At this point, all attack attempts have been blocked, and they were blocked within 24 hours. We have established that there was a hack attempt on TrafficHaus, and not on Xhamster. We believe that Xhamster is being unfairly targeted here, as is the sex messenger app. The hacker made attempts to make it appear as if it was coming from the messenger app and Xhamster by placing their code next to their ad unit in our system. Neither company had anything to do with the attempt. Xhamster was pivotal in helping us catch the intrusion, as was information from their users. The attack was initially detected by a user complaint via Xhamster, which was quickly acted upon to prevent further spread of the attempted malware attack. Our system flagged several attack attempts days before, and due to the large audience of our clients and our ads we are of course a large target for these malicious attacks. All previous attempts were prevented; however, this final attempt was not detected until after the malware had made it into the system, but it was immediately blocked, in less than 24 hours, once we were made aware of it.
We have reviewed the logs, IPs, and accounts related to the malware injections. We are still investigating, and will update if we find out anything more. For now, it looks like the initial intrusion was via a user account hack in the Czech Republic and a Tor exit router in the US. We have the injection logged from a CZ IP address (89.187.142.208), so we know it is related to the same incident, as it corresponds with our change logs. When the hacker gained access to a password for one of our admin accounts, they injected that cookiecheck.js file into the advertiser’s creative on our side, making it look like it came from the advertiser in an attempt to make it more difficult to follow.
We believe the attack vector was unsecured Wi-Fi, as we had recently attended a conference in the Czech Republic.
We purged this from our system immediately upon finding it and it has been down since yesterday morning.
As Malwarebytes themselves and many tech blogs have said, we are more secure and more proactive at fighting malware than other systems on the internet. Xhamster and the other porn sites we work with are not more dangerous than Yahoo, which was recently attacked as well, or other sites. As they said, we do allocate a lot of resources to fighting fraud and malware, more than most. We believe the shock value is just higher given the nature of the content:
“Segura told TechWeekEurope he didn’t think porn sites were necessarily more dangerous to visit than others with regards to this type of attack.
“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” he said. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.””
Read more at http://www.techweekeurope.co.uk/security/virus/xhamster-malware-malvertising-porn-177529#qoDTlM2wetublqOP.99
Currently TrafficHaus has a two-factor authentication system which requires an SMS code in order to log into an account. The IP location check may have been the fault that allowed the user to bypass it, so we are adding a secondary flag layer even if the IP is authorized. In addition, we also have RiskIQ and GeoEdge simultaneously scanning all ads and creatives, and our own proprietary scans and business methodologies for catching and removing exploits. In addition to that, we have revamped our SMS authentication system to add additional layers for users when logging in, and another layer of secondary notification restrictions when ads are approved and code is pushed live to ad units. We have scans of user activity to isolate any intrusions. Furthermore, we work directly with Malwarebytes and other adtech pioneers in the space who are helping to prevent the spread of this malicious software, and we thank them for their help.
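The two controls described above (a second factor that a trusted IP can no longer bypass, and a review step when a pushed creative introduces new code) are modelled below as an added example; this is illustrative code, not TrafficHaus's own system. The IP addresses, account profile, Tor exit list and ad creatives are constructed sample data, and the geolocation lookup is assumed to have happened upstream.

```python
"""Added illustration of two defensive controls from the statement.

1. Login policy: the weak version lets an allow-listed IP skip the SMS code;
   the hardened version always requires the code and additionally holds the
   login for review when the source IP is a known Tor exit, comes from a
   country other than the account's usual one, or is not on the allow list.
2. Creative-change review: a pushed creative is diffed against its approved
   version and any newly introduced external script is reported so the
   reviewer is notified before the code goes live.

All values below are constructed sample data, not real infrastructure.
"""
from dataclasses import dataclass
import re

# Constructed stand-in for a Tor exit-node list (assumption: a real
# deployment would load the published list; 203.0.113.0/24 is a doc range).
KNOWN_TOR_EXITS = {"203.0.113.7"}


@dataclass
class LoginAttempt:
    account: str
    ip: str
    country: str        # geolocation of ip, assumed resolved upstream
    sms_code_ok: bool   # whether the SMS one-time code was verified


@dataclass
class AccountProfile:
    allowlisted_ips: set
    home_country: str


def login_decision_weak(attempt: LoginAttempt, profile: AccountProfile) -> str:
    """Flawed policy: an allow-listed IP skips the second factor entirely."""
    if attempt.ip in profile.allowlisted_ips:
        return "allow"
    return "allow" if attempt.sms_code_ok else "deny"


def login_decision_hardened(attempt: LoginAttempt, profile: AccountProfile):
    """Hardened policy: the SMS code is mandatory regardless of IP, and a
    secondary flag layer can still hold an authenticated login for review."""
    if not attempt.sms_code_ok:
        return ("deny", [])
    flags = []
    if attempt.ip in KNOWN_TOR_EXITS:
        flags.append("tor-exit")
    if attempt.country != profile.home_country:
        flags.append("foreign-country")
    if attempt.ip not in profile.allowlisted_ips:
        flags.append("unknown-ip")
    return ("allow", []) if not flags else ("review", flags)


# Matches src="..." on <script> tags; enough for a creative review queue.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def external_scripts(html: str) -> set:
    """Set of external script URLs referenced by a creative."""
    return {m.group(1) for m in SCRIPT_SRC.finditer(html)}


def review_creative_change(approved_html: str, pushed_html: str, change_entry: dict) -> list:
    """Findings for a creative push; an empty list means no new external code.

    change_entry is the change-log record for the push (actor and source IP).
    """
    added = external_scripts(pushed_html) - external_scripts(approved_html)
    return [
        f"new external script {src} pushed by {change_entry['actor']} "
        f"from {change_entry['ip']}"
        for src in sorted(added)
    ]


# Constructed sample data ----------------------------------------------------
PROFILE = AccountProfile(allowlisted_ips={"198.51.100.10"}, home_country="US")

APPROVED_CREATIVE = (
    '<a href="https://ads.example/click"><img src="https://ads.example/banner.png"></a>'
    '<script src="https://ads.example/tracker.js"></script>'
)
# Same creative with an injected script (host is a constructed placeholder).
PUSHED_CREATIVE = APPROVED_CREATIVE + '<script src="https://cdn.invalid/cookiecheck.js"></script>'
CHANGE_ENTRY = {"actor": "admin-account-1", "ip": "203.0.113.7"}


if __name__ == "__main__":
    no_sms = LoginAttempt("admin-account-1", "198.51.100.10", "US", sms_code_ok=False)
    print("weak policy, trusted IP, no SMS:", login_decision_weak(no_sms, PROFILE))
    print("hardened policy, same attempt:   ", login_decision_hardened(no_sms, PROFILE))
    tor = LoginAttempt("admin-account-1", "203.0.113.7", "US", sms_code_ok=True)
    print("hardened policy, Tor exit + SMS: ", login_decision_hardened(tor, PROFILE))
    for finding in review_creative_change(APPROVED_CREATIVE, PUSHED_CREATIVE, CHANGE_ENTRY):
        print("creative review:", finding)
```

The point of the login half is that a known IP only removes the secondary review flag, never the second factor itself; the creative half ties the notification step to the change log entry, so the reviewer sees who pushed the new script and from where.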
For now, we purged this from our system immediately upon finding it, and it has been down since late in the evening of the 24th of September, early morning of the 25th. Xhamster's and our other partners' number one concern is their users, their user experience, and delivering the best possible experience to them. We believe that is tarnished when news articles are released after these sorts of one-off situations, once the attacks have been blocked and solutions have been implemented. We will continue to work with them and other leaders in the adult space to prevent and eradicate these types of attacks and preserve a safe browsing experience for all.