Batu69 Posted October 26, 2015

Bitdefender says it currently affects users in 50 countries

Browser ransomware message shown to French users

The malvertising campaign that hit xHamster's visitors exactly a month ago is still going on even today, as Bitdefender's Alexandra Gheorghe is reporting.

The campaign, first detected and analyzed by the security researchers at Malwarebytes, relies on serving malicious code, disguised inside an ad for the Sex Messenger dating app, which then redirects xHamster's visitors to Web pages serving more dangerous viruses.

These malicious ads were actually part of a larger malvertising campaign that's been raging since mid-August, hosted on the infrastructure of TrafficHaus, an online advertising platform.

According to recent research carried out by Bitdefender's team, the campaign is still going on undisturbed, and in a recent twist in the methodologies used by the cyber-crooks, they are now delivering browser ransomware.

The campaign targets inexperienced Internet users

Browser ransomware is not actually ransomware because it does not encrypt any of the user's files, but is more in the category of scareware, inoffensive malware meant to alarm users into paying a fictional fine or unlock fee.

“No malware is really executed on the machine, so encryption does not take place,” said Alexandru Rusu, Malware Researcher at Bitdefender. “Technically, this is not ransomware, it is a type of scareware that urges inexperienced users to pay up simply because their browser window is blocked.”

In this particular case, Bitdefender says that the browser ransomware message is not removed even if the ransom is paid.

To avoid contamination, Mr. Rusu advises that users use an ad blocker when visiting any particular site that looks shady or has aggressive ads, not just xHamster.

Bitdefender was kind enough to share with Softpedia the list of countries where the malvertising campaign was detected as active.

This is a list of all country codes: AE, AT, AU, BE, BH, CA, CH, CY, CZ, DE, DK, DZ, EG, ES, FI, FR, GB, GR, HR, HU, IE, IT, JO, KW, LB, LT, LU, LV, MT, MX, NL, NO, NZ, OM, PE, PL, PS, PT, QA, RO, SA, SE, SI, SK, TR, US, UY, YE.

knowledge-Spammer Posted October 26, 2015

That site needs work on it big time, I think.

Holmes Posted October 26, 2015

Good, Ohio isn't a target. Not good that Canada is; I have friends and customers in Canada that could get hit by this. I think all of them are computer illiterate too.

knowledge-Spammer Posted October 26, 2015

You know it's bad when the Malwarebytes team are on it.

We are observing a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month.

In the past two days we have noted a 1500% increase in infections starting from xHamster.

Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within an apparent ad network.

Let’s take a closer look:

The main adult site links to traffichaus.com where the malicious advertising (malvertising) happens thanks to an iframe:

hxxp://musthave-media.org/tracking.php loads the malicious Flash file (1 detection on VT) from: hxxp://musthave-media.org/banner/count.swf which exploits the recent 0 day.

Upon successful exploitation, a malicious payload (Bedep) VT 2/57, is downloaded from:

hxxp://nertafopadertam.com/2/showthread.php

This attack looks similar to the one mentioned by Kafeine. What we see post exploitation is ad fraud as described here.

Malwarebytes Anti-Exploit protects you from this attack:

While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge.

Holmes Posted October 27, 2015

That's why you go to a different adult site; search Google for free xxx, lawls. There are many sites. I have never gone to xHamster anyway.

Administrator DKT27 Posted October 27, 2015

Forget about just these sites, without an adblocker, I have personally come across similar malware based ads on Android on many sites.

dcs18 Posted October 27, 2015

At xHamster, more than Adblock Plus, it is NoScript which blocks the truant scripts for me, without any irritating notification; NoScript also kicks in much earlier than Adblock Plus does. ^_^

steven36 Posted October 27, 2015

"Forget about just these sites, without an adblocker, I have personally come across similar malware based ads on Android on many sites."

This is another site where only styles are needed to use the site. You can use the Watch with MPV add-on to watch the videos; no need for Flash or allowing scripts. MPV is great, I have it on Windows and Linux. On Linux it can play more kinds of videos than MPlayer, so I have MPV powering SMPlayer. SMPlayer + MPV is the best player in Linux. :) B)

Why doesn't Google block these sites? They block KAT and not these sites that have real malware. It shows what kind of world we live in. ;)
This topic is now archived and is closed to further replies.