Reefa Posted February 19, 2015

Blue movie website RedTube was stiffed over the weekend by a hacker who gave the site a rather nasty infection.

The porno purveyor inadvertently spread the seed of malware after a hacker compromised its servers and tweaked its homepage – exposing visitors to malicious code that attempted to exploit a security vulnerability in Adobe Flash.

According to researchers at MalwareBytes, an HTML iframe was used to silently thrust a web page hosting the Angler Exploit Kit at browsers. This software nasty tries to exploit Adobe's recently patched CVE-2015-0313 bug to run malicious code.

Had the attack succeeded, MalwareBytes says, a trojan, which included an ad-serving browser plugin and tools to collect the victim's personal information, would have slid balls deep into the Windows PC.

The website has been licked clean of the code, and a (purely educational) visit to the site did not turn up any alerts to malicious activity.

RedTube has yet to return a request for comment, though MalwareBytes reports that the biz removed the iframe "within hours" of it being spotted.

The site confirmed on Twitter today (Wednesday) that it was compromised on Sunday:

It's not clear how deep RedTube, part of the massive PornHub network, was penetrated; the site offers people accounts on its sorta-social-network so netizens can swap messages, share vids and whatnot. We've asked for more details.

RedTube is not the only porn site to have fallen victim to malware peddlers as of late. Last month, fellow adult outlet xHamster was found to be serving up a Flash file that exploited a zero-day flaw via a malicious advertisement.

Researchers also uncovered a massive malware operation that had spread by way of compromised porn sites.

theregister.co.uk
knowledge-Spammer Posted February 20, 2015

DISCLAIMER: THIS POST INCLUDES SOME LANGUAGE AND TOPICS THAT MIGHT NOT BE SUITABLE FOR ALL READERS, PLEASE BE ADVISED AND PROCEED WITH CAUTION.

Top Adult Site RedTube Compromised, Redirects to Malware
February 18, 2015 | BY Malwarebytes Labs

Update 2/18/15:

RedTube has confirmed the incident and said they addressed the hack:

As always we urge people to still use caution and keep their computers protected.

The continuing proliferation of malware attacks have made them a concern for any organization. This past Sunday, leading provider of adult content RedTube was exposed to an attack for a brief period of time. Our security systems immediately detected the breach and we took direct action to rectify the situation in order to protect RedTube users. The situation was fully resolved by Sunday evening and there is no longer any risk to visiting RedTube. Redtube pursues stringent privacy requirements and maintains the highest industry standards of privacy protection to secure not only their assets and properties, but to provide comprehensive protection of their customers’ data when visiting a Redtube owned site. Redtube is committed to providing their customers with an optimal online experience and the peace of mind when they are accessing a RedTube site.

Original Story:

We’ve documented adult sites leading to malware before on this blog, but this one is a little bit different.

This time around, the source of the problem is not malvertising, but rather a malicious iframe placed directly in the source code of redtube[dot]com, a pornographic site that boasts over 300 million visits a month.

Overview

iframes

The attack doesn’t come from a malicious advertisement being loaded on the webpage, like was the case with xHamster, but rather the source code of RedTube’s main page was modified to include a hidden piece of redirection code.

The code is executed inside of an iFrame, which is basically like a browser window inside of your browser window that can point to any website the attacker wants. In this case the iFrame is set to be completely invisible to the user and navigates to the following malicious URLs:

hxxp://tfx.pw/a.js
hxxp://fuck.fpmenziken.ch/adShowMe.jsp?zoneid=27&bannerid=2&chid=341aa8fca26bcff7830499c1c5f8e359

The existence of the iFrame in the main page source code is evidence enough to say that RedTube servers were likely hacked by malicious actors who had access to the main page source code, adding the malicious code and then setting it loose on RedTube users.

Exploit Kit (Angler EK)

The Angler Exploit Kit has been one of the more prominent exploit kits on the cyber black market for the last year, being used in zero day attacks against applications like Flash and Silverlight. Its instance in this case doesn’t use a zero day exploit, however its ability to quickly and effectively infect a user with malware is what makes it so popular among cybercriminals.

The pages directly involved with the exploit kit are as follows:

hxxp://replenisht-dyletantyzm.latinbrothersmusic.com/io5h8d19i3.php
hxxp://replenisht-dyletantyzm.latinbrothersmusic.com/9E4aI_T3BSf0HXpKG_1f-gNLcItlXc8fnVsgRFGib8jC_hw-ySQKzEHvsQP08slM
hxxp://replenisht-dyletantyzm.latinbrothersmusic.com/XaN63jVCo9-NC1KsRn7nfMKIXpGreKpqo8UDRna5HHoBKjrIcRWibrIW1Av8mk4K

Angler EK uses the more recently discovered Flash Exploit CVE-2015-0313 (Zero-Day) and once it exploits the user’s browser, will attempt to drop malware detected by Malwarebytes Anti-Malware as Trojan.FakeMS.Ed. Other security vendors detect the malware as belonging to the Kazy Trojan family.

This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections.

Anti-Exploit protection

Malwarebytes Anti-Exploit proactively detects and blocks the exploit before it gets the chance to download and run malware.

Exploit infections, either through drive-by methods, malvertisement or malicious iFrame injections have been a problem for users and organizations alike for years and rather than it slowing down, new discoveries in attack technology has only increased the amount of attacks happening every month.

It is then highly advised that looking into anti-exploit, malicious webpage blocking and advertisement blocking solutions is in the best interest of all users.

https://blog.malwarebytes.org/exploits-2/2015/02/top-adult-site-redtube-compromised-redirects-to-malware/?utm_source=twitter&utm_medium=social
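A defender-side check for the hidden iframe injection described in the post above, added here as an example and not taken from Malwarebytes or from anyone in this thread: it lists iframes in a page's HTML that are made invisible and load from a host outside an allowlist. All host names, the sample markup and the `audit` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-style patterns commonly used to make a frame invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Constructed sample page: one visible embed, one hidden same-site frame,
# and two hidden third-party frames (all hosts are placeholders).
SAMPLE = """<html><body>
<iframe src="https://player.video-cdn.example/embed/1" width="640" height="360"></iframe>
<iframe src="/ads/local.html" style="display:none"></iframe>
<iframe src="http://injected.example.net/landing" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="//tracker.example.org/p" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

class FrameAuditor(HTMLParser):
    """Collects <iframe> tags that are invisible and load from unapproved hosts."""
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts} | {urlparse(page_url).hostname}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative src values against the page URL.
        host = (urlparse(urljoin(self.page_url, a.get("src", ""))).hostname or "").lower()
        reasons = ["hidden attribute"] if "hidden" in a else []
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if reasons and host not in self.allowed:
            self.findings.append((host, a.get("src", ""), reasons))

def audit(html, page_url, allowed_hosts=()):
    """Return (host, src, reasons) for each hidden iframe from a non-allowlisted host."""
    auditor = FrameAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://www.site.example/", ["player.video-cdn.example"]):
        print(finding)
```

Run against a freshly fetched copy of your own home page on a schedule, a new entry in the output is a prompt to compare the served HTML with what was deployed; frames added by script at run time are not visible to a static parse like this.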
psyko666 Posted February 20, 2015

Old news.. FEBRUARY 18
GRiM Posted February 20, 2015

> Old news.. FEBRUARY 18

It's only a couple of days and it hadn't been posted yet so chill out.
knowledge-Spammer Posted February 20, 2015

it was an update like what happened to

Top adult site xhamster victim of large malvertising campaign

We are observing a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month.

In the past two days we have noted a 1500% increase in infections starting from xHamster.

Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within an apparent ad network.

Let’s take a closer look:

The main adult site links to traffichaus.com where the malicious advertising (malvertising) happens thanks to an iframe:

hxxp://musthave-media.org/tracking.php loads the malicious Flash file (1 detection on VT) from:
hxxp://musthave-media.org/banner/count.swf which exploits the recent 0 day.

Upon successful exploitation, a malicious payload (Bedep) VT 2/57, is downloaded from:
hxxp://nertafopadertam.com/2/showthread.php

This attack looks similar to the one mentioned by Kafeine. What we see post exploitation is ad fraud as described here.

Malwarebytes Anti-Exploit protects you from this attack:

While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge.
steven36 Posted February 20, 2015

Pornhub will be next lol, 1st it was xHamster now it's redtube ... Malwares like these can easily be prevented by using an addon like Policeman that blocks cross site scripting. Where you can add only the scripts necessary to run a site, that plus a good adblocker like Ublock :D
Reefa Posted February 20, 2015

> > Old news.. FEBRUARY 18
>
> It's only a couple of days and it hadn't been posted yet so chill out.

Already posted here.. >>//www.nsaneforums.com/topic/240426-rap-for-fap-stack-in-hack-trap-flap-this-xxx-site-caught-an-sti-script-transmitted-infection/
knowledge-Spammer Posted February 20, 2015

> > > Old news.. FEBRUARY 18
> >
> > It's only a couple of days and it hadn't been posted yet so chill out.
>
> Already posted here.. >>//www.nsaneforums.com/topic/240426-rap-for-fap-stack-in-hack-trap-flap-this-xxx-site-caught-an-sti-script-transmitted-infection/

did not see your post sorry about that
Reefa Posted February 20, 2015

> > > > Old news.. FEBRUARY 18
> > >
> > > It's only a couple of days and it hadn't been posted yet so chill out.
> >
> > Already posted here.. >>//www.nsaneforums.com/topic/240426-rap-for-fap-stack-in-hack-trap-flap-this-xxx-site-caught-an-sti-script-transmitted-infection/
>
> did not see your post sorry about that

No probs m8 might be an idea to merge as yours may have a few more details.. peace
steven36 Posted February 20, 2015

Blah, blah, blah.

Some sites are harder to configure than others to render right so it may take you a bit to set it right policeman but I like tinkering with things

Sites like majorgeeks works fine like it is

The pink ones are all the scripts it blocks ..

I try to share with you some useful info ..
Reefa Posted February 20, 2015

> Blah, blah, blah.
>
> Some sites are harder to configure than others to render right so it may take you a bit to set it right policeman but I like tinkering with things
>
> Sites like majorgeeks works fine like it is
>
> The pink ones are all the scripts it blocks ..
>
> I try to share with you some useful info ..

By the way m8 thx for the heads up about "Policeman" i have now ditched no-script.. :rolleyes:
knowledge-Spammer Posted February 20, 2015

little video about
steven36 Posted February 20, 2015

> little video about

Nice video, yes sites like the independent is why you still need an ad blocker for image and element blocking because at that site ads are hosted from the site itself, they're built into the styles of the site. If you block styles it won't look right ;)
Archived
This topic is now archived and is closed to further replies.