[!] Malvertising campaign hit Adult Site xHamster - GoFuckYourself.com

MrGusMuller · 04-28-2015, 05:31 PM

Quote:

We identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google?s URL shortener service.

This incident reminds us of a similar one that happened at the end of January also involving the same ad network.

Simply going on xHamster?s website could infect a PC if the browser or one of its plugins was not up to date. We notified TrafficHaus which responded immediately to shutdown the malicious ad, helping to limit the number of victims.

The redirection chain used by the criminals was quite effective in that it only strikes one time per IP address and cleverly hides itself within an innocuous piece of code.

https://blog.malwarebytes.org/malver...hamster-again/

MrGusMuller · 04-28-2015, 05:35 PM

https://www.traffichaus.com/
is the ad network running the malware ad

xXXtesy10 · 04-28-2015, 06:07 PM

The Porn Nerd · 04-28-2015, 06:08 PM

This will cost sales.

PAR · 04-28-2015, 06:19 PM

By the sounds of it they removed the ad as soon as they knew about it.
No ad network is 100% malware free this is a sad reality.

The malware group that is using goolge's short url's has been at it for well over 2 years using this same setup. With their trigger being once per IP and targeting select browsers add to this them turning it on and off at different times of the day and sometimes off days at a time it makes it rather hard for any ad network to find before it's in the wild.

They have affected not only adult sites/ad networks but are also in the wild on the top main stream networks.

Chrome/google has flagged a number of times its own goo.gl short url service as an issue.

Google Safe Browsing diagnostic page for goo.gl

The Porn Nerd · 04-28-2015, 06:22 PM

Quote:

Originally Posted by PAR

By the sounds of it they removed the ad as soon as they knew about it.
No ad network is 100% malware free this is a sad reality.

The malware group that is using goolge's short url's has been at it for well over 2 years using this same setup. With their trigger being once per IP and targeting select browsers add to this them turning it on and off at different times of the day and sometimes off days at a time it makes it rather hard for any ad network to find before it's in the wild.

They have affected not only adult sites/ad networks but are also in the wild on the top main stream networks.

Chrome/google has flagged a number of times its own goo.gl short url service as an issue.

Google Safe Browsing diagnostic page for goo.gl

Crazy they can't contain it somehow. Google does control the domain, after all.
Shit like this does cost sales because for many malware = shady and once lost it's hard to get a customer's trust back.

Jel · 04-28-2015, 06:50 PM

got this while stroking one off last night using xhamster on my mobile. starting downloading some shit and couldn't back out of it, hit the home button thingo on my galaxy, and finished off my wank by restarting internetz. I should check my phone I guess.

PAR · 04-28-2015, 06:59 PM

Quote:

Originally Posted by The Porn Nerd

Crazy they can't contain it somehow. Google does control the domain, after all.
Shit like this does cost sales because for many malware = shady and once lost it's hard to get a customer's trust back.

Ya, it's one of the top 10 malware groups, google more than knows about them..
But even them scanning their own links isn't 100% and still leaves a big enough hole.
Can more be done...
Yes...

But I do not ever see a day where a surfer will ever see a message from an adult site that tells then they should get a proper AV or firewall software. Let alone a major mainstream site.

04-28-2015, 05:35 PM	#2
MrGusMuller Confirmed User Industry Role: Join Date: Oct 2010 Location: Portugal Posts: 1,262	https://www.traffichaus.com/ is the ad network running the malware ad __________________ StagCMS - Adult CMS - user friendly adult content management system - speed up your websites with no SQL connections ICQ: 632343*113

04-28-2015, 06:07 PM	#3
xXXtesy10 Fakecoin Investor Industry Role: Join Date: Jul 2012 Location: New Delhi, IN Posts: 7,127	__________________ WARNING: Stay Away From Marlboroack aka aka Brandon Ackerman https://gfy.com/21169705-post8.html Donny Long is Felon, Stalker, Scammer & Coward http://www.ripoffreport.com/reports/...lon-int-761244

04-28-2015, 06:08 PM	#4
The Porn Nerd Living The Dream Industry Role: Join Date: Jun 2009 Location: Inside a Monitor Posts: 19,532	This will cost sales. __________________ My Affiliate Programs: Porn Nerd Cash \| Porn Showcase \| Aggressive Gold Over 90 paysites to promote! Now on Teams: peabodymedia

04-28-2015, 06:19 PM	#5
PAR Confirmed User Industry Role: Join Date: May 2005 Posts: 1,835	By the sounds of it they removed the ad as soon as they knew about it. No ad network is 100% malware free this is a sad reality. The malware group that is using goolge's short url's has been at it for well over 2 years using this same setup. With their trigger being once per IP and targeting select browsers add to this them turning it on and off at different times of the day and sometimes off days at a time it makes it rather hard for any ad network to find before it's in the wild. They have affected not only adult sites/ad networks but are also in the wild on the top main stream networks. Chrome/google has flagged a number of times its own goo.gl short url service as an issue. Google Safe Browsing diagnostic page for goo.gl

04-28-2015, 06:50 PM	#7
Jel Confirmed User Industry Role: Join Date: Feb 2007 Posts: 6,904	got this while stroking one off last night using xhamster on my mobile. starting downloading some shit and couldn't back out of it, hit the home button thingo on my galaxy, and finished off my wank by restarting internetz. I should check my phone I guess.