Understanding The Porn + Malware Connections

CAMBRIDGE — For a minimal investment of about $160, a single porn site operator can infect more than 20,000 computers with malware for use in cybercrime, according to an academic study presented at the Workshop on the Economics of Information Security (WEIS 2010).

The research team presented a detailed look at the online adult industry and mapped a lot of malicious Web activity to porn site operators who use a variety of deceptive tricks and questionable practices to make money.

“Common belief suggests that adult web sites tend to be more dangerous than other types of web sites, considering well-known web-security issues such as malware, or script based attacks. Our results verify this assumption, and in addition, we show that many adult web sites use aggressive marketing and advertisement methods that range from “shady” to outright malicious. They include techniques that clearly aim at misleading web site visitors and deceiving business partners,” the research team said.

The team, which included researchers from Secure Systems Lab, Technical University Vienna; Institute Eurecom, Sophia Antipolis; and the University of California, Santa Barbara, set up their own adult content business during the course of the study and found it was relatively easy — and inexpensive — to launch malicious attacks from porn sites.

“For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild,” the group said.

During the study, the team manually examined about 700 pornographic web sites to get a grasp on the basic model of the industry’s economic system. After that, the researchers created a system that crawls adult web sites and extracts information from them to automatically gather additional data.

The group found that the online porn industry was segmented into several categories — pay-per-view content sites, link collectors and traffic traders, pornographic search engines, domain redirector services, keyword-based redirectors and traffic brokers.

Using an automated tool to crawl a total of 269,566 URLs belonging to 35,083 porn sites, the group found the so-called “free sites” to be the most dangerous.

“For either economic role, we found a relatively large number of web sites that use questionable methods and techniques that can best be described as “shady.” Unlike well-known web-based attacks and malicious activities (such as drive-by downloads), these practices directly aim at manipulating and misleading a visitor to perform actions that result in an economic profit for the web site operator. Overall, we found free sites to employ at least one of these techniques more often (34.2%) when compared to pay sites (11.4%),” the researchers said.

The shady techniques included the use of JavaScript catchers (client-side scripts that hijack the user’s browser, preventing them from leaving the web site); blind links (client-side scripting via JavaScript to obscure link destinations, effectively preventing the addresses from being displayed in the web browser’s status bar); redirector scripts; redirector chains; and iframe malware attacks.
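As an added illustration (not code from the study or from this article), the sketch below shows how a crawler-side check could flag two of the techniques just described, JavaScript catchers and blind links, in fetched HTML. The regular expressions are heuristic assumptions of this example, and the sample page and its `.example` URLs are constructed.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns: assumptions of this example, not the study's own rules.
EXIT_ATTRS = {"onbeforeunload", "onunload"}
EXIT_JS = re.compile(r"\bon(?:before)?unload\s*=|addEventListener\(\s*['\"](?:before)?unload")
NAV_JS = re.compile(r"\bwindow\.open\s*\(|\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(")
STATUS_JS = re.compile(r"\bstatus\s*=[^=]")

class ShadyScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False  # findings: (technique, line, detail)
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        line = self.getpos()[0]
        self._in_script = self._in_script or tag == "script"
        if EXIT_ATTRS.intersection(a):  # catcher set as an HTML attribute
            self.findings.append(("catcher", line, f"exit handler on <{tag}>"))
        if tag != "a":
            return
        href = a.get("href", "").strip()
        js_href = href.lower().startswith("javascript:")
        # Script that runs when the link is used: event handlers plus a javascript: URL.
        script = " ".join(v for k, v in a.items() if k.startswith("on"))
        script += " " + href if js_href else ""
        if (href in ("", "#") or js_href) and NAV_JS.search(script):
            self.findings.append(("blind_link", line, "destination set only in script"))
        elif STATUS_JS.search(script):
            self.findings.append(("blind_link", line, "status bar text overwritten"))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # catcher registered from inline script
        if self._in_script and EXIT_JS.search(data):
            self.findings.append(("catcher", self.getpos()[0], "script sets unload handler"))

def scan(html):
    scanner = ShadyScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (all names and URLs are made up for this example).
SAMPLE = """<html><body onbeforeunload="return 'Stay?'">
<a href="#" onclick="window.location='http://redirector.example/out?id=7'">Gallery</a>
<a href="http://partner.example/" onmouseover="window.status='http://gallery.example/'; return true">More</a>
<a href="/about.html">About</a>
<script>window.onbeforeunload = function () { return "Wait"; };</script>
</body></html>"""
```

Calling `scan(SAMPLE)` returns one finding per flagged element with its line number; handlers attached from external script files are outside what this static check can see.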

In some cases, the study found that porn sites launching drive-by download attacks were originally exploited themselves and were not intentionally serving malware.

A full version of the research paper can be downloaded here
 
