Cyber Incident Victim: RedTube
Date: Feb 2015
Location: United States of America
Summary
In February 2015 RedTube, a major adult entertainment site, was compromised: attackers modified the source code of its main page to inject a hidden iframe that redirected visitors to the Angler Exploit Kit, which exploited a Flash Player vulnerability to install malware from the Kazy Trojan family. Unlike a malvertising campaign, the injection sat in the site's own page code, indicating unauthorized access to the server itself. Affected visitors suffered information theft and persistent pop-up ads that led to further exploit pages. RedTube said it had removed the malicious code; the case illustrates the continuing risk of drive-by infections from compromised legitimate sites and the steady evolution of exploit kit delivery techniques.
Description
In February 2015, RedTube, a pornography website receiving over 300 million monthly visits, suffered a significant security breach when attackers compromised its servers and altered the main page's source code to inject a malicious redirect. Unlike a contemporaneous incident involving xHamster, which relied on malicious advertisements, this attack embedded an invisible iframe directly into RedTube's own HTML, so the redirect fired on page load without any user interaction. The iframe led to the Angler Exploit Kit, a kit notorious for rapidly adopting fresh, sometimes zero-day, vulnerabilities in plugins such as Adobe Flash Player and Microsoft Silverlight. Researchers at Malwarebytes reported that the Angler landing page reached via the iframe exploited CVE-2015-0313, a critical Flash Player vulnerability disclosed earlier that month, to deliver payloads from the Kazy Trojan family. This malware family specialized in harvesting personal information and installing persistent browser helper objects that generated intrusive pop-up ads and further redirects to exploit-laden pages. Because the malicious iframe sat in RedTube's core page code rather than in third-party ad content, the attackers must have had write access to the site's foundational files, pointing to a server-level compromise rather than an ad-network intrusion. That distinction matters for defenders: an ad network cannot write into first-party HTML, so an injection of this kind is only visible by comparing the HTML actually served to visitors against the deployed source.

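The page does not reproduce the injected code, so the following is an added example, not the RedTube snippet or Malwarebytes' tooling. It shows the kind of check a site operator could run over served HTML to flag the pattern described above: an iframe made invisible (zero or one pixel in size, display:none, visibility:hidden, or positioned far off-screen) whose src points at a host outside the site's own allow-list. The sample page, the trusted-host list and the attacker hostname are all constructed for illustration.

```python
"""Flag hidden iframes that load content from untrusted hosts.

Added example (not code from the original report). The sample HTML below
is constructed; the real injected code is not reproduced in the source.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately embeds from. Assumption: a real deployment
# would load this allow-list from configuration.
TRUSTED_HOSTS = {"redtube.com", "www.redtube.com"}


def _tiny(value):
    """True for width/height attributes of 0 or 1 (bare or in px)."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)(px)?\s*$", value)
    return bool(m) and int(m.group(1)) <= 1


def _hidden_style(style):
    """True if an inline style hides the element or pushes it off-screen."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    # Large negative left/top offsets place the frame outside the viewport.
    for m in re.finditer(r"(?:left|top):(-\d+)px", s):
        if int(m.group(1)) <= -1000:
            return True
    # 0px/1px dimensions set via CSS rather than attributes.
    for m in re.finditer(r"(?:width|height):(\d+)px", s):
        if int(m.group(1)) <= 1:
            return True
    return False


class IframeScanner(HTMLParser):
    """Collects iframes that are both hidden and off-site."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # hostname is None for relative URLs; protocol-relative "//host/x"
        # still yields a host, which matters since injections often use it.
        host = urlparse(src).hostname
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if _hidden_style(a.get("style")):
            reasons.append("hidden-style")
        off_site = host is not None and host not in self.trusted
        if reasons and off_site:
            self.findings.append({
                "src": src,
                "host": host,
                "reasons": reasons,
                "line": self.getpos()[0],
            })


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings for hidden, off-site iframes in `html`."""
    parser = IframeScanner(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embed, one injected off-site frame
# hidden by both size and positioning, one hidden same-origin frame.
SAMPLE_PAGE = """<html><body>
<h1>Video listing</h1>
<iframe src="https://www.redtube.com/embed/1234" width="640" height="360"></iframe>
<iframe src="http://attacker-landing.example/gate.php" width="1" height="1"
        style="position:absolute; left:-5000px;"></iframe>
<iframe src="/ads/house.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

The scanner deliberately ignores hidden iframes with relative or allow-listed sources, since same-origin hidden frames are common in legitimate pages; the trade-off is that an attacker with the server-level access described above could also host the redirect on-site, so this check complements, rather than replaces, diffing the served HTML against the deployed source.
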
The incident exposed millions of users to drive-by download attacks: merely visiting RedTube triggered automatic malware installation on any machine running an unpatched Flash Player. The Kazy Trojan's payloads posed a dual risk, direct theft of sensitive user data and the spread of additional malware through forced redirects and ad injections. RedTube acknowledged the breach and stated it had resolved the compromise, though the source report did not specify how long the injection was live or when it was detected and removed. Security analysts emphasized that exploit kit campaigns, whether delivered through malvertising, iframe injection, or other drive-by methods, represented an escalating threat, with new delivery techniques appearing as monthly infection counts rose. The researchers reiterated the value of defensive measures such as anti-exploit tools, malicious website blockers, and ad blockers for mitigating similar risks; RedTube's own countermeasures beyond removing the malicious code were not detailed in the report.
