Porn malvertising campaign hides links in cookies

A malvertising campaign running on a porn site is evading detection by storing links in cookies, according to the security company Malwarebytes.

Victims exposed to the malicious adverts, said to be provided by AdExpansion to PornUp, were redirected to a landing page that drops the Angler exploit kit on their systems, using a Google URL shortener to further hide its nature.

Jerome Segura, a senior security researcher at Malwarebytes, said: "There is literally no limit to the imagination when it comes to hiding malvertising attacks. While it makes for a good rainy Sunday night of reversing, these sneaky ways are delaying detection and infecting many users in the process.

"In this particular case the URL was built dynamically from a browser cookie rather than being stored in the HTML source itself. This is quite smart as it will bypass traditional security scanners looking for particular patterns or blacklisted URLs."

He added that he had reported the shortened URL to Google and it had immediately been blacklisted, but that the hackers had created an automated process to generate new ones spontaneously.

PornUp and AdExpansion have been contacted for comment.

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

Sign up for our regular news round-up!

Sign up for our weekly news round-up!

Sign up to the newsletter: In Brief

I would also like to subscribe to:

Thank you for subscribing