:55 am #

    'Unfortunately this isn't these aren't the first times that xHamster, which is said to receive over 500 million visitors a month, has fallen foul of malicious ads.'

    I think there is an unnatural flow of words going on there. Or am I really that wasted ?

    • Graham Cluley in reply to coyote.

      September 27, 2015 at 10:25 am #

      :) I think I must have been the wasted one. Now fixed.

  5. TrafficHaus

    September 27, 2015 at 9:50 am #

    At this point, all attack attempts have been blocked, and they were blocked within 24 hours. We have established that there was a hack attempt on TrafficHaus, and not Xhamster. We believe that Xhamster is being unfairly targeted here, as well as the Sex Messenger app. The hacker made attempts to make it appear as if it was coming from the messenger app and Xhamster, by placing their code next to their ad unit in our system. Neither company had anything to do with the attempt. Xhamster was pivotal in helping us catch the intrusion, as well as information from their users. So far there have only been 6 user complaints that we know about. The attack was initially detected by a user complaint via Xhamster which was quickly acted upon to prevent further spread of the attempted malware attack. Our system flagged several attack attempts days before and, due to the large audience of our clients and our ads, we are of course a large target for these malicious attacks. So far all previous attempts were prevented; however, this final attempt was not detected until after the malware had made it into the system, but was immediately blocked when we were made aware, in less than 24 hours.

    We have reviewed the logs, IPs, and accounts related to the malware injections. We are still investigating, and will update if we find out anything more. For now, it looks like the initial intrusion was via a user account hack in the Czech Republic and a Tor exit router in the US. We have the injection logged from a CZ IP address (89.187.142.208) so we know it is related to the same incident as it corresponds with our change logs. When the hacker gained access to a password to one of our admin accounts, they injected that cookiecheck.js file into the advertiser’s creative on our side, making it look like it’s from the advertiser in an attempt to make it more difficult to follow.
    We believe the attack vector was unsecured wifi, as we had recently attended a conference in the Czech Republic.
    We purged this from our system immediately upon finding it and it has been down since yesterday morning.
    As Malwarebytes themselves and many tech blogs have said, we are more secure and more proactive at fighting malware than other systems on the internet. Xhamster and other porn sites we work with are not more dangerous than Yahoo, who was recently attacked as well, or other sites. As they said, we do allocate a lot of resources to fighting fraud and malware, and more than most. We believe the shock value is just higher given the nature of the content:
    “Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.
    …..

  6. TrafficHaus

    September 27, 2015 at 9:51 am #

    “There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.””
    Read more at http://www.techweekeurope.co.uk

    Currently TrafficHaus has a 2-factor authentication system which requires an SMS in order to log into an account. The IP location may have been the fault in allowing the user to bypass, so we are adding on a secondary flag layer even if the IP is authorized. In addition we also have RiskIQ and GeoEdge simultaneously scanning all ads and creatives, and our own proprietary scans and business methodologies for catching and removing exploits. In addition to that we have revamped our SMS authentication system to add additional layers to users when logging in, and another layer of secondary notification restrictions when ads are approved and code is pushed live to ad units. We have scans for user activity to isolate any intrusions. Furthermore we work directly with Malwarebytes and other adtech pioneers in the space that are helping to prevent the spread of this malicious software, and thank them for their help.

    For now, we purged this from our system immediately upon finding it and it has been down since late in the evening of the 24th of September, early morning the 25th. Xhamster's and our other partners' number 1 concern is their users, their user experience, and delivering the best possible experience to them. We believe that is tarnished when news articles are released post these sorts of one-off situations, after attacks have been blocked and solutions have been implemented. We will continue to work with them and other leaders in the adult space to prevent and eradicate these types of attacks and preserve a safe browsing experience for all.
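The TrafficHaus comments above describe an approved creative being altered after approval by injecting an extra script file. One defensive control an ad platform can run at every push-live step is a creative integrity audit: record a hash and the set of script sources at approval time, and refuse or flag any live version that differs. The example below is added here for illustration and is not TrafficHaus's own system; the creative markup and the ads.example domain are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass

# External <script src="..."> references and inline <script>...</script> blocks
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>',
                              re.IGNORECASE | re.DOTALL)


@dataclass(frozen=True)
class CreativeBaseline:
    """What was approved: full-content hash plus the script surface of the creative."""
    sha256: str
    script_srcs: frozenset
    inline_script_count: int


def baseline(creative_html: str) -> CreativeBaseline:
    return CreativeBaseline(
        sha256=hashlib.sha256(creative_html.encode("utf-8")).hexdigest(),
        script_srcs=frozenset(SCRIPT_SRC_RE.findall(creative_html)),
        inline_script_count=len(INLINE_SCRIPT_RE.findall(creative_html)),
    )


def audit(approved: CreativeBaseline, live_html: str) -> list:
    """Compare the creative about to go live with its approved baseline.
    Returns a list of findings; an empty list means nothing changed since approval."""
    live = baseline(live_html)
    findings = []
    if live.sha256 == approved.sha256:
        return findings
    findings.append("creative changed since approval (hash mismatch)")
    for src in sorted(live.script_srcs - approved.script_srcs):
        findings.append(f"unapproved external script added: {src}")
    if live.inline_script_count > approved.inline_script_count:
        findings.append("inline <script> block added after approval")
    return findings


# Constructed sample: an approved image creative, then the same creative with a
# script tag appended (the injected file name follows the incident described above).
APPROVED = '<a href="https://ads.example/click"><img src="https://ads.example/banner.png"></a>'
TAMPERED = APPROVED + '<script src="https://ads.example/cookiecheck.js"></script>'

if __name__ == "__main__":
    for finding in audit(baseline(APPROVED), TAMPERED):
        print("BLOCK:", finding)
```

A baseline stored at approval time and checked on every push-live (not only at upload) also makes a change made with a compromised admin account visible in the same place as the change log.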

  7. Jimbo

    September 27, 2015 at 8:16 pm #

    Graham,

    I do not use xhamster but out of pure curiosity and admittedly paranoia, was this attack only possible if the site was accessed on IE?

    And with this malware, could attackers actually download illegal content to your computer?

  8. BelchSpeak

    September 29, 2015 at 9:16 pm #

    Hey TrafficHaus,

    As long as you allow other people to host their own ad content all the money you pay for malware scanning is flushed down the crapper.

    There is such a thing as the .htaccess file. Google it. Your ad scanning cannot defeat it.

    Want to stop malvertising? Charge a whole lot more, get a zero tolerance for violators, and host the ads yourself, which is the only way to ensure they are not being tampered with or swapped out by a script.

    Thank me very much.
