Major Adult Website Gets Hacked, Malicious Iframe Leads to Angler EK


Just like in the case of Jamie Oliver’s website, the cybercriminals did not resort to a malvertising campaign but hacked the servers of the adult website and planted malicious code straight into the source of the main page.
Exploit flung at visitors with outdated Flash Player versions

Security researchers at Malwarebytes discovered the compromise on RedTube, a website providing adult content that ranks 128th in Alexa's traffic rankings, with an estimated 300 million visits per month.

The malicious code inserted into the website produces an iframe that is invisible to the user, pointing to two domains where the Angler exploit kit is hosted.
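The injection described above is the classic drive-by pattern: an iframe a visitor never sees, loading a landing page on a domain that has nothing to do with the site. The following is an added example (not code from Malwarebytes or from the original post) of the check a site operator or incident responder would run over a page's HTML to surface exactly that: iframes that are both hidden (zero-size, `display:none`, or positioned far off screen) and point at an off-site host. The sample page, the hostnames in it and the `find_suspicious_iframes` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT the real RedTube source). It contains a
# legitimate same-site player iframe, an injected 1x1 iframe to an
# off-site landing page, and a hidden but same-site tracker iframe.
SAMPLE_HTML = """
<html><body>
<iframe src="/embed/player?id=42" width="640" height="360"></iframe>
<div><iframe src="http://ek-landing.example/abc/landing.php" width="1" height="1"></iframe></div>
<iframe src="https://example.test/tracker" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute such as '1', '640px' or ' 0 '."""
    if value is None:
        return None
    m = re.match(r"\s*(-?\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Heuristics for an iframe the visitor would never see."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Zero- or one-pixel frames, either as attributes or in inline CSS.
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    for m in re.finditer(r"(?:width|height):(\d+)px", style):
        if int(m.group(1)) <= 1:
            return True
    # Frames pushed far off the visible area.
    m = re.search(r"(?:left|top):(-\d+)px", style)
    if m and int(m.group(1)) < -100:
        return True
    return False


def find_suspicious_iframes(html, page_host):
    """Return hidden iframes whose src host differs from the page's host.

    Relative URLs have no host and are treated as same-site; subdomains
    count as different hosts and should be reviewed by hand.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        off_site = bool(host) and host.lower() != page_host.lower()
        if off_site and is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "example.test"):
        print("hidden off-site iframe ->", hit["src"])
```

Run against the constructed page this flags only the 1x1 frame pointing at `ek-landing.example`; the off-screen tracker is hidden but same-site, and the player frame is visible. In practice you would feed it the HTML as actually served to a browser (an injected page can differ from what is on disk), and treat every hit as a lead to pivot on, not a verdict.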

According to the analysis from Malwarebytes, Angler deploys an exploit for a Flash vulnerability (CVE-2015-0313) recently patched by Adobe.


Until the fix became available for Flash, the security bug had been exploited in the wild through the Hanjuan exploit kit.
The researchers say that the end goal of the cybercriminals is the installation of a malware family known as the Kazy Trojan, which appears to be a variant related to the Ponik downloader and the Vundo Trojan.

“This family is known for stealing personal information from users as well as installing browser helper objects that spread pop-up ads, some redirecting to additional exploit pages and therefore more malware infections,” a blog post from Malwarebytes said on Wednesday.

It is not clear how the RedTube compromise occurred, but the attack has significant potential given the large number of visits the website receives each month and the fact that users are slow to apply the latest patches for browser plug-ins. Furthermore, the infection of a vulnerable machine would occur as a drive-by download, without any sign of suspicious activity visible to the user.

RedTube confirms the attack

On Wednesday, RedTube confirmed the attack via Twitter, saying that it was detected on Sunday and that the necessary steps for mitigating the risk were taken within hours.

