Large Number of Adult Sites Distribute Malware Via AdXpansion Malvertising

Pornhub, YouPorn Latest Victims of Adult Malvertising Campaign

The xHamster malvertising campaign we wrote about last week was part of several attacks against many top adult sites. It is unclear whether this was a planned effort from threat actors but the timing is certainly strange.

Over the week-end we detected another incident affecting Pornhub and YouPorn, some of the biggest adult websites with a combined 800 million monthly visits (according to stats from SimilarWeb).


  1. Publishers:
  2. Ad network:{redacted}
  3. Malicious code:{redacted}
  4. Redirection to exploit kit:{redacted}
  5. Angler Exploit Kit:

Rogue advertisers abused the ExoClick ad network by inserting a seemingly legitimate piece of code as an ad banner. The first documented instance of the ‘cookiecheck.js‘ campaign appears to have taken place on Sept. 19th according to this tweet from malware hunter Malekal.


Fortunately, the malvertising on Pornhub and YouPorn did not last as long, thanks to an immediate action from both the publisher and ad network. Mindgeek, owner of the aforementioned websites released the following statement to us:

“We were alerted to the presence of a malicious advertisement appearing on a select few of Pornhub’s web properties. It was quickly determined that the malware originated from a third party advertising partner, and we responded immediately to disable all advertisements associated with this third party, and continue to actively investigate this incident.   Pornhub takes the safety and security of its users very seriously. Providing an optimal and secure customer experience is of topmost priority for Pornhub, and our organization has taken the necessary steps to protect our customer’s enjoyment without the threat of infection.

Our organization has implemented rigorous web security programs and processes and has partnered with the world’s leading security vendors, including RiskIQ, in an ongoing effort to fight malvertizing. MindGeek proactively audits all third party advertisements displayed on our site on a continual basis.

It is important to note that our sites are not delivering malware and we will continue to actively monitor the situation to safeguard our users.”

During the past several months, high profile malvertising attacks against top adult sites have been sparse. This makes what we have seen during the past couple of weeks very unusual but also impactful given the sheer volume of traffic these sites receive.

What’s more, the attack against top adult ad network TrafficHaus we documented last week may have been the result of a security breach, according to a comment left on security blogger Graham Cluley’s site.

Users should make sure that their computers are fully patched and protected with several layers of security (the 3 A’s is a very effective line of defense: Anti-exploit, Antivirus, Anti-malware) in order to defeat malvertising and drive-by download attacks.


Jérôme Segura

Principal Threat Researcher