A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, UK, Australia and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting websites where malware is downloaded or to sites that are used to phish for login credentials. These malverts often appear on legitimate websites, adding to their legitimacy. The malicious sites that users are directed to can download any type of malware – keyloggers, ransomware, spyware or adware.

The Pornhub malvertising campaign was used to spread click fraud malware. The hacking group behind the campaign – KovCoreG – used the Kovter Trojan. The malware has persistence and will survive a reboot.

Pornhub is one of the most popular adult websites, attracting millions of visitors. The website uses a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the controls the ad network has in place against malvertising.

The attackers detected the browser being used and redirected users to a website tailored to their browser. The Pornhub malvertising campaign worked on users of Chrome, Internet Explorer/Edge and Firefox. The webpages, which had been expertly crafted to exactly match the colors and fonts of Google, Firefox, and Microsoft and included the relevant logos and branding. The malicious webpages indicated a critical security update was required to secure the user’s browser. Clicking to download the update, and running that update, would result in infection.

The Pornhub malvertising campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected with malware.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing your employees from wasting time on Facebook. A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can prevent malware infections.

Unless you work in the adult entertainment industry, employees should be prevented from accessing pornography at work. Most organizations include pornography in their acceptable usage policies. However, unless a filtering solution is implemented to block access, some employees are likely to break the rules. You could have a policy in place that states accessing pornography at work will result in instant dismissal. However, if anyone breaks the rules, it is not just their job that is on the line. Your network could be infected with malware.

Of course, cybercriminals do not just use adult websites for malicious adverts. Malvertising can appear on any website that includes ad blocks from third party advertisers. Since these ad blocks are an important source of revenue, many popular websites use them – Websites that are likely to feature heavily in your Internet access logs. The New York Times website for example, or the BBC and MSN.

This Pornhub malvertising campaign required a manual download, although oftentimes users are directed to sites where malware is downloaded automatically using exploit kits. If you are fully patched, you are likely to avoid an infection, but it is easy to miss a patch. The massive Equifax data breach showed how easy it is for a patch to be missed, as did the Wannacry ransomware attacks.

Considering the cost of resolving a malware infection, phishing attack, or ransomware installation, a web filtering solution is likely to pay for itself. Add to that the increase in productivity from blocking access to certain categories of websites and the improvements to your profits can be considerable.

If you are not yet using a web filter, or are unhappy with the cost of your current solution, give TitanHQ a call today and find out more about the savings you could be making.