Users in the US, UK, Canada and Australia were systematically targeted by a malware advertising campaign, according to a report released by information security firm Proofpoint.

Known as ‘malvertising,’ the attack by malware group KovCoreG tricked users of the world’s most popular porn site, Pornhub, into installing fake browser updates, which then clicked on pay-per-click adverts in the background without the users ever knowing.

The news is significant. Pornhub is the world’s largest pornography site and had some 26 billion visits last year, according to data ranking firm Alexa.

Kovter Group malvertising campaign exposes millions to potential ad fraud malware infections

PornHub visitors didn’t know the difference, unfortunately.

Fake update

PornHub users were targeted by being redirected, when clicking on content, to a website that said there was a software update they should install for their web browser. The fake update page showed a message specific to whatever browser they were using, such as Chrome or Firefox. When the fake ‘update’ was downloaded, it installed the malware known as ‘Kovter.’ The criminals then used it to generate fake clicks on adverts, and those clicks made money for them.

Fake ads

By installing ‘Kovter’, users effectively handed over control of their machine to the hackers without realizing it. Users’ machines then started clicking on fake adverts (supplied by the hackers) that in turn generated real money for the websites the adverts are hosted on.

“The combination of large malvertising campaigns on very high-ranking websites with sophisticated social engineering schemes that convince users to infect themselves means that potential exposure to malware is quite high, reaching millions of web surfers,” said the Proofpoint report, published on its website.

Courtesy of KovCoreG

The hack was carried out by a group known as KovCoreG, Proofpoint said, hoping to infect users’ computers with a specific type of ad fraud malware known as Kovter. Kovter is just one of the latest versions of malicious software used for online advertising fraud to generate money for its creators through clicks on fake adverts.

While the infection has now been removed from PornHub, the malware itself is still very much alive, and a variant will no doubt resurface in time, most likely through the Traffic Junky advertising network it initially took advantage of.

Chilling warning

Proofpoint had this chilling warning about the well-concealed attack on PornHub and its users: “While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware. Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting, and pre-filtering to infect new victims at scale.”
