14 DAY TRIAL // Infections coming from an adult website have spiked lately, due to a malvertising campaign that pushed Flash Player exploits on systems that did not run the latest version of the application.
Security researchers observed a spike of infections coming from xhamster[.]com reaching a 1,500% increase. The security company that discovered the campaign did not reveal the initial number of compromises it recorded.
However, it is safe to assume that a significant number of visitors have been infected since the website is quite popular, with a global rank of 64 and 100 in the United States, according to metrics from Alexa. Moreover, 500 million individuals are estimated to access its content on a monthly basis.
Simple method used to push Flash Player exploit
Closer scrutiny revealed that the attack was a drive-by download, but it did not involve an exploit kit.
Malwarebytes says that the attackers relied on a simpler method that involved embedding a landing page and an exploit, both hosted on a compromised ad network (traffichaus[.]com).
The researchers say that the Flash exploit hurled to vulnerable systems goes undetected by antivirus engines, as shown by the scan result on VirusTotal.
They also note that the exploit depends on the Flash Player version available to the system, but code taking advantage of the recently patched zero-day vulnerability is also present on the list.
At the time of discovery, the security flaw affected all versions of Flash Player earlier than 16.0.0.296 running on any version of Windows operating system with any version of Internet Explorer and Mozilla Firefox; Google Chrome was not affected.
Ad-fraud is the main goal of the malvertising campaign
Just like in the case of Angler exploit kit, the compromised computer receives Bedep, a threat that can also be used for ad-fraud purposes.
“Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls,” was the conclusion of an analysis performed by Jerome Segura.
Malvertising campaigns on adult websites are quite common, but “this particular campaign is extremely active,” researchers say.
Adobe addressed the zero-day vulnerabilities exploited by Angler by releasing Flash Player 16.0.0.296 on Saturday. Automatic updates for Internet Explorer and Google Chrome browser plug-ins have already been pushed and the binaries for manual updating are also available.
