Pornhub, TrafficJunky Shut Down Major Malvertising Hub
A click-fraud malvertising attack that has hidden in the shadows for more than a year lost a major distribution vector when advertising network TrafficJunky and adult tube site Pornhub shut down a pathway that exposed millions of porn-site visitors in the U.S., Canada, U.K. and Australia to infection by Kovter malware.
The malicious-redirect attack, mounted by the KovCoreG Group, is ongoing and continues to affect other sites, according to the researchers at Proofpoint who spotted the campaign. Pornhub was of more concern than most because the site receives about 9 million unique visitors daily, they said.
“We do not have data on the precise length of time that Pornhub and TrafficJunky were compromised but, as noted, we know that the KovCoreG Group has been using this type of attack on multiple sites for over a year,” Proofpoint Vice President of Operations Kevin Epstein told Threatpost. “It is likely that Pornhub, in particular, was being abused for some time, although both Pornhub and TrafficJunky moved very quickly to address the issue as soon as we informed them of the problem.”
The user-facing attack combines social engineering with a slight variation of the tried-and-true fake browser update scheme to distribute Kovter click-fraud malware. The ruse works with all three major Windows web browsers.
Kovter is particularly vexing because it employs a unique triple-threat persistence mechanism that drops a registry entry, a .bat file shortcut and the .bat file itself into the victim’s operating system.
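The three-part persistence pattern described above (a registry autorun entry, a shortcut, and the .bat file both point at) is something a defender can look for in an autorun inventory. The following is an added triage example, not code from the article or from Proofpoint's research: it scans a constructed snapshot of Run-key values and Startup-folder shortcuts, flags entries that launch a .bat from a user-writable directory, and reports .bat targets referenced by both a registry entry and a shortcut. All paths, value names and the snapshot itself are hypothetical.

```python
"""
Autorun triage for the registry-entry + shortcut + .bat persistence pattern.
Added illustration; the entries below are constructed, not real Kovter artefacts.
"""
import re
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    source: str    # "registry" or "startup_folder"
    location: str  # registry key path or folder path
    name: str      # registry value name or shortcut file name
    target: str    # command line (registry) or resolved shortcut target


# Extracts a Windows path ending in .bat from a command line or shortcut target.
BAT_PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.bat', re.IGNORECASE)
# Directories an unprivileged user can write to; persistence dropped by a
# fake-update lure will normally land in one of these.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|ProgramData)\\', re.IGNORECASE)


def bat_target(entry):
    """Return the normalised .bat path an entry launches, or None."""
    m = BAT_PATH_RE.search(entry.target)
    return m.group(0).lower() if m else None


def score_entry(entry):
    """List the reasons an entry looks like fake-update style persistence."""
    reasons = []
    bat = bat_target(entry)
    if bat:
        reasons.append("launches a .bat file")
        if USER_WRITABLE_RE.search(bat):
            reasons.append("the .bat lives in a user-writable directory")
        if entry.source == "startup_folder" and entry.name.lower().endswith(".lnk"):
            reasons.append("Startup-folder shortcut points at a .bat")
    return reasons


def triage(entries):
    """
    Return {"flagged": {name: [reasons]}, "linked_bat_targets": [paths]}.
    A .bat is 'linked' when a registry value and a Startup shortcut both
    launch it, i.e. the triple pattern the article describes.
    """
    flagged = {}
    from_registry, from_shortcuts = set(), set()
    for e in entries:
        reasons = score_entry(e)
        if reasons:
            flagged[e.name] = reasons
        bat = bat_target(e)
        if bat:
            (from_registry if e.source == "registry" else from_shortcuts).add(bat)
    return {
        "flagged": flagged,
        "linked_bat_targets": sorted(from_registry & from_shortcuts),
    }


# Constructed snapshot: one benign-looking HKLM entry, plus a hypothetical
# HKCU value and Startup shortcut that both launch the same dropped .bat.
SAMPLE_ENTRIES = [
    AutorunEntry("registry", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 "SecurityHealth", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
    AutorunEntry("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                 "OneDriveUpd",
                 r'cmd.exe /c start /min "" "C:\Users\alice\AppData\Local\Temp\upd\update.bat"'),
    AutorunEntry("startup_folder",
                 r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
                 "update.lnk", r"C:\Users\alice\AppData\Local\Temp\upd\update.bat"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_ENTRIES)
    for name, reasons in result["flagged"].items():
        print(f"{name}: {'; '.join(reasons)}")
    print("linked .bat targets:", result["linked_bat_targets"])
```

On a live host the snapshot would come from an autorun enumerator (Sysinternals Autoruns export, or a query of the Run keys and Startup folders); the heuristics are deliberately narrow, so a hit is a lead for a human to confirm, not a verdict.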
“Despite dramatic declines in exploit kit activity over the last year, malvertising remains a profitable enterprise for actors who can achieve sufficient scale and deliver malware effectively in a landscape where vulnerable machines are increasingly scarce,” Proofpoint researchers noted in a blog post. “To improve infection rates, criminals have turned to advanced filtering techniques and social engineering over the use of exploits.
“This campaign uses clever social engineering to trick users into installing fake updates that appear as soon as they visited a page containing a malicious ad,” the researchers noted. “Once users clicked on what they thought was an update file, they may not have even noticed a change in their systems as the malware opened an invisible web browser process, clicked on ads and generated potential revenue for cybercriminals.”
In this case, the cybercriminals’ actions may have cost advertisers some money, but the attack did no lasting harm. Things could have been much, much worse, the Proofpoint researchers warned.
“While the payload in this case is ad-fraud malware, it could just as easily have been ransomware, an information stealer or any other malware,” they wrote. “Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting and pre-filtering to infect new victims at scale.”