RedTube Hacked: Popular Porn Site Hosted ID Stealing Malware, Fixed Sunday

With RedTube hacked Sunday, according to Gizmodo, visitors to the popular porn site who lacked proper protection from the malware in question were likely exposed to a Trojan or two. That means that those of RedTube’s more than 300 million monthly users who visited Sunday are at risk of having their identities stolen.

The malicious code was found in an iFrame within the porn site’s source code, according to Malwarebytes, which means it is highly likely someone hacked the RedTube servers and placed the code there. The type of malicious code used in the iFrame would redirect unsuspecting users to other infected sites, which would download and install even more malware onto users’ devices.

For those unaware of what an iFrame is, WP Beginner explains it as follows.

“An inline frame used inside a webpage to load another HTML document inside it. This HTML document may also contain JavaScript and/or CSS, which is loaded at the time when iframe tag is parsed by the user’s browser.”

One common example is embedding YouTube videos into websites built on WordPress, which adds the video while stripping all other content from the page, including comments and ads. If the iFrame hosting the video is infected, the malicious code can redirect users to any internet page the attacker chooses.

For example, a RedTube user might click a link and expect to end up at a soft porn website, but is redirected to a site hosting hardcore porn and malware instead.
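For a site operator, one way to catch an injected iFrame like the one described above is to audit served pages for frames that load from hosts the site never intended to embed. The following is an added example, not code from Malwarebytes or RedTube; the host names, the allowlist, the sample markup and the hidden-frame heuristic are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the operator expects to frame (assumed allowlist for this example).
ALLOWED_FRAME_HOSTS = {"www.example-tube.test", "player.example-cdn.test"}
PAGE_URL = "https://www.example-tube.test/watch/1"  # constructed page URL
# Constructed sample markup: one expected embed, one injected frame, one local frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://player.example-cdn.test/embed/42" width="640" height="360"></iframe>
<iframe src="//ads.unknown-host.test/l.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/help/faq.html"></iframe>
</body></html>"""


# Collects every <iframe> start tag and records why it looks unexpected.
class IframeAuditor(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative src values against the page URL.
        src = urljoin(self.page_url, a.get("src", "").strip())
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host not in self.allowed:
            reasons.append("host not on allowlist")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("frame is not visible to the user")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))


def audit_iframes(html, page_url, allowed_hosts=ALLOWED_FRAME_HOSTS):
    """Return (line, resolved src, reasons) for each suspicious iframe."""
    auditor = IframeAuditor(page_url, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    print(audit_iframes(SAMPLE_HTML, PAGE_URL))
```

Run against rendered pages on a schedule, a check like this turns an unexpected frame into an alert; a Content-Security-Policy `frame-src` directive limited to the same allowlist makes the browser refuse such frames in the first place.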

The specific type of exploit kit used in the RedTube hack, according to Malwarebytes, was an identity theft kit called Angler Exploit Kit. Angler has been seen on the black market for just over a year now, and it’s become one of the more popular exploit kits available on the cyber underground.

According to security software maker Symantec, Angler Exploit Kit and websites connected with the kit are extremely dangerous because the kit uses several attack methods against several different and popular types of software, including the Internet Explorer browser and Windows 7 operating systems.

According to Malwarebytes, Angler has powered a number of zero day attacks, including some of the recent Microsoft Silverlight and Adobe Flash exploits.

While the Angler Exploit kit wasn’t used in a zero day attack against RedTube, Malwarebytes warns as follows.

“Its ability to quickly and effectively infect a user with malware is what makes it so popular among cybercriminals.”

The hackers used the Angler exploit kit specifically because of its reputation for being fast at what it does. In this case, it infects visitors’ devices with malware. Often, in such cases, the infection can take hold and multiply on a device even before any programs can alert users to the problem – this is even truer when using certain browsers.

There are potentially even bigger security issues in the case of the RedTube hack, though – two to be exact.

The first security issue is the reason RedTube visitors use the site in the first place – it aggregates all types of pornography. People who partake in this type of Internet entertainment regularly know they should expect popups, redirects to other sites, and an endless sea of advertisements when they click links. This likely means RedTube users were not suspicious of any of the malicious popups or redirects the Angler Exploit Kit would have used.

The second issue could be worse – some people know that browsing “incognito” doesn’t stop their security software from tracking them, so they turn the security software off entirely.

Both of these issues likely made RedTube and its users juicy targets.

The Malwarebytes security software blog just reported the attacks today, and RedTube confirmed it was attacked in a statement to Gizmodo, saying the following of the hack.

“Our security systems immediately detected the breach and we took direct action to rectify the situation in order to protect RedTube users. The situation was fully resolved by Sunday evening and there is no longer any risk to visiting RedTube.”

In other words, the Trojan exploit was only live for a few hours, and RedTube has already fixed the problem.

However, even though the exploit was stopped, there is still the risk of visitors from Sunday experiencing identity theft. If any user experienced a redirect Sunday, whether expected or not, it is possible that the site the user ended up on contained malware.

While visitors to the popular porn site RedTube should not experience any infections from Sunday night on, those who visited Sunday evening and afternoon should do their due diligence and use security software, advised Malwarebytes. This is especially important for those who experienced redirects or popups, whether they were expected or not.

Malwarebytes has a full list of the hacked RedTube pages in addition to a sample of the malicious iFrame code.

[Photo by Sean Gallup/Getty Images]