The number of users attacked by malware out to steal premium access login data to popular adult websites more than doubled in a year, rising from around 50,000 users in 2017 to 110,000 users in 2018. In all, more than 850,000 attacks were detected. This growth was accompanied by more offers of stolen credential for sale on dark web markets and an increase in the number of malware families launching attacks. These and other findings are unveiled in Kaspersky Lab's report on threats to users of adult websites in 2018.
While porn is usually considered a good decoy to attract victims to a malicious website or involve them in a fraud scheme, the adult content itself wasn’t previously considered worth hunting for.
However, the new report shows that porn, namely premium accounts to porn websites, which include access to exclusive content, are gaining more and more attention from fraudsters.
In Pornhub’s global ranking released in December 2018, it revealed that Filipinos are consistently spending the most time on their site for five straight years. The adult website’s global average of users’ visit in the site is 10 minutes and 13 seconds while users from the Philippines stay for almost four minutes more.
To steal the credentials to a premium account on an adult-content website, cybercriminals distribute malware through botnets: chains of ‘bots’ or devices infected with malware capable of downloading additional malware depending on the goals of the botnet master. In the case of credential stealing threats, these botnets are usually formed by versions of known Banking Trojans that were repurposed to attack users of adult websites.
They intercept their victims’ data traffic and redirect them to fake web pages that mirror the authentic adult site the user is attempting to visit, capturing the credentials when the user tries to log in to their premium account. Such an approach is increasingly popular among cybercriminals and usually leads to victims’ personal information being exposed and used by criminals.
In addition, a victim can sometimes find themselves locked out of accounts for which they could be paying an annual subscription of US$150 or almost eight thousand pesos.
According to Kaspersky Lab’s researchers, the rising number of users facing such malware is matched by its intensified productivity. The number of porn-related attacks by these programs increased almost three-fold: from 307,868 attacks in 2017 to 850,000 in 2018.
Such an increase could be linked to a rise in the number of malware families distributed by botnets to hunt for porn login credentials.
In 2018, Kaspersky Lab experts uncovered 22 variations of bots distributing five families of Banking Trojans for such attacks: Betabot, Gozi, and Panda – also known to target users of popular e-commerce brands – along with Jimy, and Ramnit. The last two, like Gozi are new to porn login attacks. In 2017, 27 variations of bots distributed just three malware families, Betabot, Neverquest and Panda.
The increase in attacks was accompanied by a rise in the number of offers related to stolen credentials on dark web markets. The research shows that in 2018 the number of unique offers for porn website premium access credentials doubled to reach more than 10,000, compared to around 5,000 in 2017. The price, however, remained the same –– around US$5-10 for each account (or 261-522 pesos).
“Premium access credentials to porn websites might not seem the most obvious thing to steal. However, the fact that the number of sales offers relating to such credentials on the dark web is rising, and the increased efforts to distribute such malware, show that this is a profitable and popular line of illegal business. Users of adult-content websites should keep in mind that such malware can remain unnoticed on a victim’s device for a long time, spying on their private actions and allowing others to do the same, without logging the user out so as not to arouse their suspicion. Even those who simply visit the site but don’t have a premium account could be in danger, as they might risk exposing their private data,” said Oleg Kupreev, security researcher at Kaspersky Lab.
Apart from this notorious trend, Kaspersky Lab researchers have also seen the number of attacks coming from phishing pages that pretending to be one of the major porn websites with free content grow more than 10 times in Q4 2018 comparing to Q4 2017.
Overall, the number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was 38,305. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were 37,144 attempts to visit the phishing version of the website, while there were only 1,161 attempts to visit Youporn, Xhamster, and Xvideos in total.
“Although the number of phishing may seem high, it's important to note that in relation to the amount of site visits (33.5 billion visits in 2018), the percentage of phishing attempts is very small (less than .0001%). This low percentage rate can be attributed to the fact that Pornhub actively monitors and removes phishing websites and offers two-factor authentication when logging into PornHub accounts,” commented Pornhub on the issue in a statement.