Millions Of P0rnHub Users Hit By Malvertising Attack


Cybersecurity researchers at Proofpoint recently uncovered a massive abuse campaign that exposed millions of Internet users in the United States, Canada, the United Kingdom and Australia to a malvertising attack.

Active for over a year and still ongoing, the malicious campaign is run by a group of hackers called KovCoreG, which is well known for distributing the Kovter malware, used in malicious campaigns in 2015 and more recently in 2017.

The KovCoreG hacking group initially took advantage of P0rnHub, one of the most visited sites in the world, to distribute fake browser updates that worked on all three major Windows browsers: Chrome, Firefox, and Microsoft Edge / Internet Explorer.


According to Proofpoint researchers, the infections in this campaign appeared on P0rnHub web pages through a legitimate advertising network called Traffic Junky, pushing users to install the malicious Kovter software on their systems.

Among other malicious capabilities, the Kovter malware is known for its unique persistence mechanism, which allows the malware to be loaded after each reboot of the infected host.

The Traffic Junky ad network redirected users to a malicious website, where Chrome and Firefox users were shown a fake browser update window, while Internet Explorer and Edge users received a fake Flash update.

“The [infection] chain starts with a malicious redirection hosted [.] Com, which inserts a call hosted behind KeyCDN, an important content distribution network,” Proofpoint writes.


The attackers used a series of filters and fingerprinting of the “time zone, screen size, history length of the current browser window and create a unique identifier through Mumour.”

The researchers said Chrome users were infected with JavaScript code that reported back to the server controlled by the attackers, preventing security analysts from working through the infection chain if their IP had not been “checked.”

“This makes it extremely unlikely that JavaScript can run on its own and provide payload in a sandbox environment,” Proofpoint writes. “This is probably the reason why this component of the chain has not been documented before.”

In this case, the attackers limited their campaign to click fraud to generate illicit income, but Proofpoint researchers believe the malvertising attack could easily be modified to spread ransomware, information-stealing Trojans or other malicious programs.


According to the researchers, P0rnHub and Traffic Junky “acted quickly to remedy this threat at the time of notification.”

Although this chain of infections was successfully shut down after the site operator and the ad network were notified, the malicious campaign continues elsewhere.

