Security firm Malwarebytes is reporting that xHamster, one of the world’s most visited porn websites, has been hit by a sophisticated malware attack.
According to a blog post by researcher Jerome Segura, the malicious Angler exploit kit lies behind adverts for a dating application called “Sex Messenger”, and aside from xHamster has also affected other popular portal websites linking to adult content.
Before dropping its malware payload, the attack checks whether you are running Internet Explorer, and exploits the CVE-2013-7331 Microsoft.XMLDOM ActiveX control vulnerability in Microsoft Windows 8.1 and earlier.
Specifically, the Windows vulnerability is exploited in an attempt to determine whether the attack is being analysed on a computer running tools typically used by malware-hunting security researchers. Not that that was enough to stop analysis by Malwarebytes, of course.
Like other recent attacks it uses HTTPS encryption, making it trickier to spot malicious web traffic at the network layer.
Malwarebytes says that it informed TrafficHaus, the ad platform serving up the malicious ad, about the problem and it has since been removed. However, it’s a safe bet that other malvertising attacks are just around the corner.
Indeed, the researchers say that within a couple of days of the poisoned “Sex Messenger” ad was cleaned up, they spotted a separate malvertising attack on xHamster which served up the Browlock browser-based ransomware, demanding the user pays a fine for allegedly viewing “banned pornography”.
Unfortunately this isn’t the first time that xHamster, which is said to receive over 500 million visitors a month, has fallen foul of malicious ads. In January, malware-laced adverts on the site successfully infected visiting PCs with the Bedep Trojan horse.
Take care out there folks - keep your computer protected with up-to-date security software, ensure that your operating system and applications are fully patched, and consider running an ad blocker.