Proofpoint security researchers recently uncovered a large-scale abuse campaign that exposed millions of Internet users in the United States, Canada, the United Kingdom and Australia to a malvertising attack.
Active for over a year and still ongoing, the malicious campaign is run by a group of hackers called KovCoreG, which is well known for distributing the Kovter malware used in malvertising campaigns in 2015 and, more recently, in 2017.
The KovCoreG hacking group initially leveraged PornHub, one of the most visited sites in the world, to distribute fake browser updates that worked on all three major Windows browsers: Chrome, Firefox, and Microsoft Edge / Internet Explorer.
According to Proofpoint researchers, the campaign's infections appeared on PornHub web pages through a legitimate advertising network called Traffic Junky, and lured users into installing the Kovter malware on their systems.
Among other malicious behaviour, the Kovter malware is known for its unique persistence mechanism, which allows it to be loaded again after each reboot of the infected host.
The Traffic Junky ad network redirected users to a malicious website, where Chrome and Firefox users were shown a fake browser update window, while users of Internet Explorer and Edge were shown a fake Flash update.
“The [infection] chain starts with a malicious redirect hosted on [.]com, which inserts a call hosted behind KeyCDN, a major content distribution network,” Proofpoint writes.
The attackers used a series of filters and fingerprinting checks covering “time zone, screen size, history length of the current browser window and creation of a unique identifier through Mumour.”
In this case the attackers limited their campaign to click fraud in order to generate illicit income, but Proofpoint researchers believe the malvertising attack could easily be modified to distribute ransomware, information-stealing Trojans or other malicious programs.
According to the researchers, PornHub and Traffic Junky “acted quickly to remedy this threat at the time of notification.”
Although this infection chain was successfully shut down once the site operator and the ad network were notified, the malicious campaign continues elsewhere.