For more than a year the advertisements on the popular porn video and image sharing site PornHub were hijacked as part of a fraudulent scheme to infect the site’s visitors with malware, according to security researchers.

The campaign was recently shut down after cybersecurity firm Proofpoint discovered it but it is feared that millions of users located in the United States, Canada, the United Kingdom and Australia were exposed and many could have been infected by the Kovter malware while the attack was active.

Behind the campaign, according to Proofpoint, was the KovCoreG group—a collection of threat actors who are best known for their efforts to distribute the Kovter ad fraud malware more widely through a variety of tactics.

In order to carry out the attack, the KovCoreG group took aim at Traffic Junky, an advertising network that serves ads on the mobile and desktop versions of a number of websites—the vast majority of which are pornographic in nature. The network includes RedTube, YouPorn, XTube, xHamster and, of course, PornHub.

KovCoreG took specific aim at PornHub—and it’s pretty easy to see why. Despite the graphic content shared on the site, PornHub is one of the most trafficked locations on the web. It boasts more than 280 million impressions daily and is the 21st most visited site in the US and 38th in the world according to Alexa rankings.

To carry out the attack, the KovCoreG group injected malicious links within ads that would display on PornHub. When a visitor would click on one of the ads, they would be redirected to a website that claimed to offer a critical software update for their web browser—either Mozilla Firefox or Google Chrome—or for the popular Adobe Flash plugin.

If the user downloads the fake update, they are delivered a malicious payload that contains the Kovter malware. Once Kovter is installed on a machine, it takes control and begins to visit websites filled with advertisements that the malware clicks on in order to generate revenue for the attackers.

Kovter operates relatively silently on the system. The malware is effectively undetectable at first, as no changes to the machine can be seen and there is no new program that appears on the desktop. However the attack is quite persistent and can create problems for the victims over time as they are exposed to other malicious sites.

The attack could also evolve in future iterations, Proofpoint warned. While the payload now is malware that commits ad fraud, future versions could contain ransomware or other destructive malware that holds hostage or destroys sensitive information on the machine.

Since Proofpoint’s discovery of the attack, PornHub and Traffic Junky have taken steps to remove the attack and infected content that put website visitors at risk. The services reportedly acted swiftly once informed of the attack.

In order to ensure users haven't been infected by Kovter or other malware, Proofpoint advises anyone who has visited PornHub to run an anti-malware security scan to confirm their system was not compromised.

RELATED STORIES
Security Australia Canada United kingdom