xHamster adult site infects computers through malicious Sex Messenger ad

Graham Cluley

Security firm Malwarebytes is reporting that xHamster, one of the world’s most visited porn websites, has been hit by a malvertising attack that pushed the Angler exploit kit to its visitors.


According to a blog post by researcher Jerome Segura, the Angler exploit kit was delivered through adverts for a dating application called “Sex Messenger”. Aside from xHamster, the same adverts also appeared on other popular portal websites linking to adult content.

Before dropping its malware payload, the attack first checks that the visitor is running Internet Explorer, and then exploits CVE-2013-7331, an information-disclosure vulnerability in the Microsoft.XMLDOM ActiveX control on Windows 8.1 and earlier that lets a web page find out whether a given file exists on the visitor’s disk.


Specifically, that file-existence check is used to look for files belonging to the virtualisation software and security tools that malware researchers typically run, so that the exploit kit can avoid firing in front of an analyst. Not that that was enough to stop analysis by Malwarebytes, of course.

Like other recent attacks, it serves its malicious content over HTTPS, so the exploit traffic is encrypted in transit and is trickier to spot at the network layer.
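To make the fingerprinting step concrete from the defender’s side: once the traffic is HTTPS the check cannot be seen on the wire, but an ad platform or an analyst can look for it in the creative itself before it is approved. The following is an added example, not code from the article or from Malwarebytes: a small Python scanner that flags markup combining a Microsoft.XMLDOM ActiveX instantiation with res:// URIs, parseError.errorCode reads or Windows file paths, and reports which files were being probed. The signatures, sample creatives and driver names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from the article, Malwarebytes or any ad platform.
# It scans an ad creative's markup for the Internet Explorer fingerprinting
# pattern the article attributes to Angler: instantiate Microsoft.XMLDOM, load
# an XML document whose DTD points at a res:// URI naming a local file, and
# read parseError.errorCode to learn whether that file exists (CVE-2013-7331).
# The signatures, sample creatives and file names are constructed for this
# example; tune them before relying on them in production.

SIGNATURES = {
    "xmldom_activex": re.compile(
        r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLDOM['\"]", re.I),
    # res:// URIs; the group captures whatever literal path follows
    "res_uri": re.compile(r"res://([^'\"\s<>]*)", re.I),
    "parse_error_probe": re.compile(r"parseError\s*\.\s*errorCode", re.I),
    # Windows paths as they appear in JavaScript source (backslashes doubled)
    "local_path": re.compile(r"[a-z]:\\[^'\"\s<>]+", re.I),
}

# Kits split strings to dodge naive matching ("Micro"+"soft.XMLDOM");
# collapsing adjacent string-literal concatenations before matching defeats
# that particular trick (it does not undo real obfuscation).
_CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")


def normalise(markup: str) -> str:
    return _CONCAT.sub("", markup)


@dataclass
class ScanResult:
    verdict: str                     # "clean", "suspicious" or "fingerprinting"
    probed_paths: list = field(default_factory=list)
    hits: dict = field(default_factory=dict)


def scan_creative(markup: str) -> ScanResult:
    text = normalise(markup)
    hits = {name: rx.findall(text) for name, rx in SIGNATURES.items()}
    paths = sorted({p for p in hits["res_uri"] + hits["local_path"] if p})
    probing = hits["res_uri"] or hits["parse_error_probe"] or hits["local_path"]
    if hits["xmldom_activex"] and probing:
        verdict = "fingerprinting"   # XMLDOM plus a file probe: block the creative
    elif any(hits.values()):
        verdict = "suspicious"       # one piece on its own: send to manual review
    else:
        verdict = "clean"
    return ScanResult(verdict, paths, hits)


# Constructed samples.  PROBE mimics the shape of the check described in the
# article; the driver names are typical virtual-machine artefacts such a
# check would look for.
CLEAN = '<a href="https://example.invalid/app"><img src="banner.png"></a>'
PROBE = r'''<script>
function has(p){var d=new ActiveXObject("Micro"+"soft.XMLDOM");d.async=false;
d.loadXML('<?xml version="1.0"?><!DOCTYPE r SYSTEM "res://'+p+'">');
return d.parseError.errorCode;}
var analysed=has("c:\\windows\\system32\\drivers\\vmmouse.sys")
          ||has("c:\\windows\\system32\\drivers\\vboxguest.sys");
</script>'''


def demo() -> dict:
    """Verdict per sample creative."""
    return {name: scan_creative(m).verdict
            for name, m in (("clean", CLEAN), ("probe", PROBE))}


if __name__ == "__main__":
    for name, markup in (("clean", CLEAN), ("probe", PROBE)):
        result = scan_creative(markup)
        print(name, result.verdict, result.probed_paths)
```

The concatenation collapse handles only the simplest string-splitting trick; a creative that is genuinely obfuscated needs to be rendered in an instrumented Internet Explorer rather than pattern-matched. Running the file prints each sample’s verdict and the paths it was probing for.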

Malwarebytes says that it informed TrafficHaus, the ad platform serving up the malicious ad, about the problem and it has since been removed. However, it’s a safe bet that other malvertising attacks are just around the corner.

Indeed, the researchers say that within a couple of days of the poisoned “Sex Messenger” ad being cleaned up, they spotted a separate malvertising attack on xHamster which served up Browlock, browser-based ransomware that locks the browser window and demands that the user pay a fine for allegedly viewing “banned pornography”.

Browlock ransomware

Unfortunately this isn’t the first time that xHamster, which is said to receive over 500 million visitors a month, has fallen foul of malicious ads. In January, malware-laced adverts on the site successfully infected visiting PCs with the Bedep Trojan horse.

Take care out there, folks: keep your computer protected with up-to-date security software, ensure that your operating system and applications are fully patched, and consider running an ad blocker.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

11 comments on “xHamster adult site infects computers through malicious Sex Messenger ad”

  1. gman

    If you're not already, use adblock!

    1. coyote · in reply to gman

      Or NoScript (which covers a lot more although many might consider the inconvenience too extreme). This goes for all content, of course.

  2. Techno

    Best to browse adult sites in a sandbox if you ask me.

  3. adrian

    Someone emailed me unsolicited porn for years. And I don't even click on pictures of people kissing. I would request to be taken off their mailing list…nothing. I would cuss them out. Nothing. I actually mailed a court summons to one of them. The sheriff could not serve it…he said the physical address did not exist. That's what happens when you are a supersaint :)

    1. coyote · in reply to adrian

      Never request being removed from a list that you didn't subscribe to. Never believe their rubbish disclaimer, either (actually, some people feel that email disclaimers are worth a lot more than they are – e.g. when declaring it is for private eyes only; too bad email isn't private and if they want it to be that way they should encrypt it [with the risk that the recipient would be able to decrypt and therefore share it] or better yet not send it). Doing the former won't do any good and the latter is only an attempt to make one think it is legit (which it obviously isn't). There is an exception: depending on their provider you can report the mail to their abuse department as UBE (unsolicited bulk email). But finding that email requires a bit more work (but nothing much to speak of). Usually it is abuse@ something (but not of the domain of the sender!).

  4. coyote

    'Unfortunately this isn't these aren't the first times that xHamster, which is said to receive over 500 million visitors a month, has fallen foul of malicious ads.'

    I think there is an unnatural flow of words going on there. Or am I really that wasted?

    1. Graham Cluley · in reply to coyote

      :) I think I must have been the wasted one. Now fixed.

  5. TrafficHaus

    At this point, all attack attempts have been blocked, and they were blocked within 24 hours. We have established that there was a hack attempt on TrafficHaus, and not Xhamster. We believe that Xhamster is being unfairly targeted here, as well as the Sex Messenger app. The hacker made attempts to make it appear as if it was coming from the messenger app and Xhamster, by placing their code next to their ad unit in our system. Neither company had anything to do with the attempt. Xhamster was pivotal in helping us catch the intrusion, as well as information from their users. So far there have only been 6 user complaints that we know about. The attack was initially detected by a user complaint via Xhamster, which was quickly acted upon to prevent further spread of the attempted malware attack. Our system flagged several attack attempts days before and, due to the large audience of our clients and our ads, we are of course a large target for these malicious attacks. So far all previous attempts were prevented; however, this final attempt was not detected until after the malware had made it into the system, but was immediately blocked, in less than 24 hours, when we were made aware.

    We have reviewed the logs, IPs, and accounts related to the malware injections. We are still investigating, and will update if we find out anything more. For now, it looks like the initial intrusion was via a user account hack in the Czech Republic and a Tor exit router in the US. We have the injection logged from a CZ IP address (89.187.142.208), so we know it is related to the same incident as it corresponds with our change logs. When the hacker gained access to a password to one of our admin accounts, they injected that cookiecheck.js file into the advertiser’s creative on our side, making it look like it’s from the advertiser in an attempt to make it more difficult to follow.
    We believe the attack vector was insecure Wi-Fi, as we had recently attended a conference in the Czech Republic.
    We purged this from our system immediately upon finding it and it has been down since yesterday morning.
    As Malwarebytes themselves and many tech blogs have said, we are more secure and more proactive at fighting malware than other systems on the internet. Xhamster and other porn sites we work with are not more dangerous than Yahoo, which was recently attacked as well, or other sites. As they said, we do allocate a lot of resources to fighting fraud and malware, and more than most. We believe the shock value is just higher given the nature of the content:
    “Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.
    …..

  6. TrafficHaus

    “There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.””
    Read more at http://www.techweekeurope.co.uk

    Currently TrafficHaus has a two-factor authentication system which requires an SMS in order to log into an account. The IP location may have been the fault in allowing the user to bypass, so we are adding a secondary flag layer even if the IP is authorized. In addition we also have RiskIQ and GeoEdge simultaneously scanning all ads and creatives, and our own proprietary scans and business methodologies for catching and removing exploits. In addition to that we have revamped our SMS authentication system to add additional layers to users when logging in, and another layer of secondary notification restrictions when ads are approved and code is pushed live to ad units. We have scans for user activity to isolate any intrusions. Furthermore, we work directly with Malwarebytes and other adtech pioneers in the space that are helping to prevent the spread of this malicious software, and thank them for their help.

    For now, we purged this from our system immediately upon finding it, and it has been down since late in the evening of the 24th of September / early morning of the 25th. Xhamster’s and our other partners’ number one concern is their users, their user experience, and delivering the best possible experience to them. We believe that is tarnished when news articles are released after these sorts of one-off situations, after attacks have been blocked and solutions have been implemented. We will continue to work with them and other leaders in the adult space to prevent and eradicate these types of attacks and preserve a safe browsing experience for all.

  7. Jimbo

    Graham,

    I do not use xhamster but out of pure curiosity and admittedly paranoia, was this attack only possible if the site was accessed on IE?

    And with this malware, could attackers actually download illegal content to your computer?

  8. BelchSpeak

    Hey TrafficHaus,

    As long as you allow other people to host their own ad content all the money you pay for malware scanning is flushed down the crapper.

    There is such a thing as the .htaccess file. Google it. Your ad scanning cannot defeat it.

    Want to stop malvertising? Charge a whole lot more, get a zero tolerance for violators, and host the ads yourself, which is the only way to ensure they are not being tampered or swapped out by a script.

    Thank me very much.
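TrafficHaus’s account above describes the root cause as a script (cookiecheck.js) injected on the platform side into an approved advertiser’s creative, and BelchSpeak argues that anything the platform does not host and control itself can be swapped out later. One control that addresses both points is pinning each creative at approval time and re-checking it on the serving path. The example below is added here and is not TrafficHaus’s code or any real ad platform’s: it records a SHA-256 of the approved markup plus the external script hosts it loads, then reports any drift. The sample creatives and hostnames are constructed; only the file name cookiecheck.js comes from the comment.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not TrafficHaus's code or any real ad platform's.  It pins
# an approved creative (its SHA-256 and the external script hosts it loads)
# at approval time and re-checks the creative on the serving path, so a
# script injected into the creative afterwards is caught even if the
# attacker holds an admin login.  Sample creatives and hostnames are
# constructed; "cookiecheck.js" is the file name given in the comment above.


class _ScriptCollector(HTMLParser):
    """Collects hosts of external <script src> tags and counts inline ones."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.hosts.add(urlparse(src).netloc.lower())
        else:
            self.inline += 1


def script_profile(markup: str):
    parser = _ScriptCollector()
    parser.feed(markup)
    parser.close()
    return parser.hosts, parser.inline


def approve(markup: str) -> dict:
    """Pin recorded at approval time; the pin store must be writable only by
    the approval workflow, never by the ad-serving path."""
    hosts, inline = script_profile(markup)
    return {
        "sha256": hashlib.sha256(markup.encode("utf-8")).hexdigest(),
        "script_hosts": sorted(hosts),
        "inline_scripts": inline,
    }


def verify(markup: str, pin: dict) -> list:
    """Return a list of problems; an empty list means the creative matches its pin."""
    problems = []
    if hashlib.sha256(markup.encode("utf-8")).hexdigest() != pin["sha256"]:
        problems.append("creative bytes differ from the approved version")
    hosts, inline = script_profile(markup)
    new_hosts = hosts - set(pin["script_hosts"])
    if new_hosts:
        problems.append("loads scripts from unapproved hosts: " + ", ".join(sorted(new_hosts)))
    if inline > pin["inline_scripts"]:
        problems.append(f"{inline - pin['inline_scripts']} inline script block(s) added")
    return problems


# Constructed creatives: the approved banner, a copy with an injected external
# script, and a copy with an injected inline script.
APPROVED = (
    '<a href="https://example.invalid/messenger">'
    '<img src="https://cdn.example.invalid/banner.png" alt="Sex Messenger"></a>'
    '<script src="https://cdn.example.invalid/impression.js"></script>'
)
TAMPERED = APPROVED + '<script src="https://check.example.invalid/cookiecheck.js"></script>'
TAMPERED_INLINE = APPROVED + '<script>document.cookie="t=1";</script>'


def demo() -> dict:
    """Problems reported for each sample against the pin of the approved copy."""
    pin = approve(APPROVED)
    return {name: verify(m, pin) for name, m in
            (("approved", APPROVED), ("tampered", TAMPERED), ("inline", TAMPERED_INLINE))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

For this to survive a stolen admin login, the pin must be written only by the approval workflow (ideally gated by the second approver or out-of-band notification TrafficHaus mentions), and the verify step must run in the serving path, where a change made through the admin UI cannot silence it. The hash catches any byte-level change; the host list is what tells the on-call engineer where the injected script is being loaded from.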
