A cybercrime group has been busy over the past months placing malicious ads on adult-themed websites in order to redirect users to exploit kits and infect them with malware.
Named Malsmoke, the group has operated on a scale far above other similar cybercrime operations and has abused “practically all adult ad networks.”
According to cyber-security firm Malwarebytes, which has been tracking Malsmoke’s attacks, for most of the time, the group has managed to place malicious ads (malverts) on mid-tier adult portals, but they recently “hit the jackpot” when they managed to sneak malverts onto xHamster, one of the biggest adult video portals today, and one of the biggest sites on the internet, with billions of visitors each month.
The role of the group’s malicious ads was to use JavaScript trickery and redirect users from the adult portal to a malicious site that was hosting an exploit kit.
The exploit kits would then use vulnerabilities in Adobe Flash Player or Internet Explorer to install malware on users’ computers, with the most common payloads being Smoke Loader, Raccoon Stealer, and ZLoader.
Naturally, only users still using Internet Explorer or Adobe Flash were targeted by these malicious ads.
The attacks can be considered a last-hurrah attempt to infect users with old-school hacking tools like exploit kits, whose usage has declined in recent years as modern browsers have become harder to hack.
Most exploit kits are built around vulnerabilities in Flash and IE, which has made them less efficient as most internet users have now either uninstalled Flash or moved to Chrome and Firefox.
With Flash being scheduled to reach end-of-life (EOL) at the end of the year, and with IE being slowly phased out by Microsoft, these are the last few months when malware gangs can still rely on exploit kits.
“Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser,” Malwarebytes said in a report published earlier this week.
“As a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player.”