An interesting demographic!

Whilst checking through some of the web threat data this morning, I noticed one attack using a couple of fake search sites I have seen used before. Of course, hackers using pornography in order to infect victims with malware is nothing new. One of the best examples is perhaps Zlob [1], a family which for two years has used the lure of porn to persuade people to run fake codec installers (which actually install the Trojan). Recently, this family gained a little more notoriety thanks to its targeting of Mac users [2,3].

The attack I noticed this morning provides a perfect example of the perils of surfing pornographic content. Several pornographic sites were noted to contain iframe links to pages on two sites masquerading as search portals. These two sites are laden with keywords, presumably in an attempt to attract users via search engines [4]. Both sites are constructed in the same way and provide links to multiple porn sites.

The pages hosted on these two sites contain exploits (detected as Mal/Psyme-A and Exp/Animoo-A) that attempt to exploit browser vulnerabilities in order to download and install Trojans [5, 6].

[Overview of attack]

The central site (highlighted in yellow) was registered just a few months ago, and appears to have had a fairly high traffic rating ever since. The demographic for the site is not surprising:

This site reaches approximately 79,736 U.S. monthly uniques. The site caters to a rather male, HH income up to $60k audience.

The exploits are old (patches have long been available), and the malware is all proactively detected. Nonetheless, this attack provides a good demonstration of how web threats use content to lure victims via search engine results. Whether the pornographic sites involved in this attack are themselves compromised, or whether they are intended to load the malicious content, is not known. But a number of observations, including the similarities in the domain registration details, make me suspect the latter.
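The pattern described above, several unrelated sites all framing pages on the same small set of hosts, can be surfaced from crawl data by counting how many distinct sites embed each external iframe host. The following is an added example, not code from the original post; the function names, the `min_referrers` threshold and the `.example` domains in the sample crawl are all constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "iframe" else None
        if src:
            self.sources.append(src.strip())


def external_iframe_hosts(page_url, html):
    """Return the hosts, other than the page's own, that the page frames."""
    own_host = urlsplit(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(page_url, src)).hostname
        if host and host != own_host:
            hosts.add(host)
    return hosts


def shared_iframe_hubs(pages, min_referrers=2):
    """Map framed host -> referring sites, keeping hosts framed by several sites."""
    referrers = defaultdict(set)
    for page_url, html in pages.items():
        for host in external_iframe_hosts(page_url, html):
            referrers[host].add(urlsplit(page_url).hostname)
    return {h: sorted(r) for h, r in referrers.items() if len(r) >= min_referrers}


# Constructed crawl sample using reserved .example names (not data from the post).
SAMPLE_PAGES = {
    "http://site-a.example/index.html": '<iframe src="http://portal-one.example/in.php"></iframe><iframe src="/banner.html"></iframe>',
    "http://site-a.example/gallery.html": '<iframe src="http://portal-one.example/in.php"></iframe>',
    "http://site-b.example/": '<iframe src="//portal-one.example/go"></iframe><IFRAME SRC="http://portal-two.example/go"></IFRAME>',
    "http://site-c.example/": '<iframe src="http://portal-two.example/go"></iframe><iframe src="http://cdn-widget.example/w"></iframe>',
}

if __name__ == "__main__":
    print(shared_iframe_hubs(SAMPLE_PAGES))
```

Hosts that surface this way are candidates for review, not verdicts: shared advertising or analytics frames produce the same fan-in and need to be ruled out before anything is blocked.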