ust like in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but hacked the servers of the adult location and planted malicious code straight into the main page source code.
Exploit flung at visitors with outdated Flash Player versions
Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128 on the popularity scale provided by Alexa. The estimated number of visits is 300 million per month.
The malicious code inserted on the website produces an iframe that is invisible to the user, pointing to two domains where Angler browser-based attack tool is hosted.
According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.
Until the fix became available in Flash 22.214.171.1245, the security bug had been leveraged in the wild through Hanjuan exploit kit.
RedTube confirms the attack
The researchers say that the end goal of the cybercriminals is installation of a malware family known as Kazy Trojan, which appears to be a variation of other malware families, downloader Ponik and Vundo Trojan.
“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes says on Wednesday.
It is not clear how the RedTube compromise occurred but the attack has a significant potential given the large number of visits the website enjoys on a monthly basis and the fact that users are slow at applying the latest patches for the browser plug-ins. Furthermore, infecting a vulnerable machine would occur without any sign of suspicious activity.
On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.