Millions of Pornhub users were targeted with a malvertising attack that sought to trick them into installing malware on their PCs, according to infosec firm Proofpoint.

By the time the attack was uncovered, it had been active “for more than a year”, Proofpoint said, having already “exposed millions of potential victims in the US, Canada, the UK, and Australia” to malware disguised as software updates for popular browsers.

Although Pornhub, the world’s largest pornography site with 26bn yearly visits according to data from ranking firm Alexa, and its advertising network have shut down the infection pathway, the attack is still ongoing on other sites.

The hack was carried out by a group known as KovCoreG, Proofpoint said, which hoped to infect users with ad fraud malware known as Kovter. This type of malicious software is traditionally used to commit online advertising fraud, generating money through clicks on fake adverts.

In this particular attack, visitors to Pornhub were redirected to a website which claimed to be offering a software update for their web browser, such as Chrome or Firefox, or for the Adobe Flash plugin. If they downloaded and opened the file, it installed Kovter, taking over their machine and using it to click on fake adverts. Those fake clicks then generated real money for the websites the adverts are hosted on - typically spam-filled sites no normal user would ever visit.

“While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware,” Proofpoint said. “Regardless, threat actors are following the money and looking to more effective combinations of social engineering, targeting and pre-filtering to infect new victims at scale.”

Pornhub did not reply to a request for comment.

Malvertising campaigns are a popular way for malware authors to spread their infections, said Javvad Malik, security advocate at AlienVault.

“In 2016, Google removed 112m bad ads which aside from malware, included illegal product promotion and misleading ads,” he said. “The issue being that there are insufficient controls to place an advert with an ad network, making it far easier to get a malicious app accepted by an official app store. This has led to an upturn in the number of reputable organisations distributing malvertising.”

Mark James, a security specialist at IT firm ESET, said that Pornhub was likely a preferred target for the bad actors. “The audience is possibly less likely to have security in place or active as people’s perception is that it’s already a dark place to surf,” he said. “Also, the user may be less likely to call for help and try to click through any popups or install any software themselves, not wanting others to see their browsing habits.”