ThreatList: Porn-Focused Malware Triples, Dark Web Loves It

Premium-access credentials to porn sites are hot in the cyber-underground, as credential-harvesting malware proliferates.

Credential-stealing malware targeting premium accounts on adult websites almost tripled in 2018, corresponding with a rise in the number of offers related to stolen porn credentials on Dark Web markets.

That’s according to Thursday research from Kaspersky Lab, which found that the malware is typically some kind of repurposed banking trojan; the bad code, organized into botnets, intercepts victims’ internet traffic and redirects them to fake webpages that mirror an authentic adult site they are attempting to visit. From there, it’s an easy phish to harvest credentials.

In addition to exposing victims’ personal information, these attacks can also lead to victims being locked out of their account, for which they could be paying a yearly subscription of up to $150, according to the analysis.

Pornhub was the most commonly copied page, with Kaspersky Lab detecting 37,144 attempts to visit phishing versions of the No. 1 adult website; that’s compared to just 1,161 total attempts to visit phishing versions of Youporn, Xhamster and Xvideos.

“Although the number of phishing may seem high, it’s important to note that in relation to the amount of site visits (33.5 billion visits in 2018), the percentage of phishing attempts is very small (less than .0001%),” Pornhub said in a statement. “This low percentage rate can be attributed to the fact that Pornhub actively monitors and removes phishing websites and offers two-factor authentication when logging into Pornhub accounts.”

The number of malware attacks attempting to steal porn website credentials increased almost three-fold in just a year, Kaspersky Lab found, rising from 307,868 attack attempts in 2017 to more than 850,000 in 2018.

“Based on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking trojans, attempting to steal credentials (Betabot, Neverquest and Panda),” according to the report. “These trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.”

The number of variations of malware spotted fell from 27 to 22, but the number of families increased from three to five, indicating the increasing popularity of pornography credentials in the underground.

In 2018, Kaspersky Lab experts found around 10,000 unique offers for premium-access credentials to porn websites, approximately double the number of offers seen in 2017. The price, however, remained the same – around $5 to $10 for each account.

“Premium access credentials to porn websites might not seem like the most obvious thing to steal,” said Oleg Kupreev, security researcher at Kaspersky Lab, in a media statement. “However, the fact that the number of sales offers relating to such credentials on the Dark Web is rising, and the increased efforts to distribute such malware, shows that this is a profitable and popular line of illegal business.”

Cybercriminals who buy the credentials can monetize them in many ways, including reselling the stolen access to pornographic websites at a lower price than the cost of a direct subscription. Other techniques include social engineering or extortion of the original user, using the credentials to crack other accounts and so on.

In analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb – an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers’ feedback – Kaspersky Lab found that all of them contained one to more than 3,000 offers for credentials to adult-content websites. In total, 29 websites displayed more than 15,000 offers to buy one or more accounts for pornography websites.

There’s another kind of threat to adult-site visitors: Bad actors are also using fake porn websites to distribute various kinds of malware.

“Most malware that reaches users’ computers from malicious websites is usually disguised as videos,” the report explained. “Users who do not check the file extension and go on to download and open it are sent to a webpage that extorts money. This is achieved by playing the video online or for free only after the user agrees to install a malicious file disguised as a software update or something similar.”

To attract users to the malicious websites in the first place, the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results – i.e., the adversaries change malicious websites’ content and descriptions so they appear higher up on the search results pages. For instance, cybercriminals are actively using popular porn tags (such as “Pornstar” or “HD-porn”) to promote malware in search results. In 2018, 87,227 unique users downloaded malware disguised as porn, the report found.

As for payloads, there’s a wide variety of porn-themed malware samples out there, with Kaspersky Lab observing 642 families and 57 types of PC threats.

Kupreev noted that this means the risk to adult-content enthusiasts actually goes beyond simple account compromise.

“Users of adult-content websites should keep in mind that such malware can remain unnoticed on a victim’s device for a long time, spying on their private actions and allowing others to do the same, without logging the user out so as not to arouse their suspicion,” he said. “Even those who simply visit the site but don’t have a premium account could be in danger, as they might risk exposing their private data.”

And indeed, trojan-downloaders are rising in popularity as a payload in these kinds of attacks, the research found, coming in as the No. 1 payload on PCs with a 45 percent share.

“This can be explained by the fact that such malicious programs are multipurpose: once installed on a victim’s device, the threat actor could additionally download virtually any payload they want: from DDoS-bots and malicious ads clickers to password stealers or banking trojans,” the report noted. “As a result, a criminal would need to infect the victim’s device only once and would then be able to use it in multiple malicious ways.”

On Android devices, 89 percent of infected files disguised as pornography turned out to be adware.

Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8 percent of them using a corporate rather than personal network to do this.
