The number of users attacked by malware out to steal premium access login data to popular adult websites more than doubled in a year, rising from around 50000 users in 2017 to 110000 users in 2018. In all, more than 850 000 attacks were detected.
This growth was accompanied by more offers of stolen credential for sale on dark web markets and an increase in the number of malware families launching attacks.
These and other findings are unveiled in Kaspersky Lab’s report on threats to users of adult websites in 2018.
While porn is usually considered a good decoy to attract victims to a malicious website or involve them in a fraud scheme, the adult content itself wasn’t previously considered worth hunting for. However, the new report shows that porn, namely premium accounts to porn websites, which include access to exclusive content, are gaining more and more attention from fraudsters.
To steal the credentials to a premium account on an adult-content website, cybercriminals distribute malware through botnets: chains of ‘bots’ or devices infected with malware capable of downloading additional malware depending on the goals of the botnet master.
In the case of credential stealing threats, these botnets are usually formed by versions of known Banking Trojans that were repurposed to attack users of adult websites. They intercept their victims’ data traffic and redirect them to fake web pages that mirror the authentic adult site the user is attempting to visit, capturing the credentials when the user tries to log in to their premium account.
Such an approach is increasingly popular among cybercriminals and usually leads to victims’ personal information being exposed and used by criminals. In addition, a victim can sometimes find themselves locked out of accounts for which they could be paying a subscription of $150 per year.
According to Kaspersky Lab’s researchers, the rising number of users facing such malware is matched by its intensified productivity. The number of porn-related attacks by these programs increased almost three-fold: from 307 868 attacks in 2017 to 850 000 in 2018. Such an increase could be linked to a rise in the number of malware families distributed by botnets to hunt for porn login credentials.
In 2018, Kaspersky Lab experts uncovered 22 variations of bots distributing five families of Banking Trojans for such attacks: Betabot, Gozi, and Panda – also known to target users of popular e-commerce brands – along with Jimy, and Ramnit. The last two, like Gozi are new to porn login attacks. In 2017, 27 variations of bots distributed just three malware families, Betabot, Neverquest and Panda.
The increase in attacks was accompanied by a rise in the number of offers related to stolen credentials on dark web markets: the research shows that in 2018 the number of unique offers for porn website premium access credentials doubled to reach more than 10 000, compared to around 5 000 in 2017. The price, however, remained the same – around $5 to 10$ for each account.
“Premium access credentials to porn websites might not seem the most obvious thing to steal,” says Oleg Kupreev, security researcher at Kaspersky Lab. “However, the fact that the number of sales offers relating to such credentials on the dark web is rising, and the increased efforts to distribute such malware, show that this is a profitable and popular line of illegal business.
“Users of adult-content websites should keep in mind that such malware can remain unnoticed on a victim’s device for a long time, spying on their private actions and allowing others to do the same, without logging the user out so as not to arouse their suspicion.
“Even those who simply visit the site but don’t have a premium account could be in danger, as they might risk exposing their private data.”
Kaspersky Lab researchers have also seen the number of attacks coming from phishing pages that pretending to be one of the major porn websites with free content grow more than 10 times in Q4 2018 comparing to Q4 2017.
Overall, the number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was 38 305. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were 37 144 attempts to visit the phishing version of the website, while there were only 1 161 attempts to visit Youporn, Xhamster, and Xvideos in total.