A security firm has identified a malvertising campaign that uses a fraudulent Flash advert as its exploit and targets dozens of adult websites.
Jérôme Segura, Senior Security Researcher at Malwarebytes, observes in a blog post how the campaign is particularly noticeable given the number and popularity of the affected sites.
Together, the adult websites targeted by the campaign serve a combined total of more than 250 million visitors a month.
The campaign consists of an advert for sexual enhancement drugs that is loaded whenever a user visits one of the affected sites. This advertiser is fraudulent, as Segura’s analysis reveals, and its sole purpose is to deliver a malicious Flash exploit.
The exploit itself consists of ActionScript 3 code that contains deceptive module names, such as “_SafeStr_1.” It affects users who have Flash Player version 126.96.36.199 and below installed, and it is capable of dropping multiple malicious binaries in a manner that mimics the Neutrino Exploit Kit, as security researcher Kafeine has revealed.
“It is interesting to see the trend of exploit kits taking the appearance of advertisers by leveraging Flash for serving the ‘creative’ exploit in one single package,” Segura notes in his post.
“It is a minimalist type of approach which seems to work quite efficiently.”
As another post published by Segura reveals, attackers are able to launch malvertising campaigns and evade ad networks’ security checks by posing as representatives of a Fortune 500 company and first sending along a clean advert. Just before the advert is published, the attackers send along their fraudulent advert, claiming it only has “minor changes.” The ad networks then push out this advert rather than risk losing business with a potentially lucrative customer.
Adult websites are notorious for malvertising campaigns and other malware-based attacks. Last November, Malwarebytes identified another instance of malvertising via AdXpansion and Google shortened URLs, only this time the campaign led users to the Angler Exploit Kit.
More recently, in January, Tripwire reported on another attack campaign in which attackers used a Flash exploit to deliver the Bedep malware to visitors of the adult website xHamster.