Large Number of Adult Sites Distribute Malware Via AdXpansion Malvertising

[Batu69]

While malvertising activity on adult sites has been ‘relatively’ quiet for some time, we started picking up dozens of attacks on moderately popular XXX portals, where moderate still means millions of daily visitors.

The modus operandi is quite straightforward and facilitated by a compromised Flash advert directly hosted and served by AdXpansion, an adult ad network, which triggers a hidden Flash exploit loaded from a seemingly innocent XML file. This technique has been used before in other self-sufficient Flash ad/exploit attacks.

This malvertising campaign has been running since at least Nov 21 and is affecting hundreds of adults sites. As soon as the rogue Flash advert is displayed in the browser (no click on it is required) it will attempt to load the exploit code.

Notable sites that were affected include:

• drtuber.com (55.3 M)
• nuvid.com (41.9 M)
• eroprofile.com (14M)
• iceporn.com (6.9M)
• xbabe.com (4.2M)

Monthly traffic in millions, according to SimilarWeb.

The malicious advert:

Malwarebytes Anti-Exploit blocks the malicious advert when it attempts to load the remote exploit shell code.

Technical details

An attack on drtuber.com

[GateMate]

why would you be using IE?